Analysis Overview
SHA256
78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb
Threat Level: Known bad
The file 9a50980afb1c6a43cf38872e694bb7db.exe was found to be: Known bad.
Malicious Activity Summary
Phorphiex Payload
Phorphiex family
Windows security bypass
Phorphiex Worm
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-02-04 11:54
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Phorphiex family
Analysis: behavioral1
Detonation Overview
Submitted
2021-02-04 11:54
Reported
2021-02-04 11:56
Platform
win7v20201028
Max time kernel
151s
Max time network
152s
Command Line
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\13371362720595\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3553427902.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2736435409.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2852011786.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1545610586.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe | N/A |
| N/A | N/A | C:\13371362720595\svchost.exe | N/A |
| N/A | N/A | C:\13371362720595\svchost.exe | N/A |
| N/A | N/A | C:\13371362720595\svchost.exe | N/A |
| N/A | N/A | C:\13371362720595\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\13371362720595\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\13371362720595\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\13371362720595\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\13371362720595\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\13371362720595\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\13371362720595\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\13371362720595\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13371362720595\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\13371362720595\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2852011786.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2852011786.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2852011786.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe
"C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe"
C:\13371362720595\svchost.exe
C:\13371362720595\svchost.exe
C:\Users\Admin\AppData\Local\Temp\3553427902.exe
C:\Users\Admin\AppData\Local\Temp\3553427902.exe
C:\Users\Admin\AppData\Local\Temp\2736435409.exe
C:\Users\Admin\AppData\Local\Temp\2736435409.exe
C:\Users\Admin\AppData\Local\Temp\2852011786.exe
C:\Users\Admin\AppData\Local\Temp\2852011786.exe
C:\Users\Admin\AppData\Local\Temp\1545610586.exe
C:\Users\Admin\AppData\Local\Temp\1545610586.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.wipmania.com | udp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 8.8.8.8:53 | tsrv3.ru | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | tsrv4.ws | udp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 8.8.8.8:53 | tsrv5.top | udp |
| N/A | 8.8.8.8:53 | tldrbox.top | udp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 8.8.8.8:53 | tldrhaus.top | udp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 8.8.8.8:53 | tldrzone.top | udp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 8.8.8.8:53 | worm.ws | udp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
Files
memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp
memory/1684-3-0x000007FEF6930000-0x000007FEF6BAA000-memory.dmp
\13371362720595\svchost.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
memory/1456-5-0x0000000000000000-mapping.dmp
C:\13371362720595\svchost.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
C:\13371362720595\svchost.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
\Users\Admin\AppData\Local\Temp\3553427902.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
memory/824-10-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3553427902.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
\Users\Admin\AppData\Local\Temp\2736435409.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
memory/1960-14-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2736435409.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
\Users\Admin\AppData\Local\Temp\2852011786.exe
| MD5 | d6a8c17bb74138c72a215b9aa9a8f2ca |
| SHA1 | 131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75 |
| SHA256 | 24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf |
| SHA512 | e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e |
memory/1676-18-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\2852011786.exe
| MD5 | d6a8c17bb74138c72a215b9aa9a8f2ca |
| SHA1 | 131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75 |
| SHA256 | 24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf |
| SHA512 | e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e |
memory/1676-20-0x0000000000750000-0x0000000000761000-memory.dmp
memory/1676-21-0x0000000002080000-0x0000000002091000-memory.dmp
memory/1676-22-0x0000000000750000-0x0000000000761000-memory.dmp
\Users\Admin\AppData\Local\Temp\1545610586.exe
| MD5 | 959292f2ba7b55140c759ae2f339ea46 |
| SHA1 | 95c0465226700d89551d6a6022351890a7a25bd3 |
| SHA256 | c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457 |
| SHA512 | 9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343 |
C:\Users\Admin\AppData\Local\Temp\1545610586.exe
| MD5 | 959292f2ba7b55140c759ae2f339ea46 |
| SHA1 | 95c0465226700d89551d6a6022351890a7a25bd3 |
| SHA256 | c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457 |
| SHA512 | 9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343 |
memory/1020-27-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2021-02-04 11:54
Reported
2021-02-04 11:56
Platform
win10v20201028
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\15889121124699\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1504732362.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1544433843.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3215326350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3511434783.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\15889121124699\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\15889121124699\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\15889121124699\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\15889121124699\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\15889121124699\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\15889121124699\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\15889121124699\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\15889121124699\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\15889121124699\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe | N/A |
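Both behavioral runs show the same two registry techniques. The copy of the sample at C:\<digits>\svchost.exe sets the seven Security Center override and DisableNotify values to 1, the values that historically silenced Security Center's antivirus, firewall and update warnings, and the original sample adds HKLM and per-user Run values named after the real service host's description, "Host Process for Windows Services", pointing at that copy. The Python below is an added detection example, not part of this report or of any sandbox tooling. It runs over constructed Sysmon-style SetValue records modelled on the tables above (the two benign control rows are hypothetical) and flags the three signals a hunt query would key on: Security Center overrides, a Run entry that launches svchost.exe from outside the system directories or reuses the decoy value name, and any svchost.exe writing the registry from a non-system path.

```python
import re

# Constructed events in the shape of Sysmon Event ID 13 (RegistryEvent: SetValue), modelled on
# the registry writes listed in the report above. These are not real log records.
SAMPLE_EVENTS = [
    {"image": r"C:\13371362720595\svchost.exe",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\13371362720595\svchost.exe",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify",
     "details": "DWORD (0x00000001)"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services",
     "details": r"C:\13371362720595\svchost.exe"},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe",
     "target": r"HKU\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services",
     "details": r"C:\13371362720595\svchost.exe"},
    # Benign controls (hypothetical): a vendor updater and the real svchost.exe.
    {"image": r"C:\Program Files\Vendor\updater.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "details": r'"C:\Program Files\Vendor\updater.exe" /background'},
    {"image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SomeService",
     "details": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]

# The seven Security Center values the sample forces to 1 (from the report).
SECURITY_CENTER_VALUES = {
    "antispywareoverride", "antivirusoverride", "antivirusdisablenotify",
    "firewalloverride", "firewalldisablenotify",
    "updatesoverride", "updatesdisablenotify",
}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
SYSTEM_SVCHOST_RE = re.compile(r"^[A-Za-z]:\\Windows\\(System32|SysWOW64)\\svchost\.exe$", re.IGNORECASE)
# Value name the sample uses: the display name of the genuine svchost.exe service host.
DECOY_RUN_NAME = "host process for windows services"


def dword_value(details):
    """Integer from a Sysmon 'DWORD (0x00000001)' details field, or None."""
    m = re.search(r"0x([0-9a-f]+)", details, re.IGNORECASE)
    return int(m.group(1), 16) if m else None


def command_exe(command):
    """Executable path from a Run value: honours quoting, drops arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def is_system_svchost(path):
    return SYSTEM_SVCHOST_RE.match(path) is not None


def check_event(ev):
    """Return (rule, evidence) findings for one registry SetValue event."""
    findings = []
    image, target, details = ev["image"], ev["target"], ev["details"]
    key, _, value_name = target.rpartition("\\")

    # 1. Security Center override/notification values forced to 1.
    if (key.lower().endswith("\\security center")
            and value_name.lower() in SECURITY_CENTER_VALUES
            and dword_value(details) == 1):
        findings.append(("security_center_override", value_name))

    # 2. Run key persistence: svchost.exe launched from outside the system directories,
    #    or a value name that mimics a Windows service description.
    m = RUN_KEY_RE.search(target)
    if m:
        exe = command_exe(details)
        if exe.lower().endswith("\\svchost.exe") and not is_system_svchost(exe):
            findings.append(("run_key_fake_svchost", exe))
        if m.group("name").lower() == DECOY_RUN_NAME:
            findings.append(("run_key_decoy_name", m.group("name")))

    # 3. Any process named svchost.exe writing the registry from a non-system path.
    if image.lower().endswith("\\svchost.exe") and not is_system_svchost(image):
        findings.append(("svchost_outside_system32", image))
    return findings


def scan_events(events):
    """Flatten findings over a list of events as (image, rule, evidence) tuples."""
    return [(ev["image"], rule, evidence) for ev in events for rule, evidence in check_event(ev)]


if __name__ == "__main__":
    for image, rule, evidence in scan_events(SAMPLE_EVENTS):
        print(f"{rule:26} {evidence}  <- {image}")
```

The svchost.exe path check deliberately covers both System32 and SysWOW64; the sample is 32-bit, which is why its writes land under Wow6432Node, but a registry-only rule keyed on Wow6432Node would miss a 64-bit variant, so the checks key on the key tail and value name instead.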
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3215326350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3215326350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3215326350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3215326350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3215326350.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3215326350.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe
"C:\Users\Admin\AppData\Local\Temp\9a50980afb1c6a43cf38872e694bb7db.exe"
C:\15889121124699\svchost.exe
C:\15889121124699\svchost.exe
C:\Users\Admin\AppData\Local\Temp\1504732362.exe
C:\Users\Admin\AppData\Local\Temp\1504732362.exe
C:\Users\Admin\AppData\Local\Temp\1544433843.exe
C:\Users\Admin\AppData\Local\Temp\1544433843.exe
C:\Users\Admin\AppData\Local\Temp\3215326350.exe
C:\Users\Admin\AppData\Local\Temp\3215326350.exe
C:\Users\Admin\AppData\Local\Temp\3511434783.exe
C:\Users\Admin\AppData\Local\Temp\3511434783.exe
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | api.wipmania.com | udp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 212.83.168.196:80 | api.wipmania.com | tcp |
| N/A | 185.215.113.8:80 | 185.215.113.8 | tcp |
| N/A | 8.8.8.8:53 | tsrv3.ru | udp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 8.8.8.8:53 | tsrv4.ws | udp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 185.215.113.8:80 | tsrv4.ws | tcp |
| N/A | 8.8.8.8:53 | tsrv5.top | udp |
| N/A | 8.8.8.8:53 | tldrbox.top | udp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 185.215.113.8:80 | tldrbox.top | tcp |
| N/A | 8.8.8.8:53 | tldrhaus.top | udp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 185.215.113.8:80 | tldrhaus.top | tcp |
| N/A | 8.8.8.8:53 | tldrzone.top | udp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 185.215.113.8:80 | tldrzone.top | tcp |
| N/A | 8.8.8.8:53 | worm.ws | udp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
| N/A | 185.215.113.8:80 | worm.ws | tcp |
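The network table is identical across the win7 and win10 runs: a query to api.wipmania.com (a public geolocation API, which tells the bot which country it is running in), HTTP to 185.215.113.8 by bare IP before any of the C2 names are looked up, then lookups for tsrv3.ru, tsrv4.ws, tsrv5.top, tldrbox.top, tldrhaus.top, tldrzone.top and worm.ws, five of which are followed by connections to that same 185.215.113.8. The loopback connections that follow the tsrv3.ru query are consistent with that name resolving to 127.0.0.1, and tsrv5.top is followed by no connection at all; the report records neither resolution explicitly, so both are marked as assumptions in the example. The Python below is an added example, not report output or sandbox code. It pairs the queries with the destinations as a table of DNS answers, pivots on the shared server, separates nulled from unanswered names, builds a blocklist that leaves the geolocation service out (a judgment call: blocking it would also hit unrelated software that uses it) and matches constructed proxy-log lines against that list.

```python
import ipaddress
from collections import defaultdict

# Constructed DNS answer table modelled on the Network rows above. The report lists queries
# to 8.8.8.8 and the TCP destinations that follow, not the answers themselves; pairing them
# is an analyst inference. tsrv3.ru -> 127.0.0.1 (only loopback connections follow that
# query) and tsrv5.top -> no answer (no connection follows) are assumptions.
DNS_ANSWERS = [
    ("api.wipmania.com", "212.83.168.196"),
    ("tsrv3.ru", "127.0.0.1"),
    ("tsrv4.ws", "185.215.113.8"),
    ("tsrv5.top", None),
    ("tldrbox.top", "185.215.113.8"),
    ("tldrhaus.top", "185.215.113.8"),
    ("tldrzone.top", "185.215.113.8"),
    ("worm.ws", "185.215.113.8"),
]

# Public geolocation API the bot queries before any C2 traffic. Kept as a hunting
# indicator, not a block entry (analyst judgment, not a field in the report).
GEOLOOKUP_DOMAINS = {"api.wipmania.com"}


def domains_by_ip(answers):
    """Map each answered IP to the sorted set of names that resolved to it."""
    groups = defaultdict(set)
    for domain, ip in answers:
        if ip:
            groups[ip].add(domain)
    return {ip: sorted(ds) for ip, ds in groups.items()}


def shared_infrastructure(answers, min_domains=3):
    """IPs that several distinct names resolve to: one server behind a set of
    disposable C2 domains, which is what the five .top/.ws names above show."""
    return [(ip, ds) for ip, ds in domains_by_ip(answers).items() if len(ds) >= min_domains]


def nulled_domains(answers):
    """Names resolving to loopback or 0.0.0.0: a retired C2 name whose record the
    operator (or a sinkhole) has pointed nowhere, so the bot talks to itself."""
    return [d for d, ip in answers
            if ip and (ipaddress.ip_address(ip).is_loopback
                       or ipaddress.ip_address(ip).is_unspecified)]


def unresolved_domains(answers):
    """Names that were queried but never answered."""
    return [d for d, ip in answers if ip is None]


def blocklist(answers):
    """Domains and routable IPs to block. Geolocation services are excluded and
    loopback answers contribute no IP; the name itself is still blocked."""
    domains, ips = set(), set()
    for domain, ip in answers:
        if domain in GEOLOOKUP_DOMAINS:
            continue
        domains.add(domain)
        if ip and ipaddress.ip_address(ip).is_global:
            ips.add(ip)
    return domains, ips


# Constructed proxy-log lines: client, method, URL, destination IP. Not from the report.
PROXY_LOG = [
    "10.0.0.15 GET http://api.wipmania.com/ 212.83.168.196",
    "10.0.0.15 GET http://185.215.113.8/ 185.215.113.8",
    "10.0.0.15 GET http://tldrhaus.top/ 185.215.113.8",
    "10.0.0.22 GET http://www.example.com/ 198.51.100.7",
]


def match_proxy_log(lines, answers):
    """(client, host) for each line whose host or destination is on the blocklist.
    Matching on the destination IP catches the bare-IP contact that precedes any lookup."""
    domains, ips = blocklist(answers)
    hits = []
    for line in lines:
        client, _method, url, dst = line.split()
        host = url.split("/")[2]
        if host in domains or host in ips or dst in ips:
            hits.append((client, host))
    return hits


if __name__ == "__main__":
    print("shared infrastructure:", shared_infrastructure(DNS_ANSWERS))
    print("nulled:", nulled_domains(DNS_ANSWERS), "unresolved:", unresolved_domains(DNS_ANSWERS))
    print("proxy hits:", match_proxy_log(PROXY_LOG, DNS_ANSWERS))
```

The IP is the more durable indicator here: the seven names are cheap to rotate, and the report shows the bot reaching 185.215.113.8 before it has resolved any of them, so a rule that only matches hostnames would miss the first contact.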
Files
memory/3116-2-0x0000000000000000-mapping.dmp
C:\15889121124699\svchost.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
C:\15889121124699\svchost.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
C:\Users\Admin\AppData\Local\Temp\1504732362.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
memory/1928-5-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1504732362.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
memory/2856-8-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1544433843.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
C:\Users\Admin\AppData\Local\Temp\1544433843.exe
| MD5 | 9a50980afb1c6a43cf38872e694bb7db |
| SHA1 | 237aa3ee8c912e6f8326782b790327562cef8dd9 |
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
| SHA512 | fe6aaba3f46b1f2b73899b3dc92865fd803c2415bc80ecc6c07a7efd613b41ba34a4fa8c515c25b43bf3a83e37f688f9655f5668da1d54ffc1fc0f103ec7d9b8 |
memory/2060-11-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3215326350.exe
| MD5 | d6a8c17bb74138c72a215b9aa9a8f2ca |
| SHA1 | 131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75 |
| SHA256 | 24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf |
| SHA512 | e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e |
C:\Users\Admin\AppData\Local\Temp\3215326350.exe
| MD5 | d6a8c17bb74138c72a215b9aa9a8f2ca |
| SHA1 | 131189712f8ce67bdc6f9b0a8817bd5a3bfbbc75 |
| SHA256 | 24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf |
| SHA512 | e6b81124c1bba77176fd3cd380858b12ffdfc70e8145be0f847e7673a60bbe68fc1374edb5ab92cbe2a540c89e9e572f92fb6ff781e10ec26e60748ef146e33e |
memory/2060-14-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/2060-15-0x00000000031E0000-0x00000000031E1000-memory.dmp
memory/2060-16-0x00000000029E0000-0x00000000029E1000-memory.dmp
memory/3928-20-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3511434783.exe
| MD5 | 959292f2ba7b55140c759ae2f339ea46 |
| SHA1 | 95c0465226700d89551d6a6022351890a7a25bd3 |
| SHA256 | c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457 |
| SHA512 | 9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343 |
C:\Users\Admin\AppData\Local\Temp\3511434783.exe
| MD5 | 959292f2ba7b55140c759ae2f339ea46 |
| SHA1 | 95c0465226700d89551d6a6022351890a7a25bd3 |
| SHA256 | c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457 |
| SHA512 | 9f8a6c7c37359b6c4bac0a574b20109353bd77dfd67895578bc4f7e613e31cd107e527bdb071bd9a7f0898a639db26457b934d834cb278ec7c21d98e7aeaf343 |
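Across both runs the Files section shows the same pattern: the copy at C:\<digits>\svchost.exe and the first two digits-only .exe files in %TEMP% carry the submitted sample's own hashes (the worm re-dropping itself), while the remaining two .exe files are distinct second-stage payloads (SHA256 beginning 24c7961e and c749e746). The Python below is an added example rather than anything from the report or the sandbox. It parses a pasted excerpt of the behavioral1 Files section (constructed input, reduced to path and hash rows, with memory-dump lines kept to show they are skipped), groups paths by SHA256 to separate self-copies from secondary payloads, and applies two path heuristics for the naming scheme visible above. The heuristics are hunting starting points, not a verified signature.

```python
import re
from collections import defaultdict

# SHA256 of the submitted sample (from the Analysis Overview above).
SAMPLE_SHA256 = "78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb"

# Excerpt of the behavioral1 Files section, reduced to path lines and hash rows and used here
# as constructed parser input. Memory-dump lines are present to show that they are skipped.
FILES_SECTION = r"""
memory/1096-2-0x0000000075711000-0x0000000075713000-memory.dmp
\13371362720595\svchost.exe
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
C:\13371362720595\svchost.exe
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
\Users\Admin\AppData\Local\Temp\3553427902.exe
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
C:\Users\Admin\AppData\Local\Temp\2736435409.exe
| SHA256 | 78bb6fe6bde75a9ba11d0d2f69306619290f90aa94448d6aa4da340d2144e1cb |
C:\Users\Admin\AppData\Local\Temp\2852011786.exe
| MD5 | d6a8c17bb74138c72a215b9aa9a8f2ca |
| SHA256 | 24c7961e92a5db4f878806a15b95a24ec84cd16778b8eb8da5474b15c692ebaf |
memory/1676-18-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1545610586.exe
| SHA256 | c749e746d95742175f10ce056bae3a74a6ad4ca21c4d29fb0edc081b737d8457 |
"""

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.IGNORECASE)


def parse_files_section(text):
    """Return (path, sha256) for every dropped file that has a SHA256 row.
    A non-table, non-memory line starts a new file entry; hash rows attach to it."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = HASH_ROW_RE.match(line)
        if m is None:
            current = line
        elif m.group(1).upper() == "SHA256" and current is not None:
            entries.append((current, m.group(2).lower()))
    return entries


def normalize(path):
    """Drop the drive letter and case so '\\X\\a.exe' and 'C:\\X\\a.exe' compare equal;
    the report lists the same file both ways."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def group_by_hash(entries):
    """SHA256 -> sorted unique normalized paths."""
    groups = defaultdict(set)
    for path, sha in entries:
        groups[sha].add(normalize(path))
    return {sha: sorted(paths) for sha, paths in groups.items()}


def self_copies(entries, sample_sha=SAMPLE_SHA256):
    """Paths holding a byte-identical copy of the submitted sample."""
    return group_by_hash(entries).get(sample_sha, [])


def secondary_payloads(entries, sample_sha=SAMPLE_SHA256):
    """Hashes (and paths) of dropped files that are not the sample itself."""
    return {sha: paths for sha, paths in group_by_hash(entries).items() if sha != sample_sha}


# Hunting heuristics for the naming scheme in the report: svchost.exe in a digits-only
# directory at the drive root, and digits-only .exe names in %TEMP%. Applied to
# normalized (drive-stripped, lower-cased) paths.
ROOT_NUMERIC_SVCHOST_RE = re.compile(r"^\\\d+\\svchost\.exe$")
TEMP_NUMERIC_EXE_RE = re.compile(r"\\appdata\\local\\temp\\\d+\.exe$")


def suspicious_paths(paths):
    """Sorted unique normalized paths matching either heuristic."""
    hits = set()
    for p in paths:
        n = normalize(p)
        if ROOT_NUMERIC_SVCHOST_RE.match(n) or TEMP_NUMERIC_EXE_RE.search(n):
            hits.add(n)
    return sorted(hits)


if __name__ == "__main__":
    entries = parse_files_section(FILES_SECTION)
    print("self-copies:", self_copies(entries))
    for sha, paths in secondary_payloads(entries).items():
        print("payload", sha[:16], paths)
    print("suspicious paths:", suspicious_paths([p for p, _ in entries]))
```

Grouping by hash before looking at names is what separates "the worm copied itself three times" from "the worm fetched two further payloads"; on a live host the same grouping, with hashlib over the files on disk, tells you which of the dropped binaries still need their own analysis.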