Malware Analysis Report

2024-11-30 15:36

Sample ID 201119-r4qk76rqbx
Target 10941585e933119c70b14961e91acc82.exe
SHA256 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
Tags
phorphiex evasion loader persistence spyware trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1

Threat Level: Known bad

The file 10941585e933119c70b14961e91acc82.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence spyware trojan worm

Phorphiex family

Phorphiex Payload

Phorphiex Worm

Windows security bypass

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Windows security modification

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-11-19 09:32

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2020-11-19 09:32

Reported

2020-11-19 09:35

Platform

win7v20201028

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Reads user/profile data of web browsers

spyware

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\1326261419625\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1326261419625\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1326261419625\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe N/A
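The two tables above are the evasion and persistence evidence for this sample: seven DWORDs under the Security Center key that silence Security Center's monitoring and notifications for antivirus, firewall, anti-spyware and updates (the Wow6432Node prefix shows the writer is a 32-bit process on 64-bit Windows), and a Run value whose name copies svchost.exe's file description while pointing at an svchost.exe in an all-digit directory under the drive root. The following Python is an added example, not output of the sandbox or part of this report: it parses rows in the layout printed above (Description, key path ending in the value name, = "<data>", writing process, target; that layout is an assumption) and classifies them. The nine input rows are copied verbatim from the tables; the ATT&CK mapping in the comments was added here.

```python
"""Classify the registry writes in the two signature tables above.

Added example, not part of the sandbox report.  LINE_RE encodes an
assumption about how this report prints its table columns; the ATT&CK
labels are a mapping added here.
"""
import re
from dataclasses import dataclass, field

# Constructed input: the nine "Set value" rows exactly as behavioral1 prints them.
REPORT_LINES = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\1326261419625\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\1326261419625\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1326261419625\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1326261419625\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe N/A
'''

# Description, key path whose last component is the value name, = "data", process, target.
LINE_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) = "(?P<data>.*?)" (?P<proc>\S+) (?P<target>\S+)$'
)

# Security Center values that suppress its monitoring/notifications (T1562.001, Impair Defenses).
SECURITY_CENTER_VALUES = {
    "AntiVirusOverride", "AntiVirusDisableNotify",
    "FirewallOverride", "FirewallDisableNotify",
    "UpdatesOverride", "UpdatesDisableNotify",
    "AntiSpywareOverride",
}
# The only directories a file literally named svchost.exe should live in.
LEGIT_SVCHOST_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


@dataclass
class Finding:
    category: str               # "defense-evasion" or "persistence"
    process: str                # process that performed the write
    detail: str
    reasons: list = field(default_factory=list)


def parse_events(text):
    """Return one dict per row that matches LINE_RE; unparseable rows are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in text.strip().splitlines())
    return [m.groupdict() for m in matches if m]


def classify(ev):
    key = ev["key"].lower()
    if key.endswith(r"\microsoft\security center") and ev["name"] in SECURITY_CENTER_VALUES and ev["data"] == "1":
        return Finding("defense-evasion", ev["proc"],
                       f"Security Center {ev['name']} forced to 1 (alert/monitoring suppressed)")
    if key.endswith(r"\currentversion\run"):              # T1547.001, Registry Run Keys
        path = ev["data"].replace("\\\\", "\\")           # the report doubles backslashes in string data
        low = path.lower()
        reasons = []
        if low.endswith("\\svchost.exe") and not any(d in low for d in LEGIT_SVCHOST_DIRS):
            reasons.append("svchost.exe outside System32/SysWOW64")   # T1036.005, Masquerading
        if re.search(r"\\\d{10,}\\", low):
            reasons.append("all-digit directory name")
        if ev["name"] == "Host Process for Windows Services":
            reasons.append("value name reuses svchost.exe's file description")
        return Finding("persistence", ev["proc"], f"Run value '{ev['name']}' -> {path}", reasons)
    return None


def analyze(text):
    return [f for f in map(classify, parse_events(text)) if f]


def summarize(findings):
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(REPORT_LINES):
        print(f.category, "|", f.process, "|", f.detail, "|", "; ".join(f.reasons))
    print(summarize(analyze(REPORT_LINES)))
```

For this report the classifier returns seven defense-evasion findings written by the dropped svchost.exe and two persistence findings (HKLM and HKCU Run) written by the original sample, each with all three masquerading reasons. The same rules apply unchanged to the behavioral2 rows further down, which only differ in the directory number.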

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe C:\1326261419625\svchost.exe
PID 2028 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe C:\1326261419625\svchost.exe
PID 2028 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe C:\1326261419625\svchost.exe
PID 2028 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe C:\1326261419625\svchost.exe
PID 1136 wrote to memory of 852 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1540428975.exe
PID 1136 wrote to memory of 852 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1540428975.exe
PID 1136 wrote to memory of 852 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1540428975.exe
PID 1136 wrote to memory of 852 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1540428975.exe
PID 1136 wrote to memory of 1312 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1252817773.exe
PID 1136 wrote to memory of 1312 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1252817773.exe
PID 1136 wrote to memory of 1312 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1252817773.exe
PID 1136 wrote to memory of 1312 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1252817773.exe
PID 1136 wrote to memory of 1384 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\2908718115.exe
PID 1136 wrote to memory of 1384 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\2908718115.exe
PID 1136 wrote to memory of 1384 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\2908718115.exe
PID 1136 wrote to memory of 1384 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\2908718115.exe
PID 1136 wrote to memory of 240 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\3640435775.exe
PID 1136 wrote to memory of 240 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\3640435775.exe
PID 1136 wrote to memory of 240 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\3640435775.exe
PID 1136 wrote to memory of 240 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\3640435775.exe

Processes

C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe

"C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe"

C:\1326261419625\svchost.exe

C:\1326261419625\svchost.exe

C:\Users\Admin\AppData\Local\Temp\1540428975.exe

C:\Users\Admin\AppData\Local\Temp\1540428975.exe

C:\Users\Admin\AppData\Local\Temp\1252817773.exe

C:\Users\Admin\AppData\Local\Temp\1252817773.exe

C:\Users\Admin\AppData\Local\Temp\2908718115.exe

C:\Users\Admin\AppData\Local\Temp\2908718115.exe

C:\Users\Admin\AppData\Local\Temp\3640435775.exe

C:\Users\Admin\AppData\Local\Temp\3640435775.exe
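The WriteProcessMemory rows and the process list above describe a two-level tree: the sample copies itself to C:\1326261419625\svchost.exe, that copy spawns four all-digit executables in %TEMP%, and the same parent/child pair is reported four times. The Python below is an added example, not part of the sandbox report: it rebuilds the tree from rows in the format printed above (an assumption about the report's layout), collapses the repeats while keeping their count, and flags image paths using heuristics for the naming this detonation shows (svchost.exe outside System32/SysWOW64, an all-digit directory under the drive root, an all-digit .exe in %TEMP%). The input rows are a subset copied verbatim from the table, with some of the repeats kept on purpose.

```python
"""Rebuild the behavioral1 process tree from WriteProcessMemory rows and
flag image paths that match the naming seen in this detonation.

Added example, not part of the sandbox report.  The row format and the
path heuristics are assumptions made here.
"""
import re
from collections import OrderedDict

# Constructed input: rows copied from the table above (subset, repeats kept on purpose).
WPM_ROWS = r"""
PID 2028 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe C:\1326261419625\svchost.exe
PID 2028 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe C:\1326261419625\svchost.exe
PID 2028 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe C:\1326261419625\svchost.exe
PID 2028 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe C:\1326261419625\svchost.exe
PID 1136 wrote to memory of 852 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1540428975.exe
PID 1136 wrote to memory of 852 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1540428975.exe
PID 1136 wrote to memory of 1312 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\1252817773.exe
PID 1136 wrote to memory of 1384 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\2908718115.exe
PID 1136 wrote to memory of 240 N/A C:\1326261419625\svchost.exe C:\Users\Admin\AppData\Local\Temp\3640435775.exe
"""

ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) \S+ (?P<pimg>\S+) (?P<img>\S+)$"
)
# The only paths a file literally named svchost.exe should run from.
LEGIT_SVCHOST = ("\\windows\\system32\\svchost.exe", "\\windows\\syswow64\\svchost.exe")


def parse_edges(text):
    """Map (ppid, pid, parent_image, child_image) -> how many times that row repeats."""
    edges = OrderedDict()
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = (int(m["ppid"]), int(m["pid"]), m["pimg"], m["img"])
            edges[key] = edges.get(key, 0) + 1
    return edges


def path_reasons(path):
    """Heuristics for this sample's image-path habits (assumptions, not sandbox output)."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    reasons = []
    if name == "svchost.exe" and not low.endswith(LEGIT_SVCHOST):
        reasons.append("svchost.exe outside System32/SysWOW64")
    if re.match(r"^[a-z]:\\\d+\\[^\\]+$", low):
        reasons.append("executable in an all-digit directory under the drive root")
    if re.fullmatch(r"\d+\.exe", name) and "\\appdata\\local\\temp\\" in low:
        reasons.append("all-digit .exe name in %TEMP%")
    return reasons


def build_tree(edges):
    """Return (pid -> image, ppid -> [child pids], root pids) from the unique edges."""
    images, children = OrderedDict(), {}
    for ppid, pid, pimg, img in edges:
        images[ppid] = pimg
        images[pid] = img
        children.setdefault(ppid, []).append(pid)
    all_children = {c for cs in children.values() for c in cs}
    roots = [p for p in images if p not in all_children]
    return images, children, roots


def render_tree(images, children, pid, depth=0):
    """Indented text tree; flagged processes get their reasons appended."""
    flags = path_reasons(images[pid])
    line = "  " * depth + f"{pid} {images[pid]}" + (f"  <-- {'; '.join(flags)}" if flags else "")
    return "\n".join([line] + [render_tree(images, children, c, depth + 1)
                               for c in children.get(pid, [])])


def flagged_processes(text):
    """pid -> list of reasons, for every process in the tree that trips a heuristic."""
    images, _, _ = build_tree(parse_edges(text))
    return {pid: path_reasons(img) for pid, img in images.items() if path_reasons(img)}


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    images, children, roots = build_tree(edges)
    for root in roots:
        print(render_tree(images, children, root))
    print({f"{ppid}->{pid}": n for (ppid, pid, _, _), n in edges.items()})
```

On the rows above the root is PID 2028 (the submitted sample), which is not flagged by itself; the copy at 1136 trips two heuristics and each of its four children trips the %TEMP% one. The hash list in the Files section confirms the split the tree suggests: 1540428975.exe has the same hashes as the sample (another self-copy), while the other three are different binaries.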

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 8.8.8.8:53 worm.ws udp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 8.8.8.8:53 yahoo.com udp
N/A 8.8.8.8:53 mta7.am0.yahoodns.net udp
N/A 67.195.228.94:25 mta7.am0.yahoodns.net tcp
N/A 8.8.8.8:53 icanhazip.com udp
N/A 136.144.56.255:80 icanhazip.com tcp
N/A 217.8.117.10:8080 worm.ws tcp
N/A 8.8.8.8:53 seuufhehfueughek.ws udp
N/A 64.70.19.203:80 seuufhehfueughek.ws tcp
N/A 67.195.228.94:25 mta7.am0.yahoodns.net tcp
N/A 64.70.19.203:80 seuufhehfueughek.ws tcp
N/A 136.144.56.255:80 icanhazip.com tcp
N/A 217.8.117.10:8080 worm.ws tcp
N/A 64.70.19.203:80 seuufhehfueughek.ws tcp
N/A 64.70.19.203:80 seuufhehfueughek.ws tcp
N/A 64.70.19.203:80 seuufhehfueughek.ws tcp
N/A 64.70.19.203:80 seuufhehfueughek.ws tcp
N/A 8.8.8.8:53 feuhdeuhduhuehdk.ws udp
N/A 64.70.19.203:80 feuhdeuhduhuehdk.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdk.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdk.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdk.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdk.ws tcp
N/A 64.70.19.203:80 feuhdeuhduhuehdk.ws tcp
N/A 8.8.8.8:53 feauhueudughuurk.ws udp
N/A 64.70.19.203:80 feauhueudughuurk.ws tcp
N/A 64.70.19.203:80 feauhueudughuurk.ws tcp
N/A 64.70.19.203:80 feauhueudughuurk.ws tcp
N/A 64.70.19.203:80 feauhueudughuurk.ws tcp
N/A 64.70.19.203:80 feauhueudughuurk.ws tcp
N/A 64.70.19.203:80 feauhueudughuurk.ws tcp
N/A 8.8.8.8:53 fheuhdwdzwgzdggk.ws udp
N/A 64.70.19.203:80 fheuhdwdzwgzdggk.ws tcp
N/A 64.70.19.203:80 fheuhdwdzwgzdggk.ws tcp
N/A 64.70.19.203:80 fheuhdwdzwgzdggk.ws tcp
N/A 64.70.19.203:80 fheuhdwdzwgzdggk.ws tcp
N/A 64.70.19.203:80 fheuhdwdzwgzdggk.ws tcp
N/A 64.70.19.203:80 fheuhdwdzwgzdggk.ws tcp
N/A 8.8.8.8:53 faugzeazdezgzgfk.ws udp
N/A 64.70.19.203:80 faugzeazdezgzgfk.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfk.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfk.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfk.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfk.ws tcp
N/A 64.70.19.203:80 faugzeazdezgzgfk.ws tcp
N/A 8.8.8.8:53 wduufbaueeubffgk.ws udp
N/A 64.70.19.203:80 wduufbaueeubffgk.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgk.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgk.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgk.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgk.ws tcp
N/A 64.70.19.203:80 wduufbaueeubffgk.ws tcp
N/A 8.8.8.8:53 okdoekeoehghaoek.ws udp
N/A 64.70.19.203:80 okdoekeoehghaoek.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoek.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoek.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoek.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoek.ws tcp
N/A 64.70.19.203:80 okdoekeoehghaoek.ws tcp
N/A 8.8.8.8:53 efuheruhdehduhgk.ws udp
N/A 64.70.19.203:80 efuheruhdehduhgk.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgk.ws tcp
N/A 64.70.19.203:80 efuheruhdehduhgk.ws tcp
N/A 8.8.8.8:53 videotron.ca udp
N/A 8.8.8.8:53 mx.videotron.ca udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 ryerson.ca udp
N/A 8.8.8.8:53 rscan.ryerson.ca udp
N/A 141.117.126.6:25 rscan.ryerson.ca tcp
N/A 8.8.8.8:53 hydraussca.ca udp
N/A 64.70.19.203:80 efuheruhdehduhgk.ws tcp
N/A 8.8.8.8:53 4078ae2e0c3a8644a645f95b832411.pamx1.hotmail.com udp
N/A 8.8.8.8:53 shaw.ca udp
N/A 8.8.8.8:53 idcmail-mx2no.cg.shawcable.net udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 1934.com udp
N/A 8.8.8.8:53 sympatico.ca udp
N/A 104.47.4.33:25 4078ae2e0c3a8644a645f95b832411.pamx1.hotmail.com tcp
N/A 8.8.8.8:53 3796.com udp
N/A 8.8.8.8:53 mxmta.owm.bell.net udp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 efuheruhdehduhgk.ws tcp
N/A 8.8.8.8:53 vianet.ca udp
N/A 8.8.8.8:53 mx1.vianet.ca udp
N/A 209.91.128.21:25 mx1.vianet.ca tcp
N/A 8.8.8.8:53 sympatici.ca udp
N/A 8.8.8.8:53 yahoo.ca udp
N/A 8.8.8.8:53 mta6.am0.yahoodns.net udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 64.70.19.203:80 efuheruhdehduhgk.ws tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 9934.com udp
N/A 8.8.8.8:53 6273.com udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 6588.com udp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 eafueudzefverrgk.ws udp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 64.70.19.203:80 eafueudzefverrgk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 3132.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 eafueudzefverrgk.ws tcp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 7269.com udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 ttva.ca udp
N/A 64.70.19.203:80 eafueudzefverrgk.ws tcp
N/A 8.8.8.8:53 ttva.ca udp
N/A 8.8.8.8:53 etzone.ca udp
N/A 8.8.8.8:53 ALT1.ASPMX.L.GOOGLE.COM udp
N/A 172.253.118.26:25 ALT1.ASPMX.L.GOOGLE.COM tcp
N/A 67.23.226.231:25 ttva.ca tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 141.117.126.6:25 rscan.ryerson.ca tcp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 4424.com udp
N/A 8.8.8.8:53 6951.com udp
N/A 64.70.19.203:80 eafueudzefverrgk.ws tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 6802.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 3062.com udp
N/A 217.8.117.10:8080 worm.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 eafueudzefverrgk.ws tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 0052.com udp
N/A 8.8.8.8:53 caasco.ca udp
N/A 8.8.8.8:53 4159.com udp
N/A 64.70.19.203:80 eafueudzefverrgk.ws tcp
N/A 8.8.8.8:53 caasco-ca.mail.protection.outlook.com udp
N/A 104.47.61.36:25 caasco-ca.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 9382.com udp
N/A 8.8.8.8:53 lacelestelevure.ca udp
N/A 8.8.8.8:53 lacelestelevure-ca.mail.protection.outlook.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 104.47.60.36:25 lacelestelevure-ca.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 4800.com udp
N/A 8.8.8.8:53 3401.com udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 1197.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 deauduafzgezzfgk.ws udp
N/A 64.70.19.203:80 deauduafzgezzfgk.ws tcp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 7248.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 4808.com udp
N/A 8.8.8.8:53 cogeco.ca udp
N/A 8.8.8.8:53 mx.cogeco.net udp
N/A 64.70.19.203:80 deauduafzgezzfgk.ws tcp
N/A 8.8.8.8:53 5265.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 66.226.82.202:25 mx.cogeco.net tcp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 5115.com udp
N/A 8.8.8.8:53 csduroy.qc.ca udp
N/A 8.8.8.8:53 0730.com udp
N/A 8.8.8.8:53 1767.com udp
N/A 8.8.8.8:53 csduroy-qc-ca.mail.protection.outlook.com udp
N/A 104.47.60.36:25 csduroy-qc-ca.mail.protection.outlook.com tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 deauduafzgezzfgk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 5273.com udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 0701.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 deauduafzgezzfgk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 64.70.19.203:80 deauduafzgezzfgk.ws tcp
N/A 8.8.8.8:53 7649.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 5945.com udp
N/A 64.70.19.203:80 deauduafzgezzfgk.ws tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 isnhighspeed.ca udp
N/A 8.8.8.8:53 cgocable.ca udp
N/A 8.8.8.8:53 mx2.cgocable.ca udp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 8.8.8.8:53 gaueudbuwdbuguuk.ws udp
N/A 64.70.19.203:80 gaueudbuwdbuguuk.ws tcp
N/A 8.8.8.8:53 aernet.ca udp
N/A 8.8.8.8:53 mx.aernet.ca.cust.a.hostedemail.com udp
N/A 216.40.42.4:25 mx.aernet.ca.cust.a.hostedemail.com tcp
N/A 8.8.8.8:53 3191.com udp
N/A 8.8.8.8:53 missisystems.ca udp
N/A 8.8.8.8:53 mail.missisystems.ca udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuk.ws tcp
N/A 107.189.159.16:25 mail.missisystems.ca tcp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 141.117.126.6:25 rscan.ryerson.ca tcp
N/A 8.8.8.8:53 5844.com udp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 2883.com udp
N/A 8.8.8.8:53 6569.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 64.70.19.203:80 gaueudbuwdbuguuk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 9093.com udp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 7397.com udp
N/A 64.70.19.203:80 gaueudbuwdbuguuk.ws tcp
N/A 8.8.8.8:53 6983.com udp
N/A 209.91.128.21:25 mx1.vianet.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 0685.com udp
N/A 8.8.8.8:53 4287.com udp
N/A 64.70.19.203:80 gaueudbuwdbuguuk.ws tcp
N/A 8.8.8.8:53 bellnet.ca udp
N/A 8.8.8.8:53 mxmta.bellnet.ca udp
N/A 204.101.250.9:25 mxmta.bellnet.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 8.8.8.8:53 3406.com udp
N/A 8.8.8.8:53 gbs.ca udp
N/A 8.8.8.8:53 mailwash39.pair.com udp
N/A 64.70.19.203:80 gaueudbuwdbuguuk.ws tcp
N/A 8.8.8.8:53 5597.com udp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 66.39.2.39:25 mailwash39.pair.com tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 1753.com udp
N/A 8.8.8.8:53 0365.com udp
N/A 8.8.8.8:53 efeuafubeubaefuk.ws udp
N/A 64.70.19.203:80 efeuafubeubaefuk.ws tcp
N/A 104.47.4.33:25 4078ae2e0c3a8644a645f95b832411.pamx1.hotmail.com tcp
N/A 8.8.8.8:53 1199.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 0325.com udp
N/A 64.70.19.203:80 efeuafubeubaefuk.ws tcp
N/A 141.117.126.6:25 rscan.ryerson.ca tcp
N/A 8.8.8.8:53 2890.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 4980.com udp
N/A 8.8.8.8:53 7325.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 domlebo.ca udp
N/A 8.8.8.8:53 mx.emailarray.com udp
N/A 65.39.216.37:25 mx.emailarray.com tcp
N/A 64.70.19.203:80 efeuafubeubaefuk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 104.47.60.36:25 csduroy-qc-ca.mail.protection.outlook.com tcp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 6334.com udp
N/A 64.70.19.203:80 efeuafubeubaefuk.ws tcp
N/A 8.8.8.8:53 globalchains.ca udp
N/A 8.8.8.8:53 globalchains.ca udp
N/A 8.8.8.8:53 6689.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 104.254.183.21:25 globalchains.ca tcp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 64.70.19.203:80 efeuafubeubaefuk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 efeuafubeubaefuk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 hurontel.on.ca udp
N/A 8.8.8.8:53 fish.hurontel.on.ca udp
N/A 216.46.129.163:25 fish.hurontel.on.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 7705.com udp
N/A 8.8.8.8:53 1879.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 eafuebdbedbedggk.ws udp
N/A 8.8.8.8:53 6491.com udp
N/A 64.70.19.203:80 eafuebdbedbedggk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 6617.com udp
N/A 8.8.8.8:53 4895.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 64.70.19.203:80 eafuebdbedbedggk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 172.253.118.26:25 ALT1.ASPMX.L.GOOGLE.COM tcp
N/A 8.8.8.8:53 6083.com udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 9153.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 eafuebdbedbedggk.ws tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 1559.com udp
N/A 8.8.8.8:53 camosun.bc.ca udp
N/A 8.8.8.8:53 camosun-bc-ca.mail.protection.outlook.com udp
N/A 104.47.61.36:25 camosun-bc-ca.mail.protection.outlook.com tcp
N/A 184.150.200.82:25 mxmta.owm.bell.net tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 7021.com udp
N/A 64.70.19.203:80 eafuebdbedbedggk.ws tcp
N/A 8.8.8.8:53 mxmta.owm.bell.net udp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 7726.com udp
N/A 8.8.8.8:53 eafwr.on.ca udp
N/A 8.8.8.8:53 2428.com udp
N/A 8.8.8.8:53 ontario.ca udp
N/A 8.8.8.8:53 aspmx.l.google.com udp
N/A 108.177.119.26:25 aspmx.l.google.com tcp
N/A 8.8.8.8:53 ontario-ca.mail.protection.outlook.com udp
N/A 104.47.60.36:25 ontario-ca.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 5929.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 64.70.19.203:80 eafuebdbedbedggk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 4221.com udp
N/A 8.8.8.8:53 8434.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 eafuebdbedbedggk.ws tcp
N/A 8.8.8.8:53 usherbrooke.ca udp
N/A 8.8.8.8:53 usherbrooke-ca.mail.protection.outlook.com udp
N/A 104.47.60.36:25 usherbrooke-ca.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 thetravelstore.ca udp
N/A 8.8.8.8:53 alt2.aspmx.l.google.com udp
N/A 108.177.97.27:25 alt2.aspmx.l.google.com tcp
N/A 8.8.8.8:53 4822.com udp
N/A 104.254.183.21:25 globalchains.ca tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 wdkowdohwodhfhfk.ws udp
N/A 64.70.19.203:80 wdkowdohwodhfhfk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 6068.com udp
N/A 8.8.8.8:53 caasco-ca.mail.protection.outlook.com udp
N/A 104.47.61.36:25 caasco-ca.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 6375.com udp
N/A 8.8.8.8:53 9831.com udp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 8446.com udp
N/A 64.70.19.203:80 wdkowdohwodhfhfk.ws tcp
N/A 104.47.4.33:25 4078ae2e0c3a8644a645f95b832411.pamx1.hotmail.com tcp
N/A 8.8.8.8:53 0475.com udp
N/A 8.8.8.8:53 8743.com udp
N/A 8.8.8.8:53 9880.com udp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 5938.com udp
N/A 8.8.8.8:53 8494.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 3650.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 9471.com udp
N/A 8.8.8.8:53 lumbermart.ca udp
N/A 64.70.19.203:80 wdkowdohwodhfhfk.ws tcp
N/A 8.8.8.8:53 backstage.lumbermart.ca udp
N/A 8.8.8.8:53 6047.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 0830.com udp
N/A 207.107.115.23:25 backstage.lumbermart.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 5769.com udp
N/A 8.8.8.8:53 2909.com udp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 8.8.8.8:53 9869.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfk.ws tcp
N/A 8.8.8.8:53 5600.com udp
N/A 8.8.8.8:53 6729.com udp
N/A 8.8.8.8:53 8164.com udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 64.70.19.203:80 wdkowdohwodhfhfk.ws tcp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 7736.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 kwvip.ca udp
N/A 108.177.97.27:25 alt2.aspmx.l.google.com tcp
N/A 8.8.8.8:53 dynamic-concept.ca udp
N/A 8.8.8.8:53 dynamicconcept-ca01i.mail.protection.outlook.com udp
N/A 8.8.8.8:53 7084.com udp
N/A 104.47.60.36:25 dynamicconcept-ca01i.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 efaeduvedvzfufuk.ws udp
N/A 64.70.19.203:80 efaeduvedvzfufuk.ws tcp
N/A 8.8.8.8:53 gameil.cam udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 0898.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 efaeduvedvzfufuk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 8.8.8.8:53 2221.com udp
N/A 66.226.82.202:25 mx2.cgocable.ca tcp
N/A 8.8.8.8:53 8867.com udp
N/A 64.70.19.203:80 efaeduvedvzfufuk.ws tcp
N/A 8.8.8.8:53 8172.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 67.23.226.231:25 ttva.ca tcp
N/A 64.70.19.203:80 efaeduvedvzfufuk.ws tcp
N/A 8.8.8.8:53 3637.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 mikebrowne.ca udp
N/A 8.8.8.8:53 mikebrowne-ca.mail.protection.outlook.com udp
N/A 104.47.60.36:25 mikebrowne-ca.mail.protection.outlook.com tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 efaeduvedvzfufuk.ws tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 9449.com udp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 travelplus.ca udp
N/A 64.70.19.203:80 efaeduvedvzfufuk.ws tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 travelplus-ca.mail.protection.outlook.com udp
N/A 104.47.60.36:25 travelplus-ca.mail.protection.outlook.com tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 104.47.61.36:25 caasco-ca.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 5861.com udp
N/A 8.8.8.8:53 9963.com udp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 edhuaudhuedugufk.ws udp
N/A 8.8.8.8:53 9989.com udp
N/A 64.70.19.203:80 edhuaudhuedugufk.ws tcp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 172.253.118.26:25 ALT1.ASPMX.L.GOOGLE.COM tcp
N/A 67.23.226.231:25 ttva.ca tcp
N/A 64.70.19.203:80 edhuaudhuedugufk.ws tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 67.23.226.231:25 ttva.ca tcp
N/A 8.8.8.8:53 3069.com udp
N/A 8.8.8.8:53 lacelestelevure-ca.mail.protection.outlook.com udp
N/A 104.47.60.36:25 lacelestelevure-ca.mail.protection.outlook.com tcp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 64.70.19.203:80 edhuaudhuedugufk.ws tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 6048.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 1386.com udp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 0652.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 edhuaudhuedugufk.ws tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 caasco-ca.mail.protection.outlook.com udp
N/A 104.47.60.36:25 caasco-ca.mail.protection.outlook.com tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 4602.com udp
N/A 209.91.128.21:25 mx1.vianet.ca tcp
N/A 64.70.19.203:80 edhuaudhuedugufk.ws tcp
N/A 8.8.8.8:53 5046.com udp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 9165.com udp
N/A 104.47.60.36:25 caasco-ca.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 3065.com udp
N/A 8.8.8.8:53 0945.com udp
N/A 64.70.19.203:80 edhuaudhuedugufk.ws tcp
N/A 8.8.8.8:53 mpht.ca udp
N/A 172.253.118.26:25 ALT1.ASPMX.L.GOOGLE.COM tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 eaffuebudbeudbbk.ws udp
N/A 64.70.19.203:80 eaffuebudbeudbbk.ws tcp
N/A 216.40.42.4:25 mx.aernet.ca.cust.a.hostedemail.com tcp
N/A 98.136.96.74:25 mta6.am0.yahoodns.net tcp
N/A 8.8.8.8:53 5164.com udp
N/A 8.8.8.8:53 eastlink.ca udp
N/A 8.8.8.8:53 smtpin.eastlink.ca udp
N/A 24.222.0.18:25 smtpin.eastlink.ca tcp
N/A 64.70.19.203:80 eaffuebudbeudbbk.ws tcp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 5484.com udp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 108.177.119.26:25 aspmx.l.google.com tcp
N/A 8.8.8.8:53 5135.com udp
N/A 8.8.8.8:53 4726.com udp
N/A 64.70.19.203:80 eaffuebudbeudbbk.ws tcp
N/A 8.8.8.8:53 hfx.eastlink.ca udp
N/A 24.222.0.18:25 smtpin.eastlink.ca tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 7112.com udp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 eaffuebudbeudbbk.ws tcp
N/A 8.8.8.8:53 1665.com udp
N/A 8.8.8.8:53 ontario-ca.mail.protection.outlook.com udp
N/A 104.47.61.36:25 ontario-ca.mail.protection.outlook.com tcp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 7193.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 5471.com udp
N/A 64.70.19.203:80 eaffuebudbeudbbk.ws tcp
N/A 184.150.200.210:25 mxmta.owm.bell.net tcp
N/A 8.8.8.8:53 1636.com udp
N/A 8.8.8.8:53 adls.ca udp
N/A 172.253.118.26:25 ALT1.ASPMX.L.GOOGLE.COM tcp
N/A 8.8.8.8:53 adls-ca.mail.protection.outlook.com udp
N/A 104.47.60.36:25 adls-ca.mail.protection.outlook.com tcp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 64.70.19.203:80 eaffuebudbeudbbk.ws tcp
N/A 104.47.61.36:25 ontario-ca.mail.protection.outlook.com tcp
N/A 8.8.8.8:53 7544.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 2052.com udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 108.177.97.27:25 alt2.aspmx.l.google.com tcp
N/A 8.8.8.8:53 seuufhehfueugheg.to udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
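Read as a whole, the Network table shows the spam module at work: a public-IP/geolocation check (api.wipmania.com, icanhazip.com), command-and-control over HTTP on 80 and 8080 at worm.ws, a long run of 16-letter .ws hostnames that all resolve to 64.70.19.203, and dozens of outbound TCP/25 sessions to the MX hosts of Canadian ISPs, universities and hosted mailboxes. The Python below is an added example, not part of the sandbox report: it parses rows in the layout printed above (an assumption about the report's format) and pulls out the SMTP fan-out, hostnames sharing one IP, external-IP lookups, non-standard ports and domains that were resolved but never connected to. NETWORK_ROWS is a subset of the table copied verbatim; the IP_ORACLES set and the recipient-domain heuristic (which assumes rows are in time order) are assumptions made here.

```python
"""Triage the Network table: SMTP fan-out, hostnames sharing one IP,
external-IP lookups, odd ports, resolved-but-never-contacted domains.

Added example, not part of the sandbox report.  IP_ORACLES and the
recipient-domain heuristic are assumptions made here.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the table above, copied verbatim and in the printed order.
NETWORK_ROWS = """
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 8.8.8.8:53 worm.ws udp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:8080 worm.ws tcp
N/A 8.8.8.8:53 yahoo.com udp
N/A 8.8.8.8:53 mta7.am0.yahoodns.net udp
N/A 67.195.228.94:25 mta7.am0.yahoodns.net tcp
N/A 8.8.8.8:53 icanhazip.com udp
N/A 136.144.56.255:80 icanhazip.com tcp
N/A 8.8.8.8:53 seuufhehfueughek.ws udp
N/A 64.70.19.203:80 seuufhehfueughek.ws tcp
N/A 8.8.8.8:53 feuhdeuhduhuehdk.ws udp
N/A 64.70.19.203:80 feuhdeuhduhuehdk.ws tcp
N/A 8.8.8.8:53 feauhueudughuurk.ws udp
N/A 64.70.19.203:80 feauhueudughuurk.ws tcp
N/A 8.8.8.8:53 videotron.ca udp
N/A 8.8.8.8:53 mx.videotron.ca udp
N/A 24.201.245.37:25 mx.videotron.ca tcp
N/A 8.8.8.8:53 ryerson.ca udp
N/A 8.8.8.8:53 rscan.ryerson.ca udp
N/A 141.117.126.6:25 rscan.ryerson.ca tcp
N/A 8.8.8.8:53 shaw.ca udp
N/A 8.8.8.8:53 idcmail-mx2no.cg.shawcable.net udp
N/A 64.59.134.8:25 idcmail-mx2no.cg.shawcable.net tcp
N/A 8.8.8.8:53 1934.com udp
N/A 8.8.8.8:53 3796.com udp
N/A 8.8.8.8:53 seuufhehfueugheg.to udp
"""

ROW_RE = re.compile(
    r"^(?P<country>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<host>\S+) (?P<proto>tcp|udp)$"
)
# Assumption: services a bot contacts to learn its own public IP / geolocation.
IP_ORACLES = {"icanhazip.com", "api.wipmania.com"}


def parse_rows(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["port"] = int(d["port"])
            rows.append(d)
    return rows


def recipient_domain_guesses(rows):
    """Heuristic: DNS(D), DNS(H), TCP/25 to H in consecutive rows means D is a
    recipient domain whose MX host is H.  Assumes rows are in time order."""
    pairs = []
    for a, b, c in zip(rows, rows[1:], rows[2:]):
        if (c["proto"] == "tcp" and c["port"] == 25
                and b["proto"] == "udp" and b["host"] == c["host"]
                and a["proto"] == "udp" and a["host"] != c["host"]):
            pairs.append((a["host"], c["host"]))
    return pairs


def analyze(rows):
    tcp_hosts = {r["host"] for r in rows if r["proto"] == "tcp"}
    dns_only, smtp, by_ip = [], {}, defaultdict(set)
    for r in rows:
        if r["proto"] == "udp":
            if r["port"] == 53 and r["host"] not in tcp_hosts and r["host"] not in dns_only:
                dns_only.append(r["host"])          # resolved, never connected to
            continue
        by_ip[r["ip"]].add(r["host"])
        if r["port"] == 25:
            smtp[(r["ip"], r["host"])] = smtp.get((r["ip"], r["host"]), 0) + 1
    return {
        "smtp_targets": [(ip, h, n) for (ip, h), n in smtp.items()],
        "dns_only": dns_only,
        "shared_ip_clusters": {ip: sorted(h) for ip, h in by_ip.items() if len(h) >= 3},
        "ip_oracles": sorted(tcp_hosts & IP_ORACLES),
        "nonstandard_ports": sorted({(r["ip"], r["port"], r["host"]) for r in rows
                                     if r["proto"] == "tcp" and r["port"] not in (25, 80, 443)}),
        "recipient_domains": recipient_domain_guesses(rows),
    }


def report(result):
    out = [f"{len(result['smtp_targets'])} distinct MX hosts contacted on tcp/25"]
    out += [f"  {h} ({ip}) x{n}" for ip, h, n in result["smtp_targets"]]
    out += [f"{len(hs)} hostnames resolve to {ip}: {', '.join(hs)}"
            for ip, hs in result["shared_ip_clusters"].items()]
    out.append(f"external-IP/geo lookups: {', '.join(result['ip_oracles'])}")
    out.append(f"non-standard tcp ports: {result['nonstandard_ports']}")
    out.append(f"resolved but never connected: {', '.join(result['dns_only'])}")
    out += [f"  probable recipient domain {d} via MX {mx}" for d, mx in result["recipient_domains"]]
    return "\n".join(out)


if __name__ == "__main__":
    print(report(analyze(parse_rows(NETWORK_ROWS))))
```

On a workstation, any process other than a mail client opening outbound TCP/25 sessions to many distinct MX hosts is by itself a strong spam-bot signal, and egress filtering of port 25 to all but the organisation's own relays stops this module outright. The hostnames-per-IP view is the useful pivot for the .ws names: a single IP answering for a long list of random-looking labels is worth blocking as a unit rather than domain by domain. Domains in the DNS-only list are the ones to check against passive DNS, since the sandbox never shows whether they resolved at all.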

Files

memory/1096-0-0x000007FEF6510000-0x000007FEF678A000-memory.dmp

\1326261419625\svchost.exe

MD5 10941585e933119c70b14961e91acc82
SHA1 e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

memory/1136-2-0x0000000000000000-mapping.dmp

C:\1326261419625\svchost.exe

MD5 10941585e933119c70b14961e91acc82
SHA1 e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

C:\1326261419625\svchost.exe

MD5 10941585e933119c70b14961e91acc82
SHA1 e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

\Users\Admin\AppData\Local\Temp\1540428975.exe

MD5 10941585e933119c70b14961e91acc82
SHA1 e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

memory/852-6-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1540428975.exe

MD5 10941585e933119c70b14961e91acc82
SHA1 e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

\Users\Admin\AppData\Local\Temp\1252817773.exe

MD5 4a61038c4d176da1c3c522b57be2fe55
SHA1 3f8ec8a9c51e1ae444e58ee1f14d3556d6388f90
SHA256 9b4aba32e6f88813733cacf7c43896a3c7b81bda7e5dd3df5dd9877b9aa833f2
SHA512 76b2a3b790accc2ffc3c466494dbdaa7448ef4fe023d75129c63e5e64d5a91960460d88c65838592e6af750b219e420c55c7f0f4ef9d2237530a494e6c523f31

memory/1312-9-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1252817773.exe

MD5 4a61038c4d176da1c3c522b57be2fe55
SHA1 3f8ec8a9c51e1ae444e58ee1f14d3556d6388f90
SHA256 9b4aba32e6f88813733cacf7c43896a3c7b81bda7e5dd3df5dd9877b9aa833f2
SHA512 76b2a3b790accc2ffc3c466494dbdaa7448ef4fe023d75129c63e5e64d5a91960460d88c65838592e6af750b219e420c55c7f0f4ef9d2237530a494e6c523f31

\Users\Admin\AppData\Local\Temp\2908718115.exe

MD5 7f371679986c29befdf61c85c1262008
SHA1 f1b6a970675cd61dccee2f460685ea0922b55a3c
SHA256 2a3e09782d93ed6198e184ced21083b9c233f61a8c79aaa8cc9c383daefec581
SHA512 f9f998f4b7af9b425d5d00805c0bc7495b52b198d355ff2eb4654ca4920a9b048fdaa74c11cc13db4b87ed1bee933d0dc4a272edc0f254777867934979af92f2

memory/1384-12-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2908718115.exe

MD5 7f371679986c29befdf61c85c1262008
SHA1 f1b6a970675cd61dccee2f460685ea0922b55a3c
SHA256 2a3e09782d93ed6198e184ced21083b9c233f61a8c79aaa8cc9c383daefec581
SHA512 f9f998f4b7af9b425d5d00805c0bc7495b52b198d355ff2eb4654ca4920a9b048fdaa74c11cc13db4b87ed1bee933d0dc4a272edc0f254777867934979af92f2

\Users\Admin\AppData\Local\Temp\3640435775.exe
C:\Users\Admin\AppData\Local\Temp\3640435775.exe

MD5 f6e97a60aeb12d0cda2e80d9a2f81186
SHA1 9231abff318430e87b375ad12d2b4056ee8dfe50
SHA256 b40b1b80b7c3b81abe8cfcc94021201243649451ec8ab97f882e365e35aa79ec
SHA512 ab0bdf9fcee7bfd30d573b41d399c8712a4ee79e821779407d7c4d47dae9f33f0f7b3bd0861902607073f8dbd221f3b5bd01f26dc96326e9c11a766862f246c1

memory/240-15-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-11-19 09:32

Reported

2020-11-19 09:35

Platform

win10v20201028

Max time kernel

149s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\1893860866577\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2023616281.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1095910114.exe N/A

Reads user/profile data of web browsers

spyware

Windows security modification

evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\1893860866577\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\1893860866577\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\1893860866577\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\1893860866577\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\1893860866577\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\1893860866577\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\1893860866577\svchost.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1893860866577\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\1893860866577\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe

"C:\Users\Admin\AppData\Local\Temp\10941585e933119c70b14961e91acc82.exe"

C:\1893860866577\svchost.exe

C:\1893860866577\svchost.exe

C:\Users\Admin\AppData\Local\Temp\2023616281.exe

C:\Users\Admin\AppData\Local\Temp\2023616281.exe

C:\Users\Admin\AppData\Local\Temp\1095910114.exe

C:\Users\Admin\AppData\Local\Temp\1095910114.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 8.8.8.8:53 worm.ws udp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 217.8.117.10:80 worm.ws tcp
N/A 217.8.117.10:80 worm.ws tcp

Files

memory/4024-0-0x0000000000000000-mapping.dmp

C:\1893860866577\svchost.exe

MD5 10941585e933119c70b14961e91acc82
SHA1 e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

memory/576-3-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\2023616281.exe

MD5 10941585e933119c70b14961e91acc82
SHA1 e629db65702a4d84c9313c2918f5851bdb14b49e
SHA256 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1
SHA512 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450

memory/996-6-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\1095910114.exe

MD5 4a61038c4d176da1c3c522b57be2fe55
SHA1 3f8ec8a9c51e1ae444e58ee1f14d3556d6388f90
SHA256 9b4aba32e6f88813733cacf7c43896a3c7b81bda7e5dd3df5dd9877b9aa833f2
SHA512 76b2a3b790accc2ffc3c466494dbdaa7448ef4fe023d75129c63e5e64d5a91960460d88c65838592e6af750b219e420c55c7f0f4ef9d2237530a494e6c523f31
