Analysis Overview
SHA256
43ce59f24af9a723eac0c833352ee4c06722004dbd0e2b74ead114eaf4cd1297
Threat Level: Known bad
The file DS_Store was found to be: Known bad.
Malicious Activity Summary
Phorphiex Worm
Windows security bypass
Phorphiex family
Phorphiex Payload
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-09-05 06:45
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Phorphiex family
Analysis: behavioral1
Detonation Overview
Submitted
2021-09-05 06:45
Reported
2021-09-05 06:49
Platform
win7v20210408
Max time kernel
151s
Max time network
196s
Command Line
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\248341819513851\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\248341819513851\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\248341819513851\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\248341819513851\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\248341819513851\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\248341819513851\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\248341819513851\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1016 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | C:\248341819513851\svchost.exe |
| PID 1016 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | C:\248341819513851\svchost.exe |
| PID 1016 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | C:\248341819513851\svchost.exe |
| PID 1016 wrote to memory of 1208 | N/A | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | C:\248341819513851\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DS_Store.exe
"C:\Users\Admin\AppData\Local\Temp\DS_Store.exe"
C:\248341819513851\svchost.exe
C:\248341819513851\svchost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | worm.ws | udp |
| US | 8.8.8.8:53 | seuufhehfueugher.ws | udp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 8.8.8.8:53 | feuhdeuhduhuehdr.ws | udp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 8.8.8.8:53 | feauhueudughuurr.ws | udp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 8.8.8.8:53 | fheuhdwdzwgzdggr.ws | udp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 8.8.8.8:53 | faugzeazdezgzgfr.ws | udp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 8.8.8.8:53 | wduufbaueeubffgr.ws | udp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 8.8.8.8:53 | okdoekeoehghaoer.ws | udp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 8.8.8.8:53 | efuheruhdehduhgr.ws | udp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 8.8.8.8:53 | eafueudzefverrgr.ws | udp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 8.8.8.8:53 | deauduafzgezzfgr.ws | udp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 8.8.8.8:53 | gaueudbuwdbuguur.ws | udp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 8.8.8.8:53 | efeuafubeubaefur.ws | udp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 8.8.8.8:53 | eafuebdbedbedggr.ws | udp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 8.8.8.8:53 | wdkowdohwodhfhfr.ws | udp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 8.8.8.8:53 | efaeduvedvzfufur.ws | udp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 8.8.8.8:53 | edhuaudhuedugufr.ws | udp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 8.8.8.8:53 | eaffuebudbeudbbr.ws | udp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 8.8.8.8:53 | seuufhehfueughel.to | udp |
| US | 8.8.8.8:53 | feuhdeuhduhuehdl.to | udp |
| US | 8.8.8.8:53 | feauhueudughuurl.to | udp |
| US | 8.8.8.8:53 | fheuhdwdzwgzdggl.to | udp |
| US | 8.8.8.8:53 | faugzeazdezgzgfl.to | udp |
| US | 8.8.8.8:53 | wduufbaueeubffgl.to | udp |
| US | 8.8.8.8:53 | okdoekeoehghaoel.to | udp |
| US | 8.8.8.8:53 | efuheruhdehduhgl.to | udp |
| US | 8.8.8.8:53 | eafueudzefverrgl.to | udp |
| US | 8.8.8.8:53 | deauduafzgezzfgl.to | udp |
| US | 8.8.8.8:53 | gaueudbuwdbuguul.to | udp |
| US | 8.8.8.8:53 | efeuafubeubaeful.to | udp |
| US | 8.8.8.8:53 | eafuebdbedbedggl.to | udp |
| US | 8.8.8.8:53 | wdkowdohwodhfhfl.to | udp |
| US | 8.8.8.8:53 | efaeduvedvzfuful.to | udp |
| US | 8.8.8.8:53 | edhuaudhuedugufl.to | udp |
| US | 8.8.8.8:53 | eaffuebudbeudbbl.to | udp |
| US | 8.8.8.8:53 | seuufhehfueughes.top | udp |
| US | 208.100.26.245:80 | seuufhehfueughes.top | tcp |
| US | 8.8.8.8:53 | feuhdeuhduhuehds.top | udp |
| US | 8.8.8.8:53 | feauhueudughuurs.top | udp |
| US | 8.8.8.8:53 | fheuhdwdzwgzdggs.top | udp |
| US | 8.8.8.8:53 | faugzeazdezgzgfs.top | udp |
| US | 8.8.8.8:53 | wduufbaueeubffgs.top | udp |
| US | 8.8.8.8:53 | okdoekeoehghaoes.top | udp |
| US | 8.8.8.8:53 | efuheruhdehduhgs.top | udp |
| US | 8.8.8.8:53 | eafueudzefverrgs.top | udp |
| US | 8.8.8.8:53 | deauduafzgezzfgs.top | udp |
| US | 8.8.8.8:53 | gaueudbuwdbuguus.top | udp |
| US | 8.8.8.8:53 | efeuafubeubaefus.top | udp |
| US | 8.8.8.8:53 | eafuebdbedbedggs.top | udp |
| US | 8.8.8.8:53 | wdkowdohwodhfhfs.top | udp |
| US | 8.8.8.8:53 | efaeduvedvzfufus.top | udp |
| US | 8.8.8.8:53 | edhuaudhuedugufs.top | udp |
| US | 8.8.8.8:53 | eaffuebudbeudbbs.top | udp |
| US | 8.8.8.8:53 | tsrv1.ws | udp |
| US | 8.8.8.8:53 | tsrv2.top | udp |
| US | 8.8.8.8:53 | tsrv3.ru | udp |
Files
memory/1016-60-0x0000000075211000-0x0000000075213000-memory.dmp
\248341819513851\svchost.exe
| MD5 | 820c6d166bc9dd13d3bedec142d8306a |
| SHA1 | 7ad5636414b0b56de62fcdc7491c665af79e094c |
| SHA256 | 43ce59f24af9a723eac0c833352ee4c06722004dbd0e2b74ead114eaf4cd1297 |
| SHA512 | 70d7e65220703925477b57ef5a1841a926ad16155fcc80adb10cbca1fdca1373c2683dda4833230a7813f48cf1be023473ab77bda886c4ba73984843ef06fff0 |
memory/1208-62-0x0000000000000000-mapping.dmp
C:\248341819513851\svchost.exe
| MD5 | 820c6d166bc9dd13d3bedec142d8306a |
| SHA1 | 7ad5636414b0b56de62fcdc7491c665af79e094c |
| SHA256 | 43ce59f24af9a723eac0c833352ee4c06722004dbd0e2b74ead114eaf4cd1297 |
| SHA512 | 70d7e65220703925477b57ef5a1841a926ad16155fcc80adb10cbca1fdca1373c2683dda4833230a7813f48cf1be023473ab77bda886c4ba73984843ef06fff0 |
C:\248341819513851\svchost.exe
| MD5 | 820c6d166bc9dd13d3bedec142d8306a |
| SHA1 | 7ad5636414b0b56de62fcdc7491c665af79e094c |
| SHA256 | 43ce59f24af9a723eac0c833352ee4c06722004dbd0e2b74ead114eaf4cd1297 |
| SHA512 | 70d7e65220703925477b57ef5a1841a926ad16155fcc80adb10cbca1fdca1373c2683dda4833230a7813f48cf1be023473ab77bda886c4ba73984843ef06fff0 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-09-05 06:45
Reported
2021-09-05 06:48
Platform
win10v20210408
Max time kernel
152s
Max time network
114s
Command Line
Signatures
Phorphiex Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\287931393624834\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\287931393624834\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\287931393624834\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\287931393624834\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\287931393624834\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\287931393624834\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\287931393624834\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 632 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | C:\287931393624834\svchost.exe |
| PID 632 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | C:\287931393624834\svchost.exe |
| PID 632 wrote to memory of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\DS_Store.exe | C:\287931393624834\svchost.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\DS_Store.exe
"C:\Users\Admin\AppData\Local\Temp\DS_Store.exe"
C:\287931393624834\svchost.exe
C:\287931393624834\svchost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | worm.ws | udp |
| US | 8.8.8.8:53 | seuufhehfueugher.ws | udp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 64.70.19.203:80 | seuufhehfueugher.ws | tcp |
| US | 8.8.8.8:53 | feuhdeuhduhuehdr.ws | udp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 64.70.19.203:80 | feuhdeuhduhuehdr.ws | tcp |
| US | 8.8.8.8:53 | feauhueudughuurr.ws | udp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 64.70.19.203:80 | feauhueudughuurr.ws | tcp |
| US | 8.8.8.8:53 | fheuhdwdzwgzdggr.ws | udp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 64.70.19.203:80 | fheuhdwdzwgzdggr.ws | tcp |
| US | 8.8.8.8:53 | faugzeazdezgzgfr.ws | udp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 64.70.19.203:80 | faugzeazdezgzgfr.ws | tcp |
| US | 8.8.8.8:53 | wduufbaueeubffgr.ws | udp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 64.70.19.203:80 | wduufbaueeubffgr.ws | tcp |
| US | 8.8.8.8:53 | okdoekeoehghaoer.ws | udp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 64.70.19.203:80 | okdoekeoehghaoer.ws | tcp |
| US | 8.8.8.8:53 | efuheruhdehduhgr.ws | udp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 64.70.19.203:80 | efuheruhdehduhgr.ws | tcp |
| US | 8.8.8.8:53 | eafueudzefverrgr.ws | udp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 64.70.19.203:80 | eafueudzefverrgr.ws | tcp |
| US | 8.8.8.8:53 | deauduafzgezzfgr.ws | udp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 64.70.19.203:80 | deauduafzgezzfgr.ws | tcp |
| US | 8.8.8.8:53 | gaueudbuwdbuguur.ws | udp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 64.70.19.203:80 | gaueudbuwdbuguur.ws | tcp |
| US | 8.8.8.8:53 | efeuafubeubaefur.ws | udp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 64.70.19.203:80 | efeuafubeubaefur.ws | tcp |
| US | 8.8.8.8:53 | eafuebdbedbedggr.ws | udp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 64.70.19.203:80 | eafuebdbedbedggr.ws | tcp |
| US | 8.8.8.8:53 | wdkowdohwodhfhfr.ws | udp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 64.70.19.203:80 | wdkowdohwodhfhfr.ws | tcp |
| US | 8.8.8.8:53 | efaeduvedvzfufur.ws | udp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 64.70.19.203:80 | efaeduvedvzfufur.ws | tcp |
| US | 8.8.8.8:53 | edhuaudhuedugufr.ws | udp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 64.70.19.203:80 | edhuaudhuedugufr.ws | tcp |
| US | 8.8.8.8:53 | eaffuebudbeudbbr.ws | udp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 64.70.19.203:80 | eaffuebudbeudbbr.ws | tcp |
| US | 8.8.8.8:53 | seuufhehfueughel.to | udp |
| US | 8.8.8.8:53 | feuhdeuhduhuehdl.to | udp |
| US | 8.8.8.8:53 | feauhueudughuurl.to | udp |
| US | 8.8.8.8:53 | fheuhdwdzwgzdggl.to | udp |
| US | 8.8.8.8:53 | faugzeazdezgzgfl.to | udp |
| US | 8.8.8.8:53 | wduufbaueeubffgl.to | udp |
| US | 8.8.8.8:53 | okdoekeoehghaoel.to | udp |
| US | 8.8.8.8:53 | efuheruhdehduhgl.to | udp |
| US | 8.8.8.8:53 | eafueudzefverrgl.to | udp |
| US | 8.8.8.8:53 | deauduafzgezzfgl.to | udp |
| US | 8.8.8.8:53 | gaueudbuwdbuguul.to | udp |
| US | 8.8.8.8:53 | efeuafubeubaeful.to | udp |
| US | 8.8.8.8:53 | eafuebdbedbedggl.to | udp |
| US | 8.8.8.8:53 | wdkowdohwodhfhfl.to | udp |
| US | 8.8.8.8:53 | efaeduvedvzfuful.to | udp |
| US | 8.8.8.8:53 | edhuaudhuedugufl.to | udp |
| US | 8.8.8.8:53 | eaffuebudbeudbbl.to | udp |
| US | 8.8.8.8:53 | seuufhehfueughes.top | udp |
| US | 208.100.26.245:80 | seuufhehfueughes.top | tcp |
| US | 8.8.8.8:53 | feuhdeuhduhuehds.top | udp |
| US | 8.8.8.8:53 | feauhueudughuurs.top | udp |
| US | 8.8.8.8:53 | fheuhdwdzwgzdggs.top | udp |
| US | 8.8.8.8:53 | faugzeazdezgzgfs.top | udp |
| US | 8.8.8.8:53 | wduufbaueeubffgs.top | udp |
| US | 8.8.8.8:53 | okdoekeoehghaoes.top | udp |
| US | 8.8.8.8:53 | efuheruhdehduhgs.top | udp |
| US | 8.8.8.8:53 | eafueudzefverrgs.top | udp |
| US | 8.8.8.8:53 | deauduafzgezzfgs.top | udp |
| US | 8.8.8.8:53 | gaueudbuwdbuguus.top | udp |
| US | 8.8.8.8:53 | efeuafubeubaefus.top | udp |
| US | 8.8.8.8:53 | eafuebdbedbedggs.top | udp |
| US | 8.8.8.8:53 | wdkowdohwodhfhfs.top | udp |
| US | 8.8.8.8:53 | efaeduvedvzfufus.top | udp |
| US | 8.8.8.8:53 | edhuaudhuedugufs.top | udp |
| US | 8.8.8.8:53 | eaffuebudbeudbbs.top | udp |
| US | 8.8.8.8:53 | tsrv1.ws | udp |
| US | 8.8.8.8:53 | tsrv2.top | udp |
| US | 8.8.8.8:53 | tsrv3.ru | udp |
| US | 8.8.8.8:53 | tsrv4.ws | udp |
| US | 8.8.8.8:53 | worm.top | udp |
Files
memory/2940-114-0x0000000000000000-mapping.dmp
C:\287931393624834\svchost.exe
| MD5 | 820c6d166bc9dd13d3bedec142d8306a |
| SHA1 | 7ad5636414b0b56de62fcdc7491c665af79e094c |
| SHA256 | 43ce59f24af9a723eac0c833352ee4c06722004dbd0e2b74ead114eaf4cd1297 |
| SHA512 | 70d7e65220703925477b57ef5a1841a926ad16155fcc80adb10cbca1fdca1373c2683dda4833230a7813f48cf1be023473ab77bda886c4ba73984843ef06fff0 |
C:\287931393624834\svchost.exe
| MD5 | 820c6d166bc9dd13d3bedec142d8306a |
| SHA1 | 7ad5636414b0b56de62fcdc7491c665af79e094c |
| SHA256 | 43ce59f24af9a723eac0c833352ee4c06722004dbd0e2b74ead114eaf4cd1297 |
| SHA512 | 70d7e65220703925477b57ef5a1841a926ad16155fcc80adb10cbca1fdca1373c2683dda4833230a7813f48cf1be023473ab77bda886c4ba73984843ef06fff0 |