Malware Analysis Report

2025-04-13 10:35

Sample ID 240326-t1dj6seb97
Target df9b061b8b91e89659ad8592ce4ea7ad
SHA256 be0186fe58064c8c88db16927a48a857699ba9ea162d49192dc2b152637d8aa4
Tags
tofsee evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be0186fe58064c8c88db16927a48a857699ba9ea162d49192dc2b152637d8aa4

Threat Level: Known bad

The file df9b061b8b91e89659ad8592ce4ea7ad was found to be: Known bad.

Malicious Activity Summary

tofsee evasion persistence trojan

Windows security bypass

Tofsee

Modifies Windows Firewall

Sets service image path in registry

Creates new service(s)

Deletes itself

Checks computer location settings

Executes dropped EXE

Suspicious use of SetThreadContext

Launches sc.exe

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-26 16:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-26 16:31

Reported

2024-03-26 16:33

Platform

win7-20240221-en

Max time kernel

148s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"

Signatures

Tofsee

trojan tofsee

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\kcjczhaa = "0" C:\Windows\SysWOW64\svchost.exe N/A

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\kcjczhaa\ImagePath = "C:\\Windows\\SysWOW64\\kcjczhaa\\gmxiapjv.exe" C:\Windows\SysWOW64\svchost.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2444 set thread context of 2368 N/A C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe (3 identical entries) N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description (count of identical entries) Indicator Process Target
PID 2068 wrote to memory of 2844 (4) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2908 (4) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\cmd.exe
PID 2068 wrote to memory of 2624 (4) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\sc.exe
PID 2068 wrote to memory of 2588 (4) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\sc.exe
PID 2068 wrote to memory of 2692 (4) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\sc.exe
PID 2068 wrote to memory of 2712 (4) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\netsh.exe
PID 2444 wrote to memory of 2368 (6) N/A C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe

"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\kcjczhaa\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gmxiapjv.exe" C:\Windows\SysWOW64\kcjczhaa\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create kcjczhaa binPath= "C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe /d\"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description kcjczhaa "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start kcjczhaa

C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe

C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe /d"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\svchost.exe

svchost.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\gmxiapjv.exe

MD5 1b290650d808b4c3dcc7465229bda8de
SHA1 f48018f8489d8f130cb8144af74d13a86c5479ff
SHA256 a89522a6e3729073b517218217002bd2b8d3041ae0a7291d9ccc3bc01fab36f7
SHA512 08e204361d396ccf3b1dd7e2960439525371a6e33aea630d390873109ae9636e67f9245498f1c2e425de93745801b13d682b2e1e256aa3d5821ca8a3970ab2fa

C:\Windows\SysWOW64\kcjczhaa\gmxiapjv.exe

MD5 c4c08b35b5a92121ddfb34bdfd0b54a2
SHA1 ffb4bc63d13fba3f05f2616107888cc600dc96db
SHA256 523fa42140ca9fd830ba5097a8a09d6f90ae58b6e675104e0d275e9bde42e672
SHA512 37ab7c198e2d57df9b9be01e328502c11bffede4e68d63828464b77868762c1fb931b1d55b678a59b6e1d96b9dc5373218c4294c58a5172aacabf4a150a66d73

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-26 16:31

Reported

2024-03-26 16:33

Platform

win10v2004-20240226-en

Max time kernel

142s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"

Signatures

Tofsee

trojan tofsee

Creates new service(s)

persistence

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\jhfirlgh\ImagePath = "C:\\Windows\\SysWOW64\\jhfirlgh\\hdvtbknf.exe" C:\Windows\SysWOW64\svchost.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1336 set thread context of 4528 N/A C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe C:\Windows\SysWOW64\svchost.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe (3 identical entries) N/A

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Description (count of identical entries) Indicator Process Target
PID 3040 wrote to memory of 748 (3) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 3080 (3) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\cmd.exe
PID 3040 wrote to memory of 1020 (3) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\sc.exe
PID 3040 wrote to memory of 2052 (3) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\sc.exe
PID 3040 wrote to memory of 4860 (3) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\sc.exe
PID 3040 wrote to memory of 4788 (3) N/A C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe C:\Windows\SysWOW64\netsh.exe
PID 1336 wrote to memory of 4528 (5) N/A C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe

"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\jhfirlgh\

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\hdvtbknf.exe" C:\Windows\SysWOW64\jhfirlgh\

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" create jhfirlgh binPath= "C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe /d\"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" description jhfirlgh "wifi internet conection"

C:\Windows\SysWOW64\sc.exe

"C:\Windows\System32\sc.exe" start jhfirlgh

C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe

C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe /d"C:\Users\Admin\AppData\Local\Temp\df9b061b8b91e89659ad8592ce4ea7ad.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3040 -ip 3040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3040 -s 604

C:\Windows\SysWOW64\svchost.exe

svchost.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1336 -ip 1336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 512

Network


Files

C:\Users\Admin\AppData\Local\Temp\hdvtbknf.exe

MD5 02bed7835e90c3f7446a49d62650e3ae
SHA1 1949efb09cc938e95ec82b668769f939e7f09aef
SHA256 adc967e2f862fa26fbdc1d1803cfceaa249de022d6b1bb67605132b9139bca2d
SHA512 e1510250fc0dc46e1f1b137e8cfa09f8ce0904007ed6fc200fb2f46961d917172c7877536f0dda77ba7ab039d36b3ad711487975154cc6d8a40cc1d1e23e9956

C:\Windows\SysWOW64\jhfirlgh\hdvtbknf.exe

MD5 96e5261cb500d7872afd5a3f7371c5e6
SHA1 0659c14ac7773a8ac13333363930d847d052663c
SHA256 2b01001a58816c99e706b59729d3d4eaff4aabd472dab46b3d43b515b0bc7e33
SHA512 3823dc3196980b44191a3ee7bfc58c05c7b255545632a72d0d0b4055219cab7a4a120f8d45b8a1b3e1b664ea84fe8c33f8337a23c8a8fd6163584e2f74ea2e48