Analysis Overview
SHA256
1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092
Threat Level: Known bad
The file SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841 was found to be: Known bad.
Malicious Activity Summary
Phorphiex Payload
Windows security bypass
Modifies Windows Defender Real-time Protection settings
Phorphiex Worm
Executes dropped EXE
Windows security modification
Loads dropped DLL
Adds Run key to start application
Drops file in Windows directory
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-09 20:17
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-09 20:17
Reported
2020-11-10 15:33
Platform
win7v20201028
Max time kernel
151s
Max time network
152s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\262282303825536\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2609225382.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3144736335.exe | N/A |
| N/A | N/A | C:\1754266524840\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1953333470.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3830329087.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1832824553.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| N/A | N/A | C:\Windows\262282303825536\svchost.exe | N/A |
| N/A | N/A | C:\Windows\262282303825536\svchost.exe | N/A |
| N/A | N/A | C:\Windows\262282303825536\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | N/A |
| N/A | N/A | C:\1754266524840\svchost.exe | N/A |
| N/A | N/A | C:\1754266524840\svchost.exe | N/A |
| N/A | N/A | C:\1754266524840\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\262282303825536\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\262282303825536\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\262282303825536\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\1754266524840\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\1754266524840\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\1754266524840\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\262282303825536\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\262282303825536\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\262282303825536\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\262282303825536\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\1754266524840\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\262282303825536\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\262282303825536\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1754266524840\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1754266524840\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| File opened for modification | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| File opened for modification | C:\Windows\262282303825536 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe"
C:\Windows\262282303825536\svchost.exe
C:\Windows\262282303825536\svchost.exe
C:\Users\Admin\AppData\Local\Temp\1847737620.exe
C:\Users\Admin\AppData\Local\Temp\1847737620.exe
C:\Users\Admin\AppData\Local\Temp\2609225382.exe
C:\Users\Admin\AppData\Local\Temp\2609225382.exe
C:\Users\Admin\AppData\Local\Temp\3144736335.exe
C:\Users\Admin\AppData\Local\Temp\3144736335.exe
C:\1754266524840\svchost.exe
C:\1754266524840\svchost.exe
C:\Users\Admin\AppData\Local\Temp\1953333470.exe
C:\Users\Admin\AppData\Local\Temp\1953333470.exe
C:\Users\Admin\AppData\Local\Temp\3830329087.exe
C:\Users\Admin\AppData\Local\Temp\3830329087.exe
C:\Users\Admin\AppData\Local\Temp\1832824553.exe
C:\Users\Admin\AppData\Local\Temp\1832824553.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-09 20:17
Reported
2020-11-10 15:34
Platform
win10v20201028
Max time kernel
155s
Max time network
155s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\5066213467465\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3721512616.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3872222412.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2366731905.exe | N/A |
| N/A | N/A | C:\92781776224280\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1572736130.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1429524268.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3319414717.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\5066213467465\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\5066213467465\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\5066213467465\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\5066213467465\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\5066213467465\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\92781776224280\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\92781776224280\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\92781776224280\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\5066213467465\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\5066213467465\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\92781776224280\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\92781776224280\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\3721512616.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\5066213467465\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\5066213467465\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\92781776224280\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\3721512616.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\5066213467465 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| File created | C:\Windows\5066213467465\svchost.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
| File opened for modification | C:\Windows\5066213467465\svchost.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe"
C:\Windows\5066213467465\svchost.exe
C:\Windows\5066213467465\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3721512616.exe
C:\Users\Admin\AppData\Local\Temp\3721512616.exe
C:\Users\Admin\AppData\Local\Temp\3872222412.exe
C:\Users\Admin\AppData\Local\Temp\3872222412.exe
C:\Users\Admin\AppData\Local\Temp\2366731905.exe
C:\Users\Admin\AppData\Local\Temp\2366731905.exe
C:\92781776224280\svchost.exe
C:\92781776224280\svchost.exe
C:\Users\Admin\AppData\Local\Temp\1572736130.exe
C:\Users\Admin\AppData\Local\Temp\1572736130.exe
C:\Users\Admin\AppData\Local\Temp\1429524268.exe
C:\Users\Admin\AppData\Local\Temp\1429524268.exe
C:\Users\Admin\AppData\Local\Temp\3319414717.exe
C:\Users\Admin\AppData\Local\Temp\3319414717.exe
Network
Files
memory/2440-0-0x0000000000000000-mapping.dmp
C:\Windows\5066213467465\svchost.exe
| MD5 | b18e53bb27f7c270cadfa062c8c9330a |
| SHA1 | a472e5ba842817df057cad53a1934d5b91617032 |
| SHA256 | 1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092 |
| SHA512 | 10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba |
memory/184-3-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3721512616.exe
| MD5 | 2968307563096dfe9c628171a724744f |
| SHA1 | fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe |
| SHA256 | 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5 |
| SHA512 | def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01 |
memory/3608-6-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3872222412.exe
| MD5 | 15d07920fe0d8d6012912504f4437628 |
| SHA1 | 30f5e45c53d25f1a3fd882a4f6c5766fe574c090 |
| SHA256 | b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740 |
| SHA512 | a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a |
memory/3660-9-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2366731905.exe
| MD5 | 3f1db3dc8315d4b551241a5d1060119d |
| SHA1 | de30f3fb88794d03c5f612e2f051aabd670dff88 |
| SHA256 | 74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff |
| SHA512 | 782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a |
memory/3348-12-0x0000000000000000-mapping.dmp
C:\92781776224280\svchost.exe
| MD5 | 2968307563096dfe9c628171a724744f |
| SHA1 | fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe |
| SHA256 | 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5 |
| SHA512 | def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01 |
memory/2268-15-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1572736130.exe
| MD5 | 2968307563096dfe9c628171a724744f |
| SHA1 | fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe |
| SHA256 | 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5 |
| SHA512 | def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01 |
memory/3496-18-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1429524268.exe
| MD5 | 15d07920fe0d8d6012912504f4437628 |
| SHA1 | 30f5e45c53d25f1a3fd882a4f6c5766fe574c090 |
| SHA256 | b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740 |
| SHA512 | a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a |
memory/648-21-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3319414717.exe
| MD5 | 3f1db3dc8315d4b551241a5d1060119d |
| SHA1 | de30f3fb88794d03c5f612e2f051aabd670dff88 |
| SHA256 | 74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff |
| SHA512 | 782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a |