Analysis Overview
SHA256
01b3da80517886f0b91023294da6be87ec44dd87eadc39b9141950fc54f96783
Threat Level: Known bad
The file bdc0968a6b40243c3b54fe554fa7567b.exe was found to be: Known bad.
Malicious Activity Summary
Phorphiex Worm
Windows security bypass
Phorphiex Payload
xmrig
XMRig Miner Payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Windows security modification
Drops startup file
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2020-11-28 10:18 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2020-11-28 10:18 |
| Reported | 2020-11-28 10:20 |
| Platform | win7v20201028 |
| Max time kernel | 151s |
| Max time network | 151s |
Command Line
Signatures
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2D.exe | N/A |
| N/A | N/A | C:\93902715619932\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3929931926.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1832623972.exe | N/A |
| N/A | N/A | C:\2054723263257\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3284912040.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1983638296.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bdc0968a6b40243c3b54fe554fa7567b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\F2D.exe | N/A |
| N/A | N/A | C:\93902715619932\svchost.exe | N/A |
| N/A | N/A | C:\93902715619932\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3929931926.exe | N/A |
| N/A | N/A | C:\2054723263257\svchost.exe | N/A |
| N/A | N/A | C:\2054723263257\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\2054723263257\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\93902715619932\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\93902715619932\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\93902715619932\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\2054723263257\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\2054723263257\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\2054723263257\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\2054723263257\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\93902715619932\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\93902715619932\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\93902715619932\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\2054723263257\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\93902715619932\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\2054723263257\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\93902715619932\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\F2D.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\93902715619932\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\F2D.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2054723263257\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\3929931926.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2054723263257\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\3929931926.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\bdc0968a6b40243c3b54fe554fa7567b.exe | "C:\Users\Admin\AppData\Local\Temp\bdc0968a6b40243c3b54fe554fa7567b.exe" |
| C:\Users\Admin\AppData\Local\Temp\F2D.exe | "C:\Users\Admin\AppData\Local\Temp\F2D.exe" |
| C:\93902715619932\svchost.exe | C:\93902715619932\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\3929931926.exe | C:\Users\Admin\AppData\Local\Temp\3929931926.exe |
| C:\Users\Admin\AppData\Local\Temp\1832623972.exe | C:\Users\Admin\AppData\Local\Temp\1832623972.exe |
| C:\2054723263257\svchost.exe | C:\2054723263257\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\3284912040.exe | C:\Users\Admin\AppData\Local\Temp\3284912040.exe |
| C:\Users\Admin\AppData\Local\Temp\1983638296.exe | C:\Users\Admin\AppData\Local\Temp\1983638296.exe |
Network
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2020-11-28 10:18 |
| Reported | 2020-11-28 10:20 |
| Platform | win10v20201028 |
| Max time kernel | 150s |
| Max time network | 151s |
Command Line
Signatures
Phorphiex Payload
Phorphiex Worm
Windows security bypass
xmrig
XMRig Miner Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6344.exe | N/A |
| N/A | N/A | C:\292391863416576\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1906625719.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1272213199.exe | N/A |
| N/A | N/A | C:\216192968722883\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3260731160.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1603022934.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\35651.exe | N/A |
UPX packed file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ulZYCdTsml.url | C:\Windows\SysWOW64\wscript.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\216192968722883\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\216192968722883\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\292391863416576\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\292391863416576\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\292391863416576\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\292391863416576\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\292391863416576\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\216192968722883\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\216192968722883\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\292391863416576\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\216192968722883\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\216192968722883\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\216192968722883\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\292391863416576\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\216192968722883\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1906625719.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\292391863416576\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\6344.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\292391863416576\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\6344.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\216192968722883\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1906625719.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2660 set thread context of 1836 | N/A | C:\Users\Admin\AppData\Local\Temp\35651.exe | C:\Windows\notepad.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\35651.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\notepad.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bdc0968a6b40243c3b54fe554fa7567b.exe
"C:\Users\Admin\AppData\Local\Temp\bdc0968a6b40243c3b54fe554fa7567b.exe"
C:\Users\Admin\AppData\Local\Temp\6344.exe
"C:\Users\Admin\AppData\Local\Temp\6344.exe"
C:\292391863416576\svchost.exe
C:\292391863416576\svchost.exe
C:\Users\Admin\AppData\Local\Temp\1906625719.exe
C:\Users\Admin\AppData\Local\Temp\1906625719.exe
C:\Users\Admin\AppData\Local\Temp\1272213199.exe
C:\Users\Admin\AppData\Local\Temp\1272213199.exe
C:\216192968722883\svchost.exe
C:\216192968722883\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3260731160.exe
C:\Users\Admin\AppData\Local\Temp\3260731160.exe
C:\Users\Admin\AppData\Local\Temp\1603022934.exe
C:\Users\Admin\AppData\Local\Temp\1603022934.exe
C:\Users\Admin\AppData\Local\Temp\35651.exe
C:\Users\Admin\AppData\Local\Temp\35651.exe
C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\PnQssBdbSh\cfgi"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\PnQssBdbSh\r.vbs"
C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\PnQssBdbSh\r.vbs"
Network
Files