Analysis Overview
SHA256
fe3428c2f1613c72ef1612b6876239ec8cc058628e8240664315359802215af1
Threat Level: Known bad
The file 465c8cac1040a56b514c0998b998550a.exe was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
xmrig
Phorphiex Worm
Phorphiex Payload
XMRig Miner Payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops startup file
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-11-29 07:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-11-29 07:22
Reported
2020-11-29 07:24
Platform
win7v20201028
Max time kernel
151s
Max time network
152s
Signatures
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2B54.exe | N/A |
| N/A | N/A | C:\4674217239782\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1193721419.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2132838141.exe | N/A |
| N/A | N/A | C:\220592644020915\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1576829447.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1457310523.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\465c8cac1040a56b514c0998b998550a.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2B54.exe | N/A |
| N/A | N/A | C:\4674217239782\svchost.exe | N/A |
| N/A | N/A | C:\4674217239782\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1193721419.exe | N/A |
| N/A | N/A | C:\220592644020915\svchost.exe | N/A |
| N/A | N/A | C:\220592644020915\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\220592644020915\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\4674217239782\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\4674217239782\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\220592644020915\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\220592644020915\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\220592644020915\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\4674217239782\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\4674217239782\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\220592644020915\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\4674217239782\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\4674217239782\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\220592644020915\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\4674217239782\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\220592644020915\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\4674217239782\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\2B54.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\4674217239782\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\2B54.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\220592644020915\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1193721419.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\220592644020915\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1193721419.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\465c8cac1040a56b514c0998b998550a.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\465c8cac1040a56b514c0998b998550a.exe | "C:\Users\Admin\AppData\Local\Temp\465c8cac1040a56b514c0998b998550a.exe" |
| C:\Users\Admin\AppData\Local\Temp\2B54.exe | "C:\Users\Admin\AppData\Local\Temp\2B54.exe" |
| C:\4674217239782\svchost.exe | C:\4674217239782\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\1193721419.exe | C:\Users\Admin\AppData\Local\Temp\1193721419.exe |
| C:\Users\Admin\AppData\Local\Temp\2132838141.exe | C:\Users\Admin\AppData\Local\Temp\2132838141.exe |
| C:\220592644020915\svchost.exe | C:\220592644020915\svchost.exe |
| C:\Users\Admin\AppData\Local\Temp\1576829447.exe | C:\Users\Admin\AppData\Local\Temp\1576829447.exe |
| C:\Users\Admin\AppData\Local\Temp\1457310523.exe | C:\Users\Admin\AppData\Local\Temp\1457310523.exe |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2020-11-29 07:22
Reported
2020-11-29 07:24
Platform
win10v20201028
Max time kernel
149s
Max time network
150s
Signatures
Phorphiex Payload
Phorphiex Worm
Windows security bypass
xmrig
XMRig Miner Payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6046.exe | N/A |
| N/A | N/A | C:\85191280014434\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1047923475.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2629828513.exe | N/A |
| N/A | N/A | C:\41651833220639\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3229329119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1697131715.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\17975.exe | N/A |
UPX packed file
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ulZYCdTsml.url | C:\Windows\SysWOW64\wscript.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\41651833220639\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\41651833220639\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\85191280014434\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\41651833220639\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\41651833220639\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\41651833220639\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\41651833220639\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\85191280014434\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\85191280014434\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\85191280014434\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\85191280014434\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\85191280014434\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\85191280014434\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\41651833220639\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\41651833220639\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1047923475.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\41651833220639\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\1047923475.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\85191280014434\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\6046.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\85191280014434\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\6046.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2656 set thread context of 756 | N/A | C:\Users\Admin\AppData\Local\Temp\17975.exe | C:\Windows\notepad.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17975.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\notepad.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\notepad.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\465c8cac1040a56b514c0998b998550a.exe
"C:\Users\Admin\AppData\Local\Temp\465c8cac1040a56b514c0998b998550a.exe"
C:\Users\Admin\AppData\Local\Temp\6046.exe
"C:\Users\Admin\AppData\Local\Temp\6046.exe"
C:\85191280014434\svchost.exe
C:\85191280014434\svchost.exe
C:\Users\Admin\AppData\Local\Temp\1047923475.exe
C:\Users\Admin\AppData\Local\Temp\1047923475.exe
C:\Users\Admin\AppData\Local\Temp\2629828513.exe
C:\Users\Admin\AppData\Local\Temp\2629828513.exe
C:\41651833220639\svchost.exe
C:\41651833220639\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3229329119.exe
C:\Users\Admin\AppData\Local\Temp\3229329119.exe
C:\Users\Admin\AppData\Local\Temp\1697131715.exe
C:\Users\Admin\AppData\Local\Temp\1697131715.exe
C:\Users\Admin\AppData\Local\Temp\17975.exe
C:\Users\Admin\AppData\Local\Temp\17975.exe
C:\Windows\notepad.exe
"C:\Windows\notepad.exe" -c "C:\ProgramData\PnQssBdbSh\cfgi"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C WScript "C:\ProgramData\PnQssBdbSh\r.vbs"
C:\Windows\SysWOW64\wscript.exe
WScript "C:\ProgramData\PnQssBdbSh\r.vbs"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | tldrnet.top | udp |
| N/A | 217.8.117.10:80 | tldrnet.top | tcp |
| N/A | 8.8.8.8:53 | api.wipmania.com | udp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 8.8.8.8:53 | worm.ws | udp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 8.8.8.8:53 | seuufhehfueughek.ws | udp |
| N/A | 64.70.19.203:80 | seuufhehfueughek.ws | tcp |
| N/A | 64.70.19.203:80 | seuufhehfueughek.ws | tcp |
| N/A | 64.70.19.203:80 | seuufhehfueughek.ws | tcp |
| N/A | 64.70.19.203:80 | seuufhehfueughek.ws | tcp |
| N/A | 64.70.19.203:80 | seuufhehfueughek.ws | tcp |
| N/A | 64.70.19.203:80 | seuufhehfueughek.ws | tcp |
| N/A | 8.8.8.8:53 | feuhdeuhduhuehdk.ws | udp |
| N/A | 64.70.19.203:80 | feuhdeuhduhuehdk.ws | tcp |
| N/A | 64.70.19.203:80 | feuhdeuhduhuehdk.ws | tcp |
| N/A | 64.70.19.203:80 | feuhdeuhduhuehdk.ws | tcp |
| N/A | 64.70.19.203:80 | feuhdeuhduhuehdk.ws | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 64.70.19.203:80 | feuhdeuhduhuehdk.ws | tcp |
| N/A | 64.70.19.203:80 | feuhdeuhduhuehdk.ws | tcp |
| N/A | 8.8.8.8:53 | feauhueudughuurk.ws | udp |
| N/A | 64.70.19.203:80 | feauhueudughuurk.ws | tcp |
| N/A | 64.70.19.203:80 | feauhueudughuurk.ws | tcp |
| N/A | 64.70.19.203:80 | feauhueudughuurk.ws | tcp |
| N/A | 64.70.19.203:80 | feauhueudughuurk.ws | tcp |
| N/A | 64.70.19.203:80 | feauhueudughuurk.ws | tcp |
| N/A | 64.70.19.203:80 | feauhueudughuurk.ws | tcp |
| N/A | 8.8.8.8:53 | fheuhdwdzwgzdggk.ws | udp |
| N/A | 64.70.19.203:80 | fheuhdwdzwgzdggk.ws | tcp |
| N/A | 64.70.19.203:80 | fheuhdwdzwgzdggk.ws | tcp |
| N/A | 64.70.19.203:80 | fheuhdwdzwgzdggk.ws | tcp |
| N/A | 64.70.19.203:80 | fheuhdwdzwgzdggk.ws | tcp |
| N/A | 64.70.19.203:80 | fheuhdwdzwgzdggk.ws | tcp |
| N/A | 64.70.19.203:80 | fheuhdwdzwgzdggk.ws | tcp |
| N/A | 8.8.8.8:53 | faugzeazdezgzgfk.ws | udp |
| N/A | 64.70.19.203:80 | faugzeazdezgzgfk.ws | tcp |
| N/A | 64.70.19.203:80 | faugzeazdezgzgfk.ws | tcp |
| N/A | 64.70.19.203:80 | faugzeazdezgzgfk.ws | tcp |
| N/A | 64.70.19.203:80 | faugzeazdezgzgfk.ws | tcp |
| N/A | 64.70.19.203:80 | faugzeazdezgzgfk.ws | tcp |
| N/A | 64.70.19.203:80 | faugzeazdezgzgfk.ws | tcp |
| N/A | 8.8.8.8:53 | wduufbaueeubffgk.ws | udp |
| N/A | 64.70.19.203:80 | wduufbaueeubffgk.ws | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 64.70.19.203:80 | wduufbaueeubffgk.ws | tcp |
| N/A | 64.70.19.203:80 | wduufbaueeubffgk.ws | tcp |
| N/A | 64.70.19.203:80 | wduufbaueeubffgk.ws | tcp |
| N/A | 64.70.19.203:80 | wduufbaueeubffgk.ws | tcp |
| N/A | 64.70.19.203:80 | wduufbaueeubffgk.ws | tcp |
| N/A | 8.8.8.8:53 | okdoekeoehghaoek.ws | udp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 217.8.117.10:80 | worm.ws | tcp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp |
| N/A | 8.8.8.8:53 | efuheruhdehduhgk.ws | udp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 217.8.117.10:8080 | worm.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp |
| N/A | 8.8.8.8:53 | eafueudzefverrgk.ws | udp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp |
| N/A | 8.8.8.8:53 | deauduafzgezzfgk.ws | udp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp |
| N/A | 8.8.8.8:53 | gaueudbuwdbuguuk.ws | udp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp |
| N/A | 8.8.8.8:53 | efeuafubeubaefuk.ws | udp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp |
| N/A | 8.8.8.8:53 | eafuebdbedbedggk.ws | udp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp |
| N/A | 8.8.8.8:53 | wdkowdohwodhfhfk.ws | udp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp |
| N/A | 8.8.8.8:53 | efaeduvedvzfufuk.ws | udp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp |
| N/A | 8.8.8.8:53 | edhuaudhuedugufk.ws | udp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp |
| N/A | 8.8.8.8:53 | eaffuebudbeudbbk.ws | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | worm.top | udp |
| N/A | 8.8.8.8:53 | seuufhehfueugheg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | feuhdeuhduhuehdg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | feauhueudughuurg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | fheuhdwdzwgzdggg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | faugzeazdezgzgfg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | wduufbaueeubffgg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | okdoekeoehghaoeg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | efuheruhdehduhgg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | eafueudzefverrgg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | deauduafzgezzfgg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | gaueudbuwdbuguug.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | efeuafubeubaefug.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | eafuebdbedbedggg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | worm.top | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | wdkowdohwodhfhfg.to | udp |
| N/A | 217.8.117.10:5555 | worm.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | efaeduvedvzfufug.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | edhuaudhuedugufg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | eaffuebudbeudbbg.to | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | seuufhehfueughem.top | udp |
| N/A | 208.100.26.245:80 | seuufhehfueughem.top | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | feuhdeuhduhuehdm.top | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | feauhueudughuurm.top | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | fheuhdwdzwgzdggm.top | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | faugzeazdezgzgfm.top | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | wduufbaueeubffgm.top | udp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp |
| N/A | 8.8.8.8:53 | okdoekeoehghaoem.top | udp |
| N/A | 8.8.8.8:53 | seuufhehfueugheg.to | udp |
| N/A | 8.8.8.8:53 | efuheruhdehduhgm.top | udp |
| N/A | 8.8.8.8:53 | feuhdeuhduhuehdg.to | udp |
| N/A | 8.8.8.8:53 | eafueudzefverrgm.top | udp |
| N/A | 8.8.8.8:53 | feauhueudughuurg.to | udp |
| N/A | 8.8.8.8:53 | deauduafzgezzfgm.top | udp |
| N/A | 8.8.8.8:53 | fheuhdwdzwgzdggg.to | udp |
| N/A | 8.8.8.8:53 | gaueudbuwdbuguum.top | udp |
| N/A | 8.8.8.8:53 | faugzeazdezgzgfg.to | udp |
| N/A | 8.8.8.8:53 | efeuafubeubaefum.top | udp |
| N/A | 8.8.8.8:53 | wduufbaueeubffgg.to | udp |
| N/A | 8.8.8.8:53 | eafuebdbedbedggm.top | udp |
| N/A | 8.8.8.8:53 | okdoekeoehghaoeg.to | udp |
| N/A | 8.8.8.8:53 | wdkowdohwodhfhfm.top | udp |
| N/A | 8.8.8.8:53 | efuheruhdehduhgg.to | udp |
| N/A | 8.8.8.8:53 | efaeduvedvzfufum.top | udp |
| N/A | 8.8.8.8:53 | eafueudzefverrgg.to | udp |
| N/A | 8.8.8.8:53 | edhuaudhuedugufm.top | udp |
| N/A | 8.8.8.8:53 | deauduafzgezzfgg.to | udp |
| N/A | 8.8.8.8:53 | eaffuebudbeudbbm.top | udp |
| N/A | 8.8.8.8:53 | gaueudbuwdbuguug.to | udp |
| N/A | 8.8.8.8:53 | tsrv1.ws | udp |
| N/A | 8.8.8.8:53 | efeuafubeubaefug.to | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | eafuebdbedbedggg.to | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | wdkowdohwodhfhfg.to | udp |
| N/A | 8.8.8.8:53 | efaeduvedvzfufug.to | udp |
| N/A | 8.8.8.8:53 | edhuaudhuedugufg.to | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | eaffuebudbeudbbg.to | udp |
| N/A | 208.100.26.245:80 | seuufhehfueughem.top | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | feuhdeuhduhuehdm.top | udp |
| N/A | 8.8.8.8:53 | feauhueudughuurm.top | udp |
| N/A | 8.8.8.8:53 | tsrv2.top | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | fheuhdwdzwgzdggm.top | udp |
| N/A | 8.8.8.8:53 | faugzeazdezgzgfm.top | udp |
| N/A | 8.8.8.8:53 | wduufbaueeubffgm.top | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | okdoekeoehghaoem.top | udp |
| N/A | 8.8.8.8:53 | efuheruhdehduhgm.top | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | eafueudzefverrgm.top | udp |
| N/A | 8.8.8.8:53 | deauduafzgezzfgm.top | udp |
| N/A | 8.8.8.8:53 | gaueudbuwdbuguum.top | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | efeuafubeubaefum.top | udp |
| N/A | 8.8.8.8:53 | tsrv3.ru | udp |
| N/A | 8.8.8.8:53 | eafuebdbedbedggm.top | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | wdkowdohwodhfhfm.top | udp |
| N/A | 8.8.8.8:53 | efaeduvedvzfufum.top | udp |
| N/A | 8.8.8.8:53 | edhuaudhuedugufm.top | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | eaffuebudbeudbbm.top | udp |
| N/A | 8.8.8.8:53 | tsrv1.ws | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | tsrv4.ws | udp |
| N/A | 217.8.117.10:80 | tsrv4.ws | tcp |
| N/A | 217.8.117.10:80 | tsrv4.ws | tcp |
| N/A | 217.8.117.10:80 | tsrv4.ws | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | tsrv5.top | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 217.8.117.10:80 | tsrv4.ws | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 217.8.117.10:80 | tsrv4.ws | tcp |
| N/A | 217.8.117.10:80 | tsrv4.ws | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\6046.exe
| MD5 | 10941585e933119c70b14961e91acc82 |
| SHA1 | e629db65702a4d84c9313c2918f5851bdb14b49e |
| SHA256 | 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1 |
| SHA512 | 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450 |
memory/752-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\6046.exe
| MD5 | 10941585e933119c70b14961e91acc82 |
| SHA1 | e629db65702a4d84c9313c2918f5851bdb14b49e |
| SHA256 | 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1 |
| SHA512 | 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450 |
memory/2268-5-0x0000000000000000-mapping.dmp
C:\85191280014434\svchost.exe
| MD5 | 10941585e933119c70b14961e91acc82 |
| SHA1 | e629db65702a4d84c9313c2918f5851bdb14b49e |
| SHA256 | 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1 |
| SHA512 | 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450 |
C:\85191280014434\svchost.exe
| MD5 | 10941585e933119c70b14961e91acc82 |
| SHA1 | e629db65702a4d84c9313c2918f5851bdb14b49e |
| SHA256 | 38637b0bf898df12f7549c595eb255b38995e8da8058bff700428d90e98052c1 |
| SHA512 | 8f620be8bdee03372af507e57e5a2d8f98b3b5ee6f50d37b43c94ecd93255d7dd052b2d51ee83c27e03353154f005636870dee6961f8d0b3d49b600ffe7d2450 |
memory/1308-8-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1047923475.exe
| MD5 | 2b7a233816d3ea9be1b14bc2ae52ebb8 |
| SHA1 | c84ade76f07945c510f52739797484db02393a11 |
| SHA256 | 311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47 |
| SHA512 | d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037 |
C:\Users\Admin\AppData\Local\Temp\1047923475.exe
| MD5 | 2b7a233816d3ea9be1b14bc2ae52ebb8 |
| SHA1 | c84ade76f07945c510f52739797484db02393a11 |
| SHA256 | 311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47 |
| SHA512 | d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037 |
memory/1304-11-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2629828513.exe
| MD5 | c692e385134135211b73973cf6c35acb |
| SHA1 | 03accccdf6abf730f1af8ccf136ab36ec5ad02ad |
| SHA256 | e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea |
| SHA512 | 179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6 |
C:\Users\Admin\AppData\Local\Temp\2629828513.exe
| MD5 | c692e385134135211b73973cf6c35acb |
| SHA1 | 03accccdf6abf730f1af8ccf136ab36ec5ad02ad |
| SHA256 | e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea |
| SHA512 | 179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6 |
memory/496-14-0x0000000000000000-mapping.dmp
C:\41651833220639\svchost.exe
| MD5 | 2b7a233816d3ea9be1b14bc2ae52ebb8 |
| SHA1 | c84ade76f07945c510f52739797484db02393a11 |
| SHA256 | 311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47 |
| SHA512 | d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037 |
C:\41651833220639\svchost.exe
| MD5 | 2b7a233816d3ea9be1b14bc2ae52ebb8 |
| SHA1 | c84ade76f07945c510f52739797484db02393a11 |
| SHA256 | 311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47 |
| SHA512 | d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\1[1]
| MD5 | 2275ed13db4f19a4d2b3bfc66deb63d9 |
| SHA1 | 0dac76d19829e5d40482e0c03c7bfa275196f8bb |
| SHA256 | da977d81ecf967e1a7d54b59273e6140b57678d765b42169664a81ff8c146e39 |
| SHA512 | 97fcb5babceb1f498976ca2409fcd03f19427dac579975c6285e2b04118f7619277c65b579436a15b2dca48537ad2465e7019fe694e9cd97e68eb4cd9d7595c1 |
memory/8-18-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3229329119.exe
| MD5 | 2b7a233816d3ea9be1b14bc2ae52ebb8 |
| SHA1 | c84ade76f07945c510f52739797484db02393a11 |
| SHA256 | 311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47 |
| SHA512 | d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037 |
C:\Users\Admin\AppData\Local\Temp\3229329119.exe
| MD5 | 2b7a233816d3ea9be1b14bc2ae52ebb8 |
| SHA1 | c84ade76f07945c510f52739797484db02393a11 |
| SHA256 | 311168b8f1914a7427453d8c931ee8e78639aa6dba21265adaee4313b41d8e47 |
| SHA512 | d9f83e476b899d96545bfdba857dc124fdb725184a4a7168ff4aa757d151f83019c9bea8e1a27657b621cf55bd77bbc99f423ca5fe9af84210ee3cefbc09e037 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\2[1]
| MD5 | 01b67463f2d156f8967df65d266b0544 |
| SHA1 | 14862f60b8bbb2336a13697edcaa3bb55edaeb19 |
| SHA256 | 65dfc887457748fd1194153c5c6e36c5414015abffd23cc961bf086714c6b0c1 |
| SHA512 | 98c4e1a26074ab6fd146cebf2f3fff139bf39b9862c734db168e8be10f4fcf1f17a5b7b59db26d62ea8d7ff8e7b6086ece3e9a602295dca7543fba2d09b6a52f |
memory/412-22-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1697131715.exe
| MD5 | c692e385134135211b73973cf6c35acb |
| SHA1 | 03accccdf6abf730f1af8ccf136ab36ec5ad02ad |
| SHA256 | e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea |
| SHA512 | 179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6 |
C:\Users\Admin\AppData\Local\Temp\1697131715.exe
| MD5 | c692e385134135211b73973cf6c35acb |
| SHA1 | 03accccdf6abf730f1af8ccf136ab36ec5ad02ad |
| SHA256 | e84bfd2d79fdf46fd4202725dceb92e3605c2035565511e3d45601a528fd81ea |
| SHA512 | 179d179c3c73f8d9e90e7db2c1cf7376a684e62f2329635d1b5170826930a95017f02fafdcf40cce6a2e5a35a254b8aabf7c72b0862f1dd19e7b4773c861a3c6 |
memory/2656-25-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\17975.exe
| MD5 | 215dc4d9de61e4bebb4fb60f1e1fab4a |
| SHA1 | b33581c68016d1d3db429053aef73a92f815b950 |
| SHA256 | 2f1adc1cb3f881d33017ecadb9dfbb4471662ac486d16c7b60680df58839c32c |
| SHA512 | 929316c0ec8bc639739036747ed2ee2371871222c1855d5082210aff792de91c67ce56554d6ea95a550b000bba0f289eb4843db54b89478049df00875959c7ff |
C:\Users\Admin\AppData\Local\Temp\17975.exe
| MD5 | 215dc4d9de61e4bebb4fb60f1e1fab4a |
| SHA1 | b33581c68016d1d3db429053aef73a92f815b950 |
| SHA256 | 2f1adc1cb3f881d33017ecadb9dfbb4471662ac486d16c7b60680df58839c32c |
| SHA512 | 929316c0ec8bc639739036747ed2ee2371871222c1855d5082210aff792de91c67ce56554d6ea95a550b000bba0f289eb4843db54b89478049df00875959c7ff |
memory/2656-29-0x00000000050A0000-0x00000000050A1000-memory.dmp
memory/756-30-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/756-31-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/756-32-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/756-33-0x0000000000A14AA0-mapping.dmp
memory/756-34-0x0000000000400000-0x0000000000A16000-memory.dmp
C:\ProgramData\PnQssBdbSh\cfgi
| MD5 | d91c40a4056494023ae54f0563e5bb89 |
| SHA1 | 416b135965be1fb506b0f6bfcc6c2b234b25145c |
| SHA256 | dd996bb09570904d7d08185fb76cfe80bfb5d44a7e36854ee52334eeab8334ea |
| SHA512 | 403291ae3e90e3b7c7645dcb226151ea5e05a78cb8c044154a6d40398ebcfe6a1be4d8df5305ef0bfb50e9a3da60c363976355975a56ddda3026a55afdad5e0e |
memory/756-36-0x0000000000400000-0x0000000000A16000-memory.dmp
memory/3612-37-0x0000000000000000-mapping.dmp
memory/2608-38-0x0000000000000000-mapping.dmp
C:\ProgramData\PnQssBdbSh\r.vbs
| MD5 | d9b393e0df878eadc62db1df2fdaae29 |
| SHA1 | 71393f6cca2f9727b5f9953a3b21784267131c60 |
| SHA256 | aab053f4effc02e94020eb3e80f11dd37ed2459bbaad5154605a1bb6b44cf5e0 |
| SHA512 | d95a5a95e2d37b90792480c172a2eb58e9f881d258d375ef051e87d4159c2ffc327fb96b6ff38bbaf65da0efa12a7f7d96d66fba7b9062452eb28e088a287852 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ulZYCdTsml.url
| MD5 | dc6c58f0b92c049a61cf70148ea1dbd9 |
| SHA1 | 2f3a61fc7a2bfc8a8b0cc368aa153905dec1a06a |
| SHA256 | ef58b218662edfb165c814ce47fee0b98b4c774f963ad93d66cbc6903f92aed5 |
| SHA512 | 58eebadd2b546d459d39f7024834607dc3e8f65084d4323a6be567d301c2cc1ffcf78a9672019f8b45093352f8a5ba4ed88c63f1173eab662e3f386671c1f1a0 |