Malware Analysis Report

2024-11-30 15:09

Sample ID 210121-q1t8nw8wae
Target ca11a2960b914f9e95a38cfa78aaa6e8.exe
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
Tags
phorphiex evasion loader persistence trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12

Threat Level: Known bad

The file ca11a2960b914f9e95a38cfa78aaa6e8.exe was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence trojan worm

Phorphiex family

Phorphiex Worm

Windows security bypass

Phorphiex Payload

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-01-21 07:07

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex family

phorphiex

Analysis: behavioral1

Detonation Overview

Submitted

2021-01-21 07:07

Reported

2021-01-21 07:09

Platform

win7v20201028

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\65461135930764\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\65461135930764\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\292721996713704\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\65461135930764\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\292721996713704\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\292721996713704\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\65461135930764\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\292721996713704\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\292721996713704\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\292721996713704\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\65461135930764\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\65461135930764\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\65461135930764\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\292721996713704\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\292721996713704\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\292721996713704\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\65461135930764\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\3819225789.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\65461135930764\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\3819225789.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3413718160.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1064 wrote to memory of 648 N/A C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe C:\292721996713704\svchost.exe
PID 648 wrote to memory of 1792 N/A C:\292721996713704\svchost.exe C:\Users\Admin\AppData\Local\Temp\3819225789.exe
PID 1792 wrote to memory of 1584 N/A C:\Users\Admin\AppData\Local\Temp\3819225789.exe C:\65461135930764\svchost.exe
PID 1584 wrote to memory of 604 N/A C:\65461135930764\svchost.exe C:\Users\Admin\AppData\Local\Temp\2780938378.exe
PID 1584 wrote to memory of 908 N/A C:\65461135930764\svchost.exe C:\Users\Admin\AppData\Local\Temp\3811718682.exe
PID 1584 wrote to memory of 1976 N/A C:\65461135930764\svchost.exe C:\Users\Admin\AppData\Local\Temp\3413718160.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe

"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"

C:\292721996713704\svchost.exe

C:\292721996713704\svchost.exe

C:\Users\Admin\AppData\Local\Temp\3819225789.exe

C:\Users\Admin\AppData\Local\Temp\3819225789.exe

C:\65461135930764\svchost.exe

C:\65461135930764\svchost.exe

C:\Users\Admin\AppData\Local\Temp\2780938378.exe

C:\Users\Admin\AppData\Local\Temp\2780938378.exe

C:\Users\Admin\AppData\Local\Temp\3811718682.exe

C:\Users\Admin\AppData\Local\Temp\3811718682.exe

C:\Users\Admin\AppData\Local\Temp\3413718160.exe

C:\Users\Admin\AppData\Local\Temp\3413718160.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 185.215.113.10:80 185.215.113.10 tcp
N/A 8.8.8.8:53 tsrv3.ru udp
N/A 127.0.0.1:80 tcp
N/A 8.8.8.8:53 tsrv4.ws udp
N/A 185.215.113.10:80 tsrv4.ws tcp

Files

memory/1064-2-0x0000000076101000-0x0000000076103000-memory.dmp

memory/1572-3-0x000007FEF7140000-0x000007FEF73BA000-memory.dmp

\292721996713704\svchost.exe

MD5 ca11a2960b914f9e95a38cfa78aaa6e8
SHA1 ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512 8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

memory/648-5-0x0000000000000000-mapping.dmp

C:\292721996713704\svchost.exe

MD5 ca11a2960b914f9e95a38cfa78aaa6e8
SHA1 ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512 8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a

\Users\Admin\AppData\Local\Temp\3819225789.exe

MD5 fb232bf61cf722f16aeb69179f497cb9
SHA1 5b91e089c46bd095f238243d8a7e4c63ffa1b120
SHA256 283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c
SHA512 6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

memory/1792-10-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3819225789.exe

MD5 fb232bf61cf722f16aeb69179f497cb9
SHA1 5b91e089c46bd095f238243d8a7e4c63ffa1b120
SHA256 283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c
SHA512 6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

\65461135930764\svchost.exe

MD5 fb232bf61cf722f16aeb69179f497cb9
SHA1 5b91e089c46bd095f238243d8a7e4c63ffa1b120
SHA256 283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c
SHA512 6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

memory/1584-15-0x0000000000000000-mapping.dmp

C:\65461135930764\svchost.exe

MD5 fb232bf61cf722f16aeb69179f497cb9
SHA1 5b91e089c46bd095f238243d8a7e4c63ffa1b120
SHA256 283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c
SHA512 6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\3O0J2C38\1[1]

MD5 8bbde875a2d097ad682ddbfc002b1fa5
SHA1 519835731f9d08bf1fcd2792b168a4547dfe80ee
SHA256 a6c55d3aa8a5f54b72c75769f72cccb9fb03433e2b5fb99282143d2ccb656b6a
SHA512 be534c8fd5894ac18511eae5f103986930875df55a7cfd27800735fb9a40f1b296b573091f6a3235f657a2238b02b74b9c466c1f48bd1c1c09079e276b74435d

\Users\Admin\AppData\Local\Temp\2780938378.exe

MD5 fb232bf61cf722f16aeb69179f497cb9
SHA1 5b91e089c46bd095f238243d8a7e4c63ffa1b120
SHA256 283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c
SHA512 6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

C:\Users\Admin\AppData\Local\Temp\2780938378.exe

MD5 fb232bf61cf722f16aeb69179f497cb9
SHA1 5b91e089c46bd095f238243d8a7e4c63ffa1b120
SHA256 283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c
SHA512 6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

memory/604-21-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\3811718682.exe

MD5 fb232bf61cf722f16aeb69179f497cb9
SHA1 5b91e089c46bd095f238243d8a7e4c63ffa1b120
SHA256 283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c
SHA512 6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

memory/908-25-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3811718682.exe

MD5 fb232bf61cf722f16aeb69179f497cb9
SHA1 5b91e089c46bd095f238243d8a7e4c63ffa1b120
SHA256 283ac7239cb75b8efa407767ccc8397315a7e7862f920a5bfd6f18ed24fdec6c
SHA512 6398df53a18bca66d71d977eb6844639768d16b220347f59a0a42cb5440ed42c3774458822a022ab69a15314fa61d71e92184c1789835ce637bbc55db9c31048

\Users\Admin\AppData\Local\Temp\3413718160.exe

MD5 60caaf46436402dfd2639937119e7679
SHA1 6f8a3429cd07629036b3f53f47a90c6218e38c78
SHA256 05e762241f8c46db6e1d893b1270d3a4dbd9270bb6df315a185a52caa73c8ceb
SHA512 f21799cd9c0ee27627c4a08e00c3ec9e119b05a111b9c1821379afb64136e76b63da4be74a1b38c6532449313e09c72f89da1c2c5e90de9673053ad540f47047

C:\Users\Admin\AppData\Local\Temp\3413718160.exe

MD5 60caaf46436402dfd2639937119e7679
SHA1 6f8a3429cd07629036b3f53f47a90c6218e38c78
SHA256 05e762241f8c46db6e1d893b1270d3a4dbd9270bb6df315a185a52caa73c8ceb
SHA512 f21799cd9c0ee27627c4a08e00c3ec9e119b05a111b9c1821379afb64136e76b63da4be74a1b38c6532449313e09c72f89da1c2c5e90de9673053ad540f47047

memory/1976-29-0x0000000000000000-mapping.dmp

memory/1976-31-0x0000000001F40000-0x0000000001F51000-memory.dmp

memory/1976-33-0x0000000001F40000-0x0000000001F51000-memory.dmp

memory/1976-32-0x0000000002350000-0x0000000002361000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2021-01-21 07:07

Reported

2021-01-21 07:09

Platform

win10v20201028

Max time kernel

150s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"

Signatures

Phorphiex Payload

Description Indicator Process Target
N/A N/A N/A N/A

Phorphiex Worm

worm trojan loader phorphiex

Windows security bypass

evasion trojan

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\193402632913771\svchost.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\193402632913771\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\193402632913771\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\193402632913771\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" C:\193402632913771\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\193402632913771\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\193402632913771\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\193402632913771\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\193402632913771\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\193402632913771\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe

"C:\Users\Admin\AppData\Local\Temp\ca11a2960b914f9e95a38cfa78aaa6e8.exe"

C:\193402632913771\svchost.exe

C:\193402632913771\svchost.exe

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 api.wipmania.com udp
N/A 212.83.168.196:80 api.wipmania.com tcp
N/A 185.215.113.10:80 185.215.113.10 tcp

Files

memory/4292-2-0x0000000000000000-mapping.dmp

C:\193402632913771\svchost.exe

MD5 ca11a2960b914f9e95a38cfa78aaa6e8
SHA1 ce2d58587cc3d36a3506a9f65bf9aaf41eb520e7
SHA256 2dc0e02fcc1a56c81903905869a396f328813e63eba46f941ff3379430e12d12
SHA512 8eaf1db319fd78518d653cf827881a5c303efb37a90ddd8792f99e1af092cd4666b8ef4d651323eb2fcc32d74921171c15a80f250600fb9e4aa0d77a4cac698a
