Analysis Overview
SHA256
f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241
Threat Level: Known bad
The file f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241 was found to be: Known bad.
Malicious Activity Summary
Phorphiex Payload
suricata: ET MALWARE APT-C-23 Activity (GET)
Phorphiex family
Phorphiex Worm
Windows security bypass
Executes dropped EXE
Windows security modification
Loads dropped DLL
Adds Run key to start application
Drops file in Windows directory
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-01 16:29
Signatures
Phorphiex Payload
Phorphiex family
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-01 16:29
Reported
2021-10-01 16:34
Platform
win7v20210408
Max time kernel
304s
Max time network
332s
Command Line
Signatures
Phorphiex Payload
Phorphiex Worm
Windows security bypass
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\16338282331159\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1028510743.exe | N/A |
| N/A | N/A | C:\Windows\wsecsvcmgr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | N/A |
| N/A | N/A | C:\16338282331159\svchost.exe | N/A |
| N/A | N/A | C:\16338282331159\svchost.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\16338282331159\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\16338282331159\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\16338282331159\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\16338282331159\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wsecsvcmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1028510743.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\16338282331159\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\16338282331159\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\wsecsvcmgr.exe | C:\Users\Admin\AppData\Local\Temp\1028510743.exe | N/A |
| File opened for modification | C:\Windows\wsecsvcmgr.exe | C:\Users\Admin\AppData\Local\Temp\1028510743.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
"C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"
C:\16338282331159\svchost.exe
C:\16338282331159\svchost.exe
C:\Users\Admin\AppData\Local\Temp\1028510743.exe
C:\Users\Admin\AppData\Local\Temp\1028510743.exe
C:\Windows\wsecsvcmgr.exe
C:\Windows\wsecsvcmgr.exe
Network
Files
memory/1652-60-0x0000000076641000-0x0000000076643000-memory.dmp
\16338282331159\svchost.exe
| MD5 | 4ece4d073b759e00584078490e1424f8 |
| SHA1 | a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc |
| SHA256 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241 |
| SHA512 | 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654 |
memory/1752-62-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\1028510743.exe
| MD5 | c532ac418f3e867907c2757a7ca56a53 |
| SHA1 | 0583af526b3825a570237c0d954c445fb30948d3 |
| SHA256 | 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99 |
| SHA512 | 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c |
memory/564-68-0x0000000000000000-mapping.dmp
memory/568-72-0x0000000000000000-mapping.dmp
C:\Windows\wsecsvcmgr.exe
| MD5 | c532ac418f3e867907c2757a7ca56a53 |
| SHA1 | 0583af526b3825a570237c0d954c445fb30948d3 |
| SHA256 | 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99 |
| SHA512 | 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c |
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-01 16:29
Reported
2021-10-01 16:34
Platform
win10-en-20210920
Max time kernel
300s
Max time network
303s
Command Line
Signatures
Phorphiex Payload
Phorphiex Worm
Windows security bypass
suricata: ET MALWARE APT-C-23 Activity (GET)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\131019982546\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1681017508.exe | N/A |
| N/A | N/A | C:\Windows\wsecsvcmgr.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\131019982546\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\131019982546\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\131019982546\svchost.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\wsecsvcmgr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\131019982546\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\131019982546\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\Host Process for Windows Services = "C:\\131019982546\\svchost.exe" | C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Update Service = "C:\\Windows\\wsecsvcmgr.exe" | C:\Users\Admin\AppData\Local\Temp\1681017508.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\wsecsvcmgr.exe | C:\Users\Admin\AppData\Local\Temp\1681017508.exe | N/A |
| File opened for modification | C:\Windows\wsecsvcmgr.exe | C:\Users\Admin\AppData\Local\Temp\1681017508.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe
"C:\Users\Admin\AppData\Local\Temp\f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241.exe"
C:\131019982546\svchost.exe
C:\131019982546\svchost.exe
C:\Users\Admin\AppData\Local\Temp\1681017508.exe
C:\Users\Admin\AppData\Local\Temp\1681017508.exe
C:\Windows\wsecsvcmgr.exe
C:\Windows\wsecsvcmgr.exe
Network
Files
memory/4300-115-0x0000000000000000-mapping.dmp
C:\131019982546\svchost.exe
| MD5 | 4ece4d073b759e00584078490e1424f8 |
| SHA1 | a4ec941cfcc1e8151da0bbb5aabe8e5a8d88f6dc |
| SHA256 | f878382efbdcff1151e93bc9ca4c016e72a0c424137728995ad722a36ce37241 |
| SHA512 | 0c79c74c8f7111a9d6904cfa03b64925ab8b64efe6121eac8836371558672017753af22f7cbb9f2ce3e63642dc2c4b039a6860e33e130fa693596b77896f4654 |
memory/4292-118-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\1681017508.exe
| MD5 | c532ac418f3e867907c2757a7ca56a53 |
| SHA1 | 0583af526b3825a570237c0d954c445fb30948d3 |
| SHA256 | 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99 |
| SHA512 | 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c |
memory/4012-121-0x0000000000000000-mapping.dmp
C:\Windows\wsecsvcmgr.exe
| MD5 | c532ac418f3e867907c2757a7ca56a53 |
| SHA1 | 0583af526b3825a570237c0d954c445fb30948d3 |
| SHA256 | 555513aa074aca680c4962f0078f43445a0d382e78046623d53203d8436bad99 |
| SHA512 | 4d906dfa69bd84c5a7b37cb1139c9de2ce3025bcc6ee0f5d36444c9f75c31e03c8d06d6379ff7ba526a72cce319f979a9e2cbc18bd096e5d4bff53839761608c |