Malware Analysis Report

2024-10-19 01:53

Sample ID: 240416-hdh1labe25
Target: f2e83482658169cfb723595f03ed4c73_JaffaCakes118
SHA256: 2127d8998f0d3f04259848e7f11e6353cf71078cacfd2c23b6276323cead9718
Tags: tofsee evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 2127d8998f0d3f04259848e7f11e6353cf71078cacfd2c23b6276323cead9718
Threat Level: Known bad

The file f2e83482658169cfb723595f03ed4c73_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: tofsee evasion persistence trojan

Signatures:
  Windows security bypass
  Tofsee
  Creates new service(s)
  Sets service image path in registry
  Modifies Windows Firewall
  Executes dropped EXE
  Checks computer location settings
  Deletes itself
  Suspicious use of SetThreadContext
  Launches sc.exe
  Enumerates physical storage devices
  Unsigned PE
  Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-16 06:37

Signatures

Unsigned PE (no description, indicator, process or target reported)

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-16 06:37
Reported: 2024-04-16 06:39
Platform: win10v2004-20240226-en
Max time kernel: 144s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"

Signatures

Tofsee (trojan tofsee)

Creates new service(s) (persistence)

Modifies Windows Firewall (evasion)
  Process: C:\Windows\SysWOW64\netsh.exe

Sets service image path in registry (persistence)
  Description: Set value (str)
  Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\eetzfolv\ImagePath = "C:\\Windows\\SysWOW64\\eetzfolv\\gidulfmf.exe"
  Process: C:\Windows\SysWOW64\svchost.exe

Checks computer location settings
  Description: Key value queried
  Indicator: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe

Deletes itself
  Process: C:\Windows\SysWOW64\svchost.exe

Executes dropped EXE
  Process: C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe

Suspicious use of SetThreadContext
  Description: PID 2904 set thread context of 3696
  Process: C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe
  Target: C:\Windows\SysWOW64\svchost.exe

Launches sc.exe
  Process: C:\Windows\SysWOW64\sc.exe (3 rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory (identical rows collapsed; row count in parentheses)
  PID 4028 wrote to memory of 3120 (3): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\cmd.exe
  PID 4028 wrote to memory of 3996 (3): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\cmd.exe
  PID 4028 wrote to memory of 4580 (3): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\sc.exe
  PID 4028 wrote to memory of 224 (3): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\sc.exe
  PID 4028 wrote to memory of 3280 (3): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\sc.exe
  PID 4028 wrote to memory of 4412 (3): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\netsh.exe
  PID 2904 wrote to memory of 3696 (5): C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe -> C:\Windows\SysWOW64\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\eetzfolv\

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\gidulfmf.exe" C:\Windows\SysWOW64\eetzfolv\

C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create eetzfolv binPath= "C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description eetzfolv "wifi internet conection"

C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start eetzfolv

C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe
  C:\Windows\SysWOW64\eetzfolv\gidulfmf.exe /d"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe
  svchost.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8

Network

Country  Destination          Domain                                      Proto
US       8.8.8.8:53           82.90.14.23.in-addr.arpa                    udp
US       8.8.8.8:53           241.150.49.20.in-addr.arpa                  udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa                 udp
US       8.8.8.8:53           22.160.190.20.in-addr.arpa                  udp
US       8.8.8.8:53           microsoft.com                               udp
US       20.112.250.133:80    microsoft.com                               tcp
US       8.8.8.8:53           microsoft.com                               udp
US       8.8.8.8:53           microsoft-com.mail.protection.outlook.com   udp
US       104.47.54.36:25      microsoft-com.mail.protection.outlook.com   tcp
US       8.8.8.8:53           133.250.112.20.in-addr.arpa                 udp
HK       43.231.4.7:443       -                                           tcp
US       8.8.8.8:53           28.118.140.52.in-addr.arpa                  udp
US       8.8.8.8:53           159.113.53.23.in-addr.arpa                  udp
US       8.8.8.8:53           183.59.114.20.in-addr.arpa                  udp
US       13.107.253.64:443    -                                           tcp
US       8.8.8.8:53           yahoo.com                                   udp
US       8.8.8.8:53           mta5.am0.yahoodns.net                       udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa                  udp
US       67.195.204.72:25     mta5.am0.yahoodns.net                       tcp
US       8.8.8.8:53           28.143.109.104.in-addr.arpa                 udp
US       8.8.8.8:53           google.com                                  udp
US       8.8.8.8:53           smtp.google.com                             udp
NL       173.194.69.26:25     smtp.google.com                             tcp
HK       43.231.4.7:443       -                                           tcp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa                udp
US       8.8.8.8:53           mail.ru                                     udp
US       8.8.8.8:53           mxs.mail.ru                                 udp
RU       94.100.180.31:25     mxs.mail.ru                                 tcp
US       8.8.8.8:53           13.227.111.52.in-addr.arpa                  udp
US       8.8.8.8:53           0.205.248.87.in-addr.arpa                   udp
HK       43.231.4.7:443       -                                           tcp
US       8.8.8.8:53           93.65.42.20.in-addr.arpa                    udp

Files

memory/4028-1-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4028-0-0x00000000004A0000-0x00000000004A1000-memory.dmp
memory/4028-2-0x00000000005D0000-0x00000000005D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\gidulfmf.exe
  MD5: 28d85f0c0190db876bb6849d34c3424d
  SHA1: bd38bb101ef716d9f2723a9f6a1216385a9062a5
  SHA256: 66015469685512ebaac33725e2e9bb822ec4a50a10ac74cc69069719e1c9e39b
  SHA512: 9ae4ad4cb4e18380205787f31955d6537db4495fd6fe3417b83b6ff13f2ea0379edde9f954a2326814ab132bc2c74bdffc58bf46c0228b85212fe9573d05c09f

memory/4028-5-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2904-8-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2904-7-0x00000000004A0000-0x00000000004A1000-memory.dmp
memory/3696-9-0x0000000000610000-0x0000000000625000-memory.dmp
memory/2904-11-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3696-13-0x0000000000610000-0x0000000000625000-memory.dmp
memory/3696-14-0x0000000000610000-0x0000000000625000-memory.dmp
memory/3696-15-0x0000000000610000-0x0000000000625000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-16 06:37
Reported: 2024-04-16 06:39
Platform: win7-20231129-en
Max time kernel: 145s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"

Signatures

Tofsee (trojan tofsee)

Windows security bypass (evasion trojan)
  Description: Set value (int)
  Indicator: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\SysWOW64\qvcanwup = "0"
  Process: C:\Windows\SysWOW64\svchost.exe

Creates new service(s) (persistence)

Modifies Windows Firewall (evasion)
  Process: C:\Windows\SysWOW64\netsh.exe

Sets service image path in registry (persistence)
  Description: Set value (str)
  Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\qvcanwup\ImagePath = "C:\\Windows\\SysWOW64\\qvcanwup\\nwonwimd.exe"
  Process: C:\Windows\SysWOW64\svchost.exe

Deletes itself
  Process: C:\Windows\SysWOW64\svchost.exe

Executes dropped EXE
  Process: C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe

Suspicious use of SetThreadContext
  Description: PID 2680 set thread context of 2664
  Process: C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe
  Target: C:\Windows\SysWOW64\svchost.exe

Launches sc.exe
  Process: C:\Windows\SysWOW64\sc.exe (3 rows)

Enumerates physical storage devices

Suspicious use of WriteProcessMemory (identical rows collapsed; row count in parentheses)
  PID 3040 wrote to memory of 2144 (4): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\cmd.exe
  PID 3040 wrote to memory of 2516 (4): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\cmd.exe
  PID 3040 wrote to memory of 2768 (4): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\sc.exe
  PID 3040 wrote to memory of 3068 (4): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\sc.exe
  PID 3040 wrote to memory of 2632 (4): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\sc.exe
  PID 2680 wrote to memory of 2664 (6): C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe -> C:\Windows\SysWOW64\svchost.exe
  PID 3040 wrote to memory of 2648 (4): C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe -> C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qvcanwup\

C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\nwonwimd.exe" C:\Windows\SysWOW64\qvcanwup\

C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" create qvcanwup binPath= "C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe /d\"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe\"" type= own start= auto DisplayName= "wifi support"

C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" description qvcanwup "wifi internet conection"

C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" start qvcanwup

C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe
  C:\Windows\SysWOW64\qvcanwup\nwonwimd.exe /d"C:\Users\Admin\AppData\Local\Temp\f2e83482658169cfb723595f03ed4c73_JaffaCakes118.exe"

C:\Windows\SysWOW64\svchost.exe
  svchost.exe

C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul

Network

Country  Destination          Domain                                      Proto
US       8.8.8.8:53           microsoft.com                               udp
US       20.112.250.133:80    microsoft.com                               tcp
US       8.8.8.8:53           microsoft.com                               udp
US       8.8.8.8:53           microsoft-com.mail.protection.outlook.com   udp
US       104.47.53.36:25      microsoft-com.mail.protection.outlook.com   tcp
HK       43.231.4.7:443       -                                           tcp
US       8.8.8.8:53           yahoo.com                                   udp
US       8.8.8.8:53           mta7.am0.yahoodns.net                       udp
US       98.136.96.75:25      mta7.am0.yahoodns.net                       tcp
US       8.8.8.8:53           google.com                                  udp
US       8.8.8.8:53           smtp.google.com                             udp
NL       173.194.69.26:25     smtp.google.com                             tcp
HK       43.231.4.7:443       -                                           tcp
US       8.8.8.8:53           mail.ru                                     udp
US       8.8.8.8:53           mxs.mail.ru                                 udp
RU       94.100.180.31:25     mxs.mail.ru                                 tcp
HK       43.231.4.7:443       -                                           tcp

Files

memory/3040-1-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3040-0-0x0000000000250000-0x0000000000251000-memory.dmp
memory/3040-2-0x0000000000260000-0x0000000000261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nwonwimd.exe
  MD5: ac9ec22f425d5273ad42836a12214315
  SHA1: e3f05e090ef4e9c8331c3ad2123d7040285581f3
  SHA256: 55124e8c2028af5ecc2b9392ce5e823eaebe82b1cc0e55d6a145f15c0a6a3277
  SHA512: c57d555d1198128a863300ba22f425253b63a0662c14a6c11c997c51bbfd7b7d4a5cb139fa9d92b3882a04d43c8389eefa1d1854fb1d4fc023414d2f5e0cd2ed

memory/2680-7-0x0000000000390000-0x0000000000391000-memory.dmp
memory/2664-11-0x0000000000080000-0x0000000000095000-memory.dmp
memory/2680-12-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2664-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2664-8-0x0000000000080000-0x0000000000095000-memory.dmp
memory/2664-15-0x0000000000080000-0x0000000000095000-memory.dmp
memory/3040-16-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2664-17-0x0000000000080000-0x0000000000095000-memory.dmp
memory/2664-18-0x0000000000080000-0x0000000000095000-memory.dmp
memory/2664-19-0x0000000000080000-0x0000000000095000-memory.dmp