Malware Analysis Report

2024-11-30 15:06

Sample ID 201109-zltbkv8tws
Target SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841
SHA256 1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092

Threat Level: Known bad

The file SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841 was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex Payload

Windows security bypass

Modifies Windows Defender Real-time Protection settings

Phorphiex Worm

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-09 20:17

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-09 20:17

Reported

2020-11-10 15:33

Platform

win7v20201028

Max time kernel

151s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\262282303825536\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\262282303825536\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\262282303825536\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\1754266524840\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\1754266524840\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\1754266524840\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\262282303825536\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\262282303825536\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\262282303825536\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\262282303825536\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\1754266524840\svchost.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\262282303825536\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\262282303825536\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1754266524840\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1754266524840\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A
File opened for modification | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A
File opened for modification | C:\Windows\262282303825536 | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 484 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | C:\Windows\262282303825536\svchost.exe
PID 484 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | C:\Windows\262282303825536\svchost.exe
PID 484 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | C:\Windows\262282303825536\svchost.exe
PID 484 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | C:\Windows\262282303825536\svchost.exe
PID 1284 wrote to memory of 916 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1847737620.exe
PID 1284 wrote to memory of 916 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1847737620.exe
PID 1284 wrote to memory of 916 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1847737620.exe
PID 1284 wrote to memory of 916 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1847737620.exe
PID 1284 wrote to memory of 664 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\2609225382.exe
PID 1284 wrote to memory of 664 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\2609225382.exe
PID 1284 wrote to memory of 664 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\2609225382.exe
PID 1284 wrote to memory of 664 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\2609225382.exe
PID 1284 wrote to memory of 1852 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3144736335.exe
PID 1284 wrote to memory of 1852 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3144736335.exe
PID 1284 wrote to memory of 1852 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3144736335.exe
PID 1284 wrote to memory of 1852 | N/A | C:\Windows\262282303825536\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3144736335.exe
PID 916 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | C:\1754266524840\svchost.exe
PID 916 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | C:\1754266524840\svchost.exe
PID 916 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | C:\1754266524840\svchost.exe
PID 916 wrote to memory of 1616 | N/A | C:\Users\Admin\AppData\Local\Temp\1847737620.exe | C:\1754266524840\svchost.exe
PID 1616 wrote to memory of 912 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1953333470.exe
PID 1616 wrote to memory of 912 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1953333470.exe
PID 1616 wrote to memory of 912 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1953333470.exe
PID 1616 wrote to memory of 912 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1953333470.exe
PID 1616 wrote to memory of 112 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3830329087.exe
PID 1616 wrote to memory of 112 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3830329087.exe
PID 1616 wrote to memory of 112 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3830329087.exe
PID 1616 wrote to memory of 112 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\3830329087.exe
PID 1616 wrote to memory of 1180 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1832824553.exe
PID 1616 wrote to memory of 1180 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1832824553.exe
PID 1616 wrote to memory of 1180 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1832824553.exe
PID 1616 wrote to memory of 1180 | N/A | C:\1754266524840\svchost.exe | C:\Users\Admin\AppData\Local\Temp\1832824553.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe"

C:\Windows\262282303825536\svchost.exe

C:\Windows\262282303825536\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1847737620.exe

C:\Users\Admin\AppData\Local\Temp\1847737620.exe

C:\Users\Admin\AppData\Local\Temp\2609225382.exe

C:\Users\Admin\AppData\Local\Temp\2609225382.exe

C:\Users\Admin\AppData\Local\Temp\3144736335.exe

C:\Users\Admin\AppData\Local\Temp\3144736335.exe

C:\1754266524840\svchost.exe

C:\1754266524840\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1953333470.exe

C:\Users\Admin\AppData\Local\Temp\1953333470.exe

C:\Users\Admin\AppData\Local\Temp\3830329087.exe

C:\Users\Admin\AppData\Local\Temp\3830329087.exe

C:\Users\Admin\AppData\Local\Temp\1832824553.exe

C:\Users\Admin\AppData\Local\Temp\1832824553.exe

Network

Country Destination Domain Proto
N/A 217.8.117.63:80 217.8.117.63 tcp
N/A 217.8.117.63:80 217.8.117.63 tcp
N/A 217.8.117.63:80 217.8.117.63 tcp
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 217.8.117.63:80 217.8.117.63 tcp
N/A 8.8.8.8:53 tldrbox.top udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 217.8.117.10:80 tldrbox.top tcp
N/A 217.8.117.10:80 tldrbox.top tcp
N/A 217.8.117.10:80 tldrbox.top tcp
N/A 217.8.117.10:80 tldrbox.top tcp
N/A 8.8.8.8:53 loeghaiofiehfihf.to udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 8.8.8.8:53 loirgsiorgididii.to udp
N/A 8.8.8.8:53 lefiefijiejdijef.to udp
N/A 8.8.8.8:53 linbeafbiaebfiie.to udp
N/A 8.8.8.8:53 worm.ws udp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 8.8.8.8:53 loueafhuoaefhefu.to udp
N/A 8.8.8.8:53 lpleflpokadkeoot.to udp
N/A 8.8.8.8:53 laefneabdmemdnaf.to udp
N/A 8.8.8.8:53 lezaeazdgzegdget.to udp
N/A 217.8.117.10:80 worm.ws tcp
N/A 8.8.8.8:53 ladbabbabefnefmf.to udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 8.8.8.8:53 lauedaiednaibduf.to udp
N/A 8.8.8.8:53 leuaueufuanbbgbg.to udp
N/A 8.8.8.8:53 lgauheudbbchaiii.to udp
N/A 217.8.117.10:80 worm.ws tcp
N/A 8.8.8.8:53 lploaeieifuebaub.to udp
N/A 8.8.8.8:53 lfubaebeanfienfi.to udp
N/A 8.8.8.8:53 lefiaeieiififnnf.to udp
N/A 8.8.8.8:53 trikhaus.top udp
N/A 8.8.8.8:53 lbdadnmolaedbfau.to udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 127.0.0.1:80 tcp
N/A 8.8.8.8:53 lnabeuffhshsueur.to udp
N/A 127.0.0.1:80 tcp
N/A 8.8.8.8:53 llpaenimonadfueh.to udp
N/A 127.0.0.1:80 tcp
N/A 8.8.8.8:53 laedvezdeahfhuea.to udp
N/A 127.0.0.1:80 tcp
N/A 127.0.0.1:80 tcp
N/A 8.8.8.8:53 lganieeidiehgihe.to udp
N/A 8.8.8.8:53 seuufhehfueugheu.ws udp
N/A 64.70.19.203:80 seuufhehfueugheu.ws tcp
N/A 64.70.19.203:80 seuufhehfueugheu.ws tcp
N/A 8.8.8.8:53 toeghaiofiehfihf.ws udp
N/A 64.70.19.203:80 toeghaiofiehfihf.ws tcp
N/A 64.70.19.203:80 toeghaiofiehfihf.ws tcp
N/A 64.70.19.203:80 toeghaiofiehfihf.ws tcp
N/A 64.70.19.203:80 toeghaiofiehfihf.ws tcp
N/A 64.70.19.203:80 toeghaiofiehfihf.ws tcp
N/A 64.70.19.203:80 toeghaiofiehfihf.ws tcp
N/A 64.70.19.203:80 toeghaiofiehfihf.ws tcp
N/A 8.8.8.8:53 feuhdeuhduhuehdu.ws udp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdu.ws tcp
N/A 8.8.8.8:53 toirgsiorgididii.ws udp
N/A 64.70.19.203:80 toirgsiorgididii.ws tcp
N/A 8.8.8.8:53 feauhueudughuuru.ws udp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 64.70.19.203:80 feauhueudughuuru.ws tcp
N/A 8.8.8.8:53 fheuhdwdzwgzdggu.ws udp
N/A 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
N/A 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
N/A 64.70.19.203:80 fheuhdwdzwgzdggu.ws tcp
N/A 8.8.8.8:53 tefiefijiejdijef.ws udp
N/A 64.70.19.203:80 tefiefijiejdijef.ws tcp
N/A 64.70.19.203:80 tefiefijiejdijef.ws tcp
N/A 64.70.19.203:80 tefiefijiejdijef.ws tcp
N/A 64.70.19.203:80 tefiefijiejdijef.ws tcp
N/A 64.70.19.203:80 tefiefijiejdijef.ws tcp
N/A 64.70.19.203:80 tefiefijiejdijef.ws tcp
N/A 64.70.19.203:80 tefiefijiejdijef.ws tcp
N/A 8.8.8.8:53 faugzeazdezgzgfu.ws udp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfu.ws tcp
N/A 8.8.8.8:53 tinbeafbiaebfiie.ws udp
N/A 64.70.19.203:80 tinbeafbiaebfiie.ws tcp
N/A 8.8.8.8:53 wduufbaueeubffgu.ws udp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgu.ws tcp
N/A 8.8.8.8:53 okdoekeoehghaoeu.ws udp
N/A 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoeu.ws tcp
N/A 8.8.8.8:53 toueafhuoaefhefu.ws udp
N/A 64.70.19.203:80 toueafhuoaefhefu.ws tcp
N/A 64.70.19.203:80 toueafhuoaefhefu.ws tcp
N/A 64.70.19.203:80 toueafhuoaefhefu.ws tcp
N/A 8.8.8.8:53 efuheruhdehduhgu.ws udp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgu.ws tcp
N/A 8.8.8.8:53 eafueudzefverrgu.ws udp
N/A 64.70.19.203:80 eafueudzefverrgu.ws tcp
N/A 64.70.19.203:80 eafueudzefverrgu.ws tcp
N/A 64.70.19.203:80 eafueudzefverrgu.ws tcp
N/A 64.70.19.203:80 eafueudzefverrgu.ws tcp
N/A 8.8.8.8:53 tpleflpokadkeoot.ws udp
N/A 64.70.19.203:80 tpleflpokadkeoot.ws tcp
N/A 64.70.19.203:80 tpleflpokadkeoot.ws tcp
N/A 64.70.19.203:80 tpleflpokadkeoot.ws tcp
N/A 64.70.19.203:80 tpleflpokadkeoot.ws tcp
N/A 64.70.19.203:80 tpleflpokadkeoot.ws tcp
N/A 64.70.19.203:80 tpleflpokadkeoot.ws tcp
N/A 8.8.8.8:53 deauduafzgezzfgu.ws udp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 64.70.19.203:80 deauduafzgezzfgu.ws tcp
N/A 8.8.8.8:53 taefneabdmemdnaf.ws udp
N/A 64.70.19.203:80 taefneabdmemdnaf.ws tcp
N/A 64.70.19.203:80 taefneabdmemdnaf.ws tcp
N/A 8.8.8.8:53 gaueudbuwdbuguuu.ws udp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuu.ws tcp
N/A 8.8.8.8:53 efeuafubeubaefuu.ws udp
N/A 64.70.19.203:80 efeuafubeubaefuu.ws tcp
N/A 64.70.19.203:80 efeuafubeubaefuu.ws tcp
N/A 64.70.19.203:80 efeuafubeubaefuu.ws tcp
N/A 8.8.8.8:53 tezaeazdgzegdget.ws udp
N/A 64.70.19.203:80 tezaeazdgzegdget.ws tcp
N/A 64.70.19.203:80 tezaeazdgzegdget.ws tcp
N/A 64.70.19.203:80 tezaeazdgzegdget.ws tcp
N/A 64.70.19.203:80 tezaeazdgzegdget.ws tcp
N/A 64.70.19.203:80 tezaeazdgzegdget.ws tcp
N/A 64.70.19.203:80 tezaeazdgzegdget.ws tcp
N/A 64.70.19.203:80 tezaeazdgzegdget.ws tcp
N/A 64.70.19.203:80 tezaeazdgzegdget.ws tcp
N/A 8.8.8.8:53 eafuebdbedbedggu.ws udp
N/A 64.70.19.203:80 eafuebdbedbedggu.ws tcp
N/A 64.70.19.203:80 eafuebdbedbedggu.ws tcp
N/A 64.70.19.203:80 eafuebdbedbedggu.ws tcp
N/A 64.70.19.203:80 eafuebdbedbedggu.ws tcp
N/A 64.70.19.203:80 eafuebdbedbedggu.ws tcp
N/A 64.70.19.203:80 eafuebdbedbedggu.ws tcp
N/A 64.70.19.203:80 eafuebdbedbedggu.ws tcp
N/A 64.70.19.203:80 eafuebdbedbedggu.ws tcp
N/A 8.8.8.8:53 tadbabbabefnefmf.ws udp
N/A 64.70.19.203:80 tadbabbabefnefmf.ws tcp
N/A 8.8.8.8:53 wdkowdohwodhfhfu.ws udp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfu.ws tcp
N/A 8.8.8.8:53 efaeduvedvzfufuu.ws udp
N/A 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
N/A 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
N/A 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
N/A 64.70.19.203:80 efaeduvedvzfufuu.ws tcp
N/A 8.8.8.8:53 tauedaiednaibduf.ws udp
N/A 64.70.19.203:80 tauedaiednaibduf.ws tcp
N/A 64.70.19.203:80 tauedaiednaibduf.ws tcp
N/A 64.70.19.203:80 tauedaiednaibduf.ws tcp
N/A 64.70.19.203:80 tauedaiednaibduf.ws tcp
N/A 64.70.19.203:80 tauedaiednaibduf.ws tcp
N/A 64.70.19.203:80 tauedaiednaibduf.ws tcp
N/A 8.8.8.8:53 edhuaudhuedugufu.ws udp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 64.70.19.203:80 edhuaudhuedugufu.ws tcp
N/A 8.8.8.8:53 teuaueufuanbbgbg.ws udp
N/A 64.70.19.203:80 teuaueufuanbbgbg.ws tcp
N/A 8.8.8.8:53 eaffuebudbeudbbu.ws udp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 8.8.8.8:53 seuufhehfueugheb.to udp
N/A 64.70.19.203:80 eaffuebudbeudbbu.ws tcp
N/A 8.8.8.8:53 feuhdeuhduhuehdb.to udp
N/A 8.8.8.8:53 tgauheudbbchaiii.ws udp
N/A 64.70.19.203:80 tgauheudbbchaiii.ws tcp
N/A 64.70.19.203:80 tgauheudbbchaiii.ws tcp
N/A 8.8.8.8:53 feauhueudughuurb.to udp
N/A 64.70.19.203:80 tgauheudbbchaiii.ws tcp
N/A 64.70.19.203:80 tgauheudbbchaiii.ws tcp
N/A 8.8.8.8:53 fheuhdwdzwgzdggb.to udp
N/A 64.70.19.203:80 tgauheudbbchaiii.ws tcp
N/A 64.70.19.203:80 tgauheudbbchaiii.ws tcp
N/A 8.8.8.8:53 faugzeazdezgzgfb.to udp
N/A 64.70.19.203:80 tgauheudbbchaiii.ws tcp
N/A 64.70.19.203:80 tgauheudbbchaiii.ws tcp
N/A 8.8.8.8:53 wduufbaueeubffgb.to udp
N/A 8.8.8.8:53 tploaeieifuebaub.ws udp
N/A 64.70.19.203:80 tploaeieifuebaub.ws tcp
N/A 64.70.19.203:80 tploaeieifuebaub.ws tcp
N/A 8.8.8.8:53 okdoekeoehghaoeb.to udp
N/A 64.70.19.203:80 tploaeieifuebaub.ws tcp
N/A 64.70.19.203:80 tploaeieifuebaub.ws tcp
N/A 8.8.8.8:53 efuheruhdehduhgb.to udp
N/A 64.70.19.203:80 tploaeieifuebaub.ws tcp
N/A 64.70.19.203:80 tploaeieifuebaub.ws tcp
N/A 8.8.8.8:53 eafueudzefverrgb.to udp
N/A 64.70.19.203:80 tploaeieifuebaub.ws tcp
N/A 64.70.19.203:80 tploaeieifuebaub.ws tcp
N/A 8.8.8.8:53 deauduafzgezzfgb.to udp
N/A 8.8.8.8:53 tfubaebeanfienfi.ws udp
N/A 64.70.19.203:80 tfubaebeanfienfi.ws tcp
N/A 64.70.19.203:80 tfubaebeanfienfi.ws tcp
N/A 8.8.8.8:53 gaueudbuwdbuguub.to udp
N/A 64.70.19.203:80 tfubaebeanfienfi.ws tcp
N/A 64.70.19.203:80 tfubaebeanfienfi.ws tcp
N/A 8.8.8.8:53 efeuafubeubaefub.to udp
N/A 64.70.19.203:80 tfubaebeanfienfi.ws tcp
N/A 64.70.19.203:80 tfubaebeanfienfi.ws tcp
N/A 8.8.8.8:53 eafuebdbedbedggb.to udp
N/A 64.70.19.203:80 tfubaebeanfienfi.ws tcp
N/A 64.70.19.203:80 tcp
N/A 8.8.8.8:53 udp

Files

\Windows\262282303825536\svchost.exe

MD5 b18e53bb27f7c270cadfa062c8c9330a
SHA1 a472e5ba842817df057cad53a1934d5b91617032
SHA256 1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092
SHA512 10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

memory/1284-1-0x0000000000000000-mapping.dmp

C:\Windows\262282303825536\svchost.exe

MD5 b18e53bb27f7c270cadfa062c8c9330a
SHA1 a472e5ba842817df057cad53a1934d5b91617032
SHA256 1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092
SHA512 10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

C:\Windows\262282303825536\svchost.exe

MD5 b18e53bb27f7c270cadfa062c8c9330a
SHA1 a472e5ba842817df057cad53a1934d5b91617032
SHA256 1314a12570bef72ff76b05764456120c10b32b9c6a22df24e6874951abaa6092
SHA512 10b5632a7b808efb1f8926772124b213c6db4fb4cca49c854d28f570ea12a1c018c6094286239293e684fea922e26f59276bbf7771b5f0df01971ffdfa5033ba

memory/1244-4-0x000007FEF63D0000-0x000007FEF664A000-memory.dmp

\Users\Admin\AppData\Local\Temp\1847737620.exe

MD5 2968307563096dfe9c628171a724744f
SHA1 fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe
SHA256 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5
SHA512 def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

memory/916-6-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1847737620.exe

MD5 2968307563096dfe9c628171a724744f
SHA1 fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe
SHA256 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5
SHA512 def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

\Users\Admin\AppData\Local\Temp\2609225382.exe

MD5 15d07920fe0d8d6012912504f4437628
SHA1 30f5e45c53d25f1a3fd882a4f6c5766fe574c090
SHA256 b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740
SHA512 a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

memory/664-9-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2609225382.exe

MD5 15d07920fe0d8d6012912504f4437628
SHA1 30f5e45c53d25f1a3fd882a4f6c5766fe574c090
SHA256 b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740
SHA512 a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

\Users\Admin\AppData\Local\Temp\3144736335.exe

MD5 3f1db3dc8315d4b551241a5d1060119d
SHA1 de30f3fb88794d03c5f612e2f051aabd670dff88
SHA256 74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff
SHA512 782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

memory/1852-12-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3144736335.exe

MD5 3f1db3dc8315d4b551241a5d1060119d
SHA1 de30f3fb88794d03c5f612e2f051aabd670dff88
SHA256 74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff
SHA512 782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

C:\Users\Admin\AppData\Local\Temp\1847737620.exe

MD5 2968307563096dfe9c628171a724744f
SHA1 fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe
SHA256 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5
SHA512 def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

\1754266524840\svchost.exe

MD5 2968307563096dfe9c628171a724744f
SHA1 fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe
SHA256 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5
SHA512 def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

memory/1616-16-0x0000000000000000-mapping.dmp

C:\1754266524840\svchost.exe

MD5 2968307563096dfe9c628171a724744f
SHA1 fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe
SHA256 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5
SHA512 def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

C:\1754266524840\svchost.exe

MD5 2968307563096dfe9c628171a724744f
SHA1 fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe
SHA256 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5
SHA512 def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

\Users\Admin\AppData\Local\Temp\1953333470.exe

MD5 2968307563096dfe9c628171a724744f
SHA1 fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe
SHA256 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5
SHA512 def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

C:\Users\Admin\AppData\Local\Temp\1953333470.exe

MD5 2968307563096dfe9c628171a724744f
SHA1 fbd80e98d6bfe740fb5ff09f46c6b248815fb4fe
SHA256 003f5fc1e43950bb9db92c2e8fb72425c1177b6e98fde8b41f9a94e4d3549af5
SHA512 def6be85f58f76c74adf70bcef3325148636bd99df1c58560b02ef72ecfda5e79d3f510d8270a54fb0574c285de98aa58382dbb00f50ef54b291df50f67c8f01

memory/912-20-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\3830329087.exe

MD5 15d07920fe0d8d6012912504f4437628
SHA1 30f5e45c53d25f1a3fd882a4f6c5766fe574c090
SHA256 b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740
SHA512 a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

memory/112-23-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3830329087.exe

MD5 15d07920fe0d8d6012912504f4437628
SHA1 30f5e45c53d25f1a3fd882a4f6c5766fe574c090
SHA256 b04122115189986f6ac650a8f37dc942888a4f0938778a98a8d51fc8522e6740
SHA512 a7d9ce8f796718f74b39c54b3420e0f4433dc173f463483002978678ed2262ab9021e6e4f5d93042fe18b11baf534754b0049126c6161a5cae3db4b4fc5da71a

\Users\Admin\AppData\Local\Temp\1832824553.exe

MD5 3f1db3dc8315d4b551241a5d1060119d
SHA1 de30f3fb88794d03c5f612e2f051aabd670dff88
SHA256 74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff
SHA512 782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

memory/1180-26-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1832824553.exe

MD5 3f1db3dc8315d4b551241a5d1060119d
SHA1 de30f3fb88794d03c5f612e2f051aabd670dff88
SHA256 74cc395bfbd859381e28c0e705d49c243ecec38aee3f1acc4555e61afa8d96ff
SHA512 782701e791d2ddd9715dfba5018b1a41b9f1691e73610d913cf2f2b5c648b04105ada8e7db21e5ab51ab28504bcdeb15f994264aa4565670479ac67d791bf32a

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-09 20:17

Reported

2020-11-10 15:34

Platform

win10v20201028

Max time kernel

155s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan

Phorphiex Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\5066213467465\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\5066213467465\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\5066213467465\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\5066213467465\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\5066213467465\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\92781776224280\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\92781776224280\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\92781776224280\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\5066213467465\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\5066213467465\svchost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\92781776224280\svchost.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\92781776224280\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\3721512616.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\5066213467465\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\Windows\\5066213467465\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\92781776224280\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\3721512616.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\5066213467465 C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe N/A
File created C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe N/A
File opened for modification C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 636 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe C:\Windows\5066213467465\svchost.exe
PID 636 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe C:\Windows\5066213467465\svchost.exe
PID 636 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe C:\Windows\5066213467465\svchost.exe
PID 2440 wrote to memory of 184 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\3721512616.exe
PID 2440 wrote to memory of 184 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\3721512616.exe
PID 2440 wrote to memory of 184 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\3721512616.exe
PID 2440 wrote to memory of 3608 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\3872222412.exe
PID 2440 wrote to memory of 3608 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\3872222412.exe
PID 2440 wrote to memory of 3608 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\3872222412.exe
PID 2440 wrote to memory of 3660 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\2366731905.exe
PID 2440 wrote to memory of 3660 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\2366731905.exe
PID 2440 wrote to memory of 3660 N/A C:\Windows\5066213467465\svchost.exe C:\Users\Admin\AppData\Local\Temp\2366731905.exe
PID 184 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\3721512616.exe C:\92781776224280\svchost.exe
PID 184 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\3721512616.exe C:\92781776224280\svchost.exe
PID 184 wrote to memory of 3348 N/A C:\Users\Admin\AppData\Local\Temp\3721512616.exe C:\92781776224280\svchost.exe
PID 3348 wrote to memory of 2268 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\1572736130.exe
PID 3348 wrote to memory of 2268 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\1572736130.exe
PID 3348 wrote to memory of 2268 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\1572736130.exe
PID 3348 wrote to memory of 3496 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\1429524268.exe
PID 3348 wrote to memory of 3496 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\1429524268.exe
PID 3348 wrote to memory of 3496 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\1429524268.exe
PID 3348 wrote to memory of 648 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\3319414717.exe
PID 3348 wrote to memory of 648 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\3319414717.exe
PID 3348 wrote to memory of 648 N/A C:\92781776224280\svchost.exe C:\Users\Admin\AppData\Local\Temp\3319414717.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.50743.11374.31841.exe"

C:\Windows\5066213467465\svchost.exe

C:\Windows\5066213467465\svchost.exe

C:\Users\Admin\AppData\Local\Temp\3721512616.exe

C:\Users\Admin\AppData\Local\Temp\3721512616.exe

C:\Users\Admin\AppData\Local\Temp\3872222412.exe

C:\Users\Admin\AppData\Local\Temp\3872222412.exe

C:\Users\Admin\AppData\Local\Temp\2366731905.exe

C:\Users\Admin\AppData\Local\Temp\2366731905.exe

C:\92781776224280\svchost.exe

C:\92781776224280\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1572736130.exe

C:\Users\Admin\AppData\Local\Temp\1572736130.exe

C:\Users\Admin\AppData\Local\Temp\1429524268.exe

C:\Users\Admin\AppData\Local\Temp\1429524268.exe

C:\Users\Admin\AppData\Local\Temp\3319414717.exe

C:\Users\Admin\AppData\Local\Temp\3319414717.exe

Network


Files
