Analysis Overview
SHA256
53cae19aa470b038966c47f8e7361fde1da99f4f54ea97ab3fb7198506ecbc3d
Threat Level: Known bad
The file c7cf7d0b57ec48df2c660cbaaa2f921a.exe was found to be: Known bad.
Malicious Activity Summary
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2020-12-26 07:53
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2020-12-26 07:53
Reported
2020-12-26 07:55
Platform
win7v20201028
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\c7cf7d0b57ec48df2c660cbaaa2f921a.exe
"C:\Users\Admin\AppData\Local\Temp\c7cf7d0b57ec48df2c660cbaaa2f921a.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | tsrv4.ws | udp |
| N/A | 185.215.113.10:80 | tsrv4.ws | tcp |
Files
memory/1972-2-0x000007FEF6510000-0x000007FEF678A000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2020-12-26 07:53
Reported
2020-12-26 07:55
Platform
win10v20201028
Max time kernel
150s
Max time network
147s
Command Line
Signatures
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82E1.exe | N/A |
| N/A | N/A | C:\111451198912179\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3146837468.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2406415636.exe | N/A |
| N/A | N/A | C:\2169476693253\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2746511107.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2728537196.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\2169476693253\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\2169476693253\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\2169476693253\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\2169476693253\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\111451198912179\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\111451198912179\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\111451198912179\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\2169476693253\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\111451198912179\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\2169476693253\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\111451198912179\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\111451198912179\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\111451198912179\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\2169476693253\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\111451198912179\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\82E1.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2169476693253\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\3146837468.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\2169476693253\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\3146837468.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\111451198912179\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\82E1.exe | N/A |
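The registry rows above translate directly into a hunt: Security Center *Override / *DisableNotify values forced to 1 by a non-system process, and a Run value whose display name ("Host Process for Windows Services") copies the file description of the real svchost.exe while its target is a svchost.exe copy under a numeric directory at the drive root. The Python below is an added example, not part of the sandbox report. It classifies registry value-set events against those two behaviours; the event records are constructed from the indicator rows plus one benign control, the field names process/key/data are an assumption of this example, and the rule is deliberately broader than the report's paths: it flags any svchost.exe registered in Run from outside System32/SysWOW64.

```python
"""Registry-based hunt for the two behaviours this report records: Security
Center override/notification values forced to 1, and a Run value that launches
a svchost.exe from outside the Windows system directories.
Added example, not part of the sandbox report. The events below are constructed
from the report's indicator rows (plus one benign control), not live telemetry;
the event field names (process, key, data) are an assumption of this example."""
import ntpath
import re

# Security Center values the sample set to 1 (names taken from the report).
SECURITY_CENTER_FLAGS = {
    "AntiVirusDisableNotify", "AntiVirusOverride", "AntiSpywareOverride",
    "FirewallDisableNotify", "FirewallOverride",
    "UpdatesDisableNotify", "UpdatesOverride",
}
SECURITY_CENTER_RE = re.compile(
    r"\\Microsoft\\Security Center\\(?P<name>\w+)$", re.IGNORECASE)
RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# The only directories where the genuine svchost.exe lives.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def _target_path(value_data):
    """Extract the executable path from Run value data (quoted or bare, with
    optional arguments). Doubled backslashes, as printed in the report, are
    collapsed so the report's own rows can be fed in unchanged."""
    data = value_data.strip().replace("\\\\", "\\")
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def classify_registry_set(event):
    """Return a finding string for one registry value-set event, or None.
    event = {"process": image path, "key": full value path, "data": value}."""
    key, data, proc = event["key"], str(event["data"]), event["process"]
    m = SECURITY_CENTER_RE.search(key)
    if m and m.group("name") in SECURITY_CENTER_FLAGS and data.strip() == "1":
        return f"security-center-tamper: {m.group('name')}=1 by {proc}"
    m = RUN_KEY_RE.search(key)
    if m:
        target = _target_path(data)
        if (ntpath.basename(target).lower() == "svchost.exe"
                and ntpath.dirname(target).lower() not in SYSTEM_DIRS):
            return (f"run-key-persistence: '{m.group('name')}' -> {target} "
                    f"set by {proc}")
    return None


def hunt(events):
    """Run the classifier over a list of events; findings keep input order."""
    return [f for f in map(classify_registry_set, events) if f]


SAMPLE_EVENTS = [  # constructed from the report's indicator rows
    {"process": r"C:\2169476693253\svchost.exe",
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "data": "1"},
    {"process": r"C:\Users\Admin\AppData\Local\Temp\82E1.exe",
     "key": r"HKU\S-1-5-21-1985363256-3005190890-1182679451-1000\Software"
            r"\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services",
     "data": r"C:\\111451198912179\\svchost.exe"},  # as printed in the report
    {"process": r"C:\Program Files\Vendor\setup.exe",  # benign control, constructed
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r'"C:\Program Files\Vendor\updater.exe" /background'},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Feed it Sysmon Event ID 13 (RegistryEvent, value set) records mapped onto the same three fields. The Security Center check is high-fidelity on its own; the svchost.exe rule is scoped to the Run key on purpose, since legitimate software has no reason to register a svchost.exe there, and the "WOW6432Node" in the report's paths is just the 32-bit registry redirection of the same keys, which the regexes match either way.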
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c7cf7d0b57ec48df2c660cbaaa2f921a.exe
"C:\Users\Admin\AppData\Local\Temp\c7cf7d0b57ec48df2c660cbaaa2f921a.exe"
C:\Users\Admin\AppData\Local\Temp\82E1.exe
"C:\Users\Admin\AppData\Local\Temp\82E1.exe"
C:\111451198912179\svchost.exe
C:\111451198912179\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3146837468.exe
C:\Users\Admin\AppData\Local\Temp\3146837468.exe
C:\Users\Admin\AppData\Local\Temp\2406415636.exe
C:\Users\Admin\AppData\Local\Temp\2406415636.exe
C:\2169476693253\svchost.exe
C:\2169476693253\svchost.exe
C:\Users\Admin\AppData\Local\Temp\2746511107.exe
C:\Users\Admin\AppData\Local\Temp\2746511107.exe
C:\Users\Admin\AppData\Local\Temp\2728537196.exe
C:\Users\Admin\AppData\Local\Temp\2728537196.exe
Network
Unique destinations; repeated connections to the same destination, domain and protocol are collapsed into the count in the last column.
| Country | Destination | Domain | Proto | Connections |
| N/A | 8.8.8.8:53 | tsrv4.ws | udp | 1 |
| N/A | 185.215.113.10:80 | tsrv4.ws | tcp | 9 |
| N/A | 8.8.8.8:53 | api.wipmania.com | udp | 1 |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp | 5 |
| N/A | 8.8.8.8:53 | seuufhehfueughek.ws | udp | 1 |
| N/A | 64.70.19.203:80 | seuufhehfueughek.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | feuhdeuhduhuehdk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | feuhdeuhduhuehdk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | feauhueudughuurk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | feauhueudughuurk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | fheuhdwdzwgzdggk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | fheuhdwdzwgzdggk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | faugzeazdezgzgfk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | faugzeazdezgzgfk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | wduufbaueeubffgk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | wduufbaueeubffgk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | okdoekeoehghaoek.ws | udp | 1 |
| N/A | 64.70.19.203:80 | okdoekeoehghaoek.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | efuheruhdehduhgk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | efuheruhdehduhgk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | eafueudzefverrgk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | eafueudzefverrgk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | deauduafzgezzfgk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | deauduafzgezzfgk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | tsrv1.ws | udp | 1 |
| N/A | 45.182.189.251:80 | tsrv1.ws | tcp | 2 |
| N/A | 8.8.8.8:53 | tsrv2.top | udp | 1 |
| N/A | 8.8.8.8:53 | gaueudbuwdbuguuk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | gaueudbuwdbuguuk.ws | tcp | 6 |
| N/A | 127.0.0.1:80 | (none) | tcp | 26 |
| N/A | 8.8.8.8:53 | efeuafubeubaefuk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | efeuafubeubaefuk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | eafuebdbedbedggk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | eafuebdbedbedggk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | tsrv3.ru | udp | 1 |
| N/A | 8.8.8.8:53 | wdkowdohwodhfhfk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | wdkowdohwodhfhfk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | efaeduvedvzfufuk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | efaeduvedvzfufuk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | edhuaudhuedugufk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | edhuaudhuedugufk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | tsrv5.top | udp | 1 |
| N/A | 8.8.8.8:53 | eaffuebudbeudbbk.ws | udp | 1 |
| N/A | 64.70.19.203:80 | eaffuebudbeudbbk.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | seuufhehfueugheg.to | udp | 1 |
| N/A | 8.8.8.8:53 | feuhdeuhduhuehdg.to | udp | 1 |
| N/A | 8.8.8.8:53 | feauhueudughuurg.to | udp | 1 |
| N/A | 8.8.8.8:53 | fheuhdwdzwgzdggg.to | udp | 1 |
| N/A | 8.8.8.8:53 | faugzeazdezgzgfg.to | udp | 1 |
| N/A | 8.8.8.8:53 | worm.ws | udp | 1 |
| N/A | 45.182.189.251:80 | worm.ws | tcp | 6 |
| N/A | 8.8.8.8:53 | wduufbaueeubffgg.to | udp | 1 |
| N/A | 8.8.8.8:53 | eoufaoeuhoauengi.su | udp | 1 |
| N/A | 185.215.113.10:80 | eoufaoeuhoauengi.su | tcp | 3 |
| N/A | 8.8.8.8:53 | okdoekeoehghaoeg.to | udp | 1 |
| N/A | 8.8.8.8:53 | efuheruhdehduhgg.to | udp | 1 |
| N/A | 8.8.8.8:53 | eafueudzefverrgg.to | udp | 1 |
| N/A | 8.8.8.8:53 | deauduafzgezzfgg.to | udp | 1 |
| N/A | 8.8.8.8:53 | gaueudbuwdbuguug.to | udp | 1 |
| N/A | 8.8.8.8:53 | efeuafubeubaefug.to | udp | 1 |
| N/A | 8.8.8.8:53 | eafuebdbedbedggg.to | udp | 1 |
| N/A | 8.8.8.8:53 | wdkowdohwodhfhfg.to | udp | 1 |
| N/A | 8.8.8.8:53 | efaeduvedvzfufug.to | udp | 1 |
| N/A | 8.8.8.8:53 | edhuaudhuedugufg.to | udp | 1 |
| N/A | 8.8.8.8:53 | eaffuebudbeudbbg.to | udp | 1 |
| N/A | 8.8.8.8:53 | seuufhehfueughem.top | udp | 1 |
| N/A | 208.100.26.245:80 | seuufhehfueughem.top | tcp | 1 |
| N/A | 8.8.8.8:53 | feuhdeuhduhuehdm.top | udp | 1 |
| N/A | 8.8.8.8:53 | feauhueudughuurm.top | udp | 1 |
| N/A | 8.8.8.8:53 | fheuhdwdzwgzdggm.top | udp | 1 |
| N/A | 8.8.8.8:53 | faugzeazdezgzgfm.top | udp | 1 |
| N/A | 8.8.8.8:53 | wduufbaueeubffgm.top | udp | 1 |
| N/A | 8.8.8.8:53 | okdoekeoehghaoem.top | udp | 1 |
| N/A | 8.8.8.8:53 | efuheruhdehduhgm.top | udp | 1 |
| N/A | 8.8.8.8:53 | eafueudzefverrgm.top | udp | 1 |
| N/A | 8.8.8.8:53 | deauduafzgezzfgm.top | udp | 1 |
| N/A | 8.8.8.8:53 | gaueudbuwdbuguum.top | udp | 1 |
| N/A | 8.8.8.8:53 | efeuafubeubaefum.top | udp | 1 |
| N/A | 8.8.8.8:53 | eafuebdbedbedggm.top | udp | 1 |
| N/A | 8.8.8.8:53 | wdkowdohwodhfhfm.top | udp | 1 |
| N/A | 8.8.8.8:53 | efaeduvedvzfufum.top | udp | 1 |
| N/A | 8.8.8.8:53 | edhuaudhuedugufm.top | udp | 1 |
| N/A | 8.8.8.8:53 | eaffuebudbeudbbm.top | udp | 1 |
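The network table has a structure worth pulling out rather than consuming as a flat IOC list. Besides the fixed hosts (tsrv1.ws, tsrv4.ws, worm.ws, eoufaoeuhoauengi.su, and the api.wipmania.com lookup), the sample resolves seventeen 16-letter names, each tried under .ws, .to and .top with only the final letter changing (k, g, m); every .ws name resolves to 64.70.19.203 and is then contacted over TCP/80, while the .to and .top variants are only looked up (one .top name reaches 208.100.26.245). The Python below is an added example, not part of the report: it clusters the generated names by stem, separates fixed from generated domains, maps contacted servers to the names that led there, and reuses both as a DNS-log hunt. SAMPLE_ROWS is a constructed subset of the table, GENERATED_RE captures only the shape seen in this one detonation (an assumption about this sample, not a family-wide rule), and the log lines are constructed.

```python
"""Structure the network indicators in this report and reuse them as a DNS hunt.
Added example, not part of the sandbox report. SAMPLE_ROWS is a constructed
subset of the report's Network table; GENERATED_RE describes only the shape of
the domains seen in this one detonation (an assumption about this sample, not a
family-wide rule); SAMPLE_DNS_LOG is constructed, not captured traffic."""
import re
from collections import defaultdict

# (destination, domain, proto), copied from a subset of the report's rows.
SAMPLE_ROWS = [
    ("8.8.8.8:53", "tsrv4.ws", "udp"),
    ("185.215.113.10:80", "tsrv4.ws", "tcp"),
    ("212.83.168.196:80", "api.wipmania.com", "tcp"),
    ("64.70.19.203:80", "seuufhehfueughek.ws", "tcp"),
    ("64.70.19.203:80", "feuhdeuhduhuehdk.ws", "tcp"),
    ("8.8.8.8:53", "seuufhehfueugheg.to", "udp"),
    ("8.8.8.8:53", "feuhdeuhduhuehdg.to", "udp"),
    ("208.100.26.245:80", "seuufhehfueughem.top", "tcp"),
    ("8.8.8.8:53", "feuhdeuhduhuehdm.top", "udp"),
    ("45.182.189.251:80", "tsrv1.ws", "tcp"),
    ("45.182.189.251:80", "worm.ws", "tcp"),
    ("185.215.113.10:80", "eoufaoeuhoauengi.su", "tcp"),
    ("127.0.0.1:80", "", "tcp"),  # loopback rows in the report carry no domain
]

# Every algorithmic-looking name in the table is 15 lowercase letters plus one
# letter that varies with the TLD (k -> .ws, g -> .to, m -> .top).
GENERATED_RE = re.compile(r"^(?P<stem>[a-z]{15})(?P<tag>[kgm])\.(?P<tld>ws|to|top)$")


def cluster_generated_domains(rows):
    """Group generated-looking domains by their 15-letter stem: {stem: {tld: fqdn}}."""
    clusters = defaultdict(dict)
    for _dst, domain, _proto in rows:
        m = GENERATED_RE.match(domain)
        if m:
            clusters[m.group("stem")][m.group("tld")] = domain
    return dict(clusters)


def fixed_domains(rows):
    """Hand-picked (non-generated) domains the sample resolved, sorted."""
    return sorted({d for _dst, d, _p in rows if d and not GENERATED_RE.match(d)})


def contacted_servers(rows):
    """Map each non-loopback TCP peer to the domains that resolved to it."""
    servers = defaultdict(set)
    for dst, domain, proto in rows:
        host = dst.rpartition(":")[0]
        if proto == "tcp" and domain and host != "127.0.0.1":
            servers[host].add(domain)
    return {host: sorted(names) for host, names in servers.items()}


def scan_dns_log(lines, rows=SAMPLE_ROWS):
    """Flag DNS queries that hit a fixed IOC or match the generated-name shape.
    Returns (client, qname, reason) tuples in log order."""
    known = set(fixed_domains(rows))
    hits = []
    for line in lines:
        _ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")  # normalise case and trailing dot
        if qname in known:
            hits.append((client, qname, "fixed-ioc"))
        elif GENERATED_RE.match(qname):
            hits.append((client, qname, "generated-pattern"))
    return hits


SAMPLE_DNS_LOG = [  # constructed "timestamp client qname" lines
    "2020-12-26T07:54:01Z 10.0.0.5 tsrv4.ws",
    "2020-12-26T07:54:02Z 10.0.0.5 okdoekeoehghaoek.ws",
    "2020-12-26T07:54:03Z 10.0.0.7 www.example.com",
    "2020-12-26T07:54:04Z 10.0.0.9 okdoekeoehghaoem.top.",
    "2020-12-26T07:54:05Z 10.0.0.9 api.wipmania.com",
]

if __name__ == "__main__":
    for stem, variants in cluster_generated_domains(SAMPLE_ROWS).items():
        print(stem, variants)
    print(contacted_servers(SAMPLE_ROWS))
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(hit)
```

Two caveats when turning this into a production query. The regex is tight enough to have a low false-positive rate on ordinary traffic but is tied to what this detonation showed (16 letters, those three TLDs, those three final letters); treat a hit as a lead, not a verdict, and pair it with the fixed-domain set. api.wipmania.com is a public IP-geolocation API rather than attacker infrastructure, so a hit on it alone is weak evidence and is better used as corroboration next to a tsrv*/worm.ws lookup from the same client.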
Files
memory/1672-2-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\82E1.exe
| MD5 | 6b34c7a8ba353c6f2d54f3226da2f4b8 |
| SHA1 | 78dbc792083d1cc09ecc9868f2b66b505cabeec1 |
| SHA256 | 9ede66863b43a80a99cb77abbaf1a35283d0e9e420b64cc669a5201e975ccc76 |
| SHA512 | 3c81e1193b04a7fec98b0872d4b13f7a9ae6c93fec17411b2bc4b4e8eb20ea0e415c901e8f0e7f2f9ea6ac017e1201e8100943faa714beedb508fc3d4f7d0096 |
memory/2040-5-0x0000000000000000-mapping.dmp
C:\111451198912179\svchost.exe
| MD5 | 6b34c7a8ba353c6f2d54f3226da2f4b8 |
| SHA1 | 78dbc792083d1cc09ecc9868f2b66b505cabeec1 |
| SHA256 | 9ede66863b43a80a99cb77abbaf1a35283d0e9e420b64cc669a5201e975ccc76 |
| SHA512 | 3c81e1193b04a7fec98b0872d4b13f7a9ae6c93fec17411b2bc4b4e8eb20ea0e415c901e8f0e7f2f9ea6ac017e1201e8100943faa714beedb508fc3d4f7d0096 |
memory/784-8-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3146837468.exe
| MD5 | 0d37420a6c390be8ec764780990afba7 |
| SHA1 | 7f2ebc00c796267b525c36e899af20e8f64d4ff7 |
| SHA256 | 56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33 |
| SHA512 | 31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415 |
memory/2132-11-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2406415636.exe
| MD5 | aed34d307811e262601d4fa29587990d |
| SHA1 | 36466f4f73cbaeb03e496cafb62bad8c83bb5d73 |
| SHA256 | b6998869086a3dee1bafe69efdfa1050aec370cc5eceb47e7e48317fffe73e05 |
| SHA512 | b2f2e5ffb85d6840ba2df6168c5c974c0ce00cc4a82a843528ecd9f12e4ee5d8f08cdcc38e3f57104559b87a72b4d2db883f0b7db222a284ec216cdd0623bd77 |
memory/3732-14-0x0000000000000000-mapping.dmp
C:\2169476693253\svchost.exe
| MD5 | 0d37420a6c390be8ec764780990afba7 |
| SHA1 | 7f2ebc00c796267b525c36e899af20e8f64d4ff7 |
| SHA256 | 56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33 |
| SHA512 | 31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415 |
memory/2248-17-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2746511107.exe
| MD5 | 0d37420a6c390be8ec764780990afba7 |
| SHA1 | 7f2ebc00c796267b525c36e899af20e8f64d4ff7 |
| SHA256 | 56058a4fd7c019475d5193744880ba2ef462f2615a744e76a08c1dd712ad2b33 |
| SHA512 | 31fdf6fcb73364abdc6f87ea007204c32c15181dcb8f6e7cfe4cc32f515de5157532d54a7b2600aa15f17d6146f1e8c1259a4c5dfa50e5f4ca5978d297dc2415 |
memory/3540-20-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2728537196.exe
| MD5 | aed34d307811e262601d4fa29587990d |
| SHA1 | 36466f4f73cbaeb03e496cafb62bad8c83bb5d73 |
| SHA256 | b6998869086a3dee1bafe69efdfa1050aec370cc5eceb47e7e48317fffe73e05 |
| SHA512 | b2f2e5ffb85d6840ba2df6168c5c974c0ce00cc4a82a843528ecd9f12e4ee5d8f08cdcc38e3f57104559b87a72b4d2db883f0b7db222a284ec216cdd0623bd77 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8U21I66T\1[1]
| MD5 | 88cf10f2f7f1b1dd7082049fc3797f30 |
| SHA1 | 5fa48dab10bb627219825e9bb4eb9457b1b3cc3f |
| SHA256 | 33cfe7bd6f7f77590fb64ebb4bc02a617c431cbdda6547b4a68bd86043cce8db |
| SHA512 | 4bb1574a53b32aba04917c3d1c3fc4c58133bcb4a07f0bea0541221f15b51aed71d66ff4816f60c649c09e6ca6e7cdcafadbaf933bca4cce2bee7f387e7cb095 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\RW8YYLAG\3[1]
| MD5 | 8f895fe6ebcb1a320c067cdbea383108 |
| SHA1 | 3fdc140809a3fa47194d9b11646eb0cf6f836465 |
| SHA256 | 3c73f1483559394143c22887939fcfd0aa231b46125d1e8fba95efed82749a92 |
| SHA512 | 4c91325f63e54ef665c45243218df10152a21ea81b631eb1de531a111bbbec540f0c3a2595cb4675408485a2f85f9ecebcdd119115b0288330e7f1d944449704 |