Malware Analysis Report

2024-11-15 08:03

Sample ID 220624-2m9pfsade9
Target db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
SHA256 db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
Tags: phorphiex evasion loader persistence suricata trojan worm

Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5

Threat Level: Known bad

The file db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5 was found to be: Known bad.

Malicious Activity Summary

phorphiex evasion loader persistence suricata trojan worm

Phorphiex payload

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

Modifies Windows Defender Real-time Protection settings

Windows security bypass

Phorphiex

Executes dropped EXE

Windows security modification

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2022-06-24 22:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2022-06-24 22:43

Reported: 2022-06-24 22:47

Platform: win7-20220414-en

Max time kernel: 150s

Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\300513490\sysgxhc.exe N/A

Phorphiex

worm trojan loader phorphiex

Phorphiex payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\300513490\sysgxhc.exe N/A

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\300513490\sysgxhc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\300513490\sysgxhc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\300513490\\sysgxhc.exe" C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\300513490\\sysgxhc.exe" C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\300513490 C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
File created C:\Windows\300513490\sysgxhc.exe C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
File opened for modification C:\Windows\300513490\sysgxhc.exe C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A
N/A N/A C:\Windows\300513490\sysgxhc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\300513490\sysgxhc.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe

"C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe"

C:\Windows\300513490\sysgxhc.exe

C:\Windows\300513490\sysgxhc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 urusurofhsorhfuuhp.su udp
US 8.8.8.8:53 aeifaeifhutuhuhusp.su udp
US 8.8.8.8:53 bfagzzezgaegzgfaip.su udp
US 8.8.8.8:53 aeufuaehfiuehfuhfp.su udp
US 8.8.8.8:53 eaeuafhuaegfugeudp.su udp
US 8.8.8.8:53 daedagheauehfuuhfp.su udp
US 8.8.8.8:53 rzhsudhugugfugugsp.su udp
US 8.8.8.8:53 aeoughaoheguaoehdp.su udp
RU 185.176.27.132:80 tcp
US 8.8.8.8:53 eguaheoghouughahsp.su udp
US 8.8.8.8:53 huaeokaefoaeguaehp.su udp
RU 185.176.27.132:80 tcp
US 8.8.8.8:53 afaeigaifgsgrhhafp.su udp
US 8.8.8.8:53 afaigaeigieufuifip.su udp
US 8.8.8.8:53 geauhouefheuutiiip.su udp
US 8.8.8.8:53 gaoheeuofhefefhutp.su udp
US 8.8.8.8:53 gaouehaehfoaeajrsp.su udp
US 8.8.8.8:53 gaohrhurhuhruhfsdp.su udp
US 8.8.8.8:53 gaghpaheiafhjefijp.su udp
US 8.8.8.8:53 gaoehuoaoefhuhfugp.su udp
US 8.8.8.8:53 aegohaohuoruitiiep.su udp
US 8.8.8.8:53 befaheaiudeuhughgp.su udp
US 8.8.8.8:53 urusurofhsorhfuuhd.io udp
US 72.251.233.245:80 urusurofhsorhfuuhd.io tcp
US 8.8.8.8:53 aeifaeifhutuhuhusd.io udp
US 72.251.233.245:80 aeifaeifhutuhuhusd.io tcp
US 8.8.8.8:53 rzhsudhugugfugugsd.io udp
US 206.191.152.37:80 rzhsudhugugfugugsd.io tcp
US 8.8.8.8:53 bfagzzezgaegzgfaid.io udp
US 173.231.189.15:80 bfagzzezgaegzgfaid.io tcp
US 8.8.8.8:53 eaeuafhuaegfugeudd.io udp
US 72.251.233.245:80 eaeuafhuaegfugeudd.io tcp
US 8.8.8.8:53 aeufuaehfiuehfuhfd.io udp
US 162.217.98.146:80 aeufuaehfiuehfuhfd.io tcp
US 8.8.8.8:53 daedagheauehfuuhfd.io udp
US 63.251.106.25:80 daedagheauehfuuhfd.io tcp
US 8.8.8.8:53 aeoughaoheguaoehdd.io udp
US 107.6.74.76:80 aeoughaoheguaoehdd.io tcp
US 8.8.8.8:53 eguaheoghouughahsd.io udp
US 107.6.74.76:80 eguaheoghouughahsd.io tcp
US 8.8.8.8:53 huaeokaefoaeguaehd.io udp
SG 72.5.161.12:80 huaeokaefoaeguaehd.io tcp
US 8.8.8.8:53 afaeigaifgsgrhhafd.io udp
US 72.251.233.245:80 afaeigaifgsgrhhafd.io tcp
US 8.8.8.8:53 afaigaeigieufuifid.io udp
SG 72.5.161.12:80 afaigaeigieufuifid.io tcp
US 8.8.8.8:53 geauhouefheuutiiid.io udp
NL 63.251.235.76:80 geauhouefheuutiiid.io tcp
US 8.8.8.8:53 gaoheeuofhefefhutd.io udp
US 199.21.76.81:80 gaoheeuofhefefhutd.io tcp
US 8.8.8.8:53 gaouehaehfoaeajrsd.io udp
US 173.231.184.122:80 gaouehaehfoaeajrsd.io tcp
US 8.8.8.8:53 gaohrhurhuhruhfsdd.io udp
US 72.251.233.245:80 gaohrhurhuhruhfsdd.io tcp
US 8.8.8.8:53 gaghpaheiafhjefijd.io udp
US 107.6.74.76:80 gaghpaheiafhjefijd.io tcp
US 8.8.8.8:53 gaoehuoaoefhuhfugd.io udp
US 206.191.152.37:80 gaoehuoaoefhuhfugd.io tcp
US 8.8.8.8:53 aegohaohuoruitiied.io udp
SG 63.251.126.10:80 aegohaohuoruitiied.io tcp
US 8.8.8.8:53 befaheaiudeuhughgd.io udp
US 173.231.184.124:80 befaheaiudeuhughgd.io tcp
US 8.8.8.8:53 urusurofhsorhfuuhr.cc udp
SG 63.251.126.10:80 urusurofhsorhfuuhr.cc tcp
US 8.8.8.8:53 aeifaeifhutuhuhusr.cc udp
US 173.231.184.122:80 aeifaeifhutuhuhusr.cc tcp
US 8.8.8.8:53 rzhsudhugugfugugsr.cc udp
US 206.191.152.37:80 rzhsudhugugfugugsr.cc tcp
US 8.8.8.8:53 bfagzzezgaegzgfair.cc udp
NL 72.26.218.86:80 bfagzzezgaegzgfair.cc tcp
US 8.8.8.8:53 eaeuafhuaegfugeudr.cc udp
US 173.231.184.124:80 eaeuafhuaegfugeudr.cc tcp
US 8.8.8.8:53 aeufuaehfiuehfuhfr.cc udp
US 107.6.74.76:80 aeufuaehfiuehfuhfr.cc tcp
US 8.8.8.8:53 daedagheauehfuuhfr.cc udp
US 206.191.152.37:80 daedagheauehfuuhfr.cc tcp
US 8.8.8.8:53 aeoughaoheguaoehdr.cc udp
US 107.6.74.76:80 aeoughaoheguaoehdr.cc tcp
US 8.8.8.8:53 eguaheoghouughahsr.cc udp
SG 63.251.126.10:80 eguaheoghouughahsr.cc tcp
US 8.8.8.8:53 huaeokaefoaeguaehr.cc udp
SG 63.251.126.10:80 huaeokaefoaeguaehr.cc tcp
US 8.8.8.8:53 afaeigaifgsgrhhafr.cc udp
NL 63.251.235.76:80 afaeigaifgsgrhhafr.cc tcp
US 8.8.8.8:53 afaigaeigieufuifir.cc udp
US 173.231.189.15:80 afaigaeigieufuifir.cc tcp
US 8.8.8.8:53 geauhouefheuutiiir.cc udp
SG 63.251.126.10:80 geauhouefheuutiiir.cc tcp
US 8.8.8.8:53 gaoheeuofhefefhutr.cc udp
US 107.6.74.76:80 gaoheeuofhefefhutr.cc tcp
US 8.8.8.8:53 gaouehaehfoaeajrsr.cc udp
US 199.21.76.81:80 gaouehaehfoaeajrsr.cc tcp
US 8.8.8.8:53 gaohrhurhuhruhfsdr.cc udp
US 63.251.106.25:80 gaohrhurhuhruhfsdr.cc tcp
US 8.8.8.8:53 gaghpaheiafhjefijr.cc udp
NL 72.26.218.86:80 gaghpaheiafhjefijr.cc tcp
US 8.8.8.8:53 gaoehuoaoefhuhfugr.cc udp
SG 72.5.161.12:80 gaoehuoaoefhuhfugr.cc tcp
US 8.8.8.8:53 aegohaohuoruitiier.cc udp
NL 72.26.218.86:80 aegohaohuoruitiier.cc tcp
US 8.8.8.8:53 befaheaiudeuhughgr.cc udp
US 72.251.233.245:80 befaheaiudeuhughgr.cc tcp
US 8.8.8.8:53 urusurofhsorhfuuhh.co udp
US 199.21.76.81:80 urusurofhsorhfuuhh.co tcp
US 8.8.8.8:53 aeifaeifhutuhuhush.co udp
US 173.231.189.15:80 aeifaeifhutuhuhush.co tcp
US 8.8.8.8:53 rzhsudhugugfugugsh.co udp
US 208.100.26.245:80 rzhsudhugugfugugsh.co tcp
US 8.8.8.8:53 bfagzzezgaegzgfaih.co udp
SG 63.251.126.10:80 bfagzzezgaegzgfaih.co tcp
US 8.8.8.8:53 eaeuafhuaegfugeudh.co udp
US 63.251.106.25:80 eaeuafhuaegfugeudh.co tcp
US 8.8.8.8:53 aeufuaehfiuehfuhfh.co udp
US 173.231.184.122:80 aeufuaehfiuehfuhfh.co tcp
US 8.8.8.8:53 daedagheauehfuuhfh.co udp
US 162.217.98.146:80 daedagheauehfuuhfh.co tcp
US 8.8.8.8:53 aeoughaoheguaoehdh.co udp
US 162.217.98.146:80 aeoughaoheguaoehdh.co tcp
US 8.8.8.8:53 eguaheoghouughahsh.co udp
US 107.6.74.76:80 eguaheoghouughahsh.co tcp
US 8.8.8.8:53 huaeokaefoaeguaehh.co udp
US 199.21.76.77:80 huaeokaefoaeguaehh.co tcp
US 8.8.8.8:53 afaeigaifgsgrhhafh.co udp
NL 72.26.218.86:80 afaeigaifgsgrhhafh.co tcp
US 8.8.8.8:53 afaigaeigieufuifih.co udp
NL 72.26.218.86:80 afaigaeigieufuifih.co tcp
US 8.8.8.8:53 geauhouefheuutiiih.co udp
US 173.231.189.15:80 geauhouefheuutiiih.co tcp
US 8.8.8.8:53 gaoheeuofhefefhuth.co udp
NL 72.26.218.86:80 gaoheeuofhefefhuth.co tcp
US 8.8.8.8:53 gaouehaehfoaeajrsh.co udp
US 199.21.76.77:80 gaouehaehfoaeajrsh.co tcp
US 8.8.8.8:53 gaohrhurhuhruhfsdh.co udp
US 173.231.189.15:80 gaohrhurhuhruhfsdh.co tcp
US 8.8.8.8:53 gaghpaheiafhjefijh.co udp
NL 72.26.218.86:80 gaghpaheiafhjefijh.co tcp
US 8.8.8.8:53 gaoehuoaoefhuhfugh.co udp
US 206.191.152.58:80 gaoehuoaoefhuhfugh.co tcp
US 8.8.8.8:53 aegohaohuoruitiieh.co udp
SG 63.251.126.10:80 aegohaohuoruitiieh.co tcp
US 8.8.8.8:53 befaheaiudeuhughgh.co udp
US 63.251.106.25:80 befaheaiudeuhughgh.co tcp
US 8.8.8.8:53 urusurofhsorhfuuhe.to udp
US 8.8.8.8:53 aeifaeifhutuhuhuse.to udp
US 8.8.8.8:53 rzhsudhugugfugugse.to udp
US 8.8.8.8:53 eaeuafhuaegfugeude.to udp
US 8.8.8.8:53 aeufuaehfiuehfuhfe.to udp
US 8.8.8.8:53 daedagheauehfuuhfe.to udp
US 8.8.8.8:53 aeoughaoheguaoehde.to udp
US 8.8.8.8:53 eguaheoghouughahse.to udp
US 8.8.8.8:53 huaeokaefoaeguaehe.to udp
US 8.8.8.8:53 afaeigaifgsgrhhafe.to udp
US 8.8.8.8:53 afaigaeigieufuifie.to udp
US 8.8.8.8:53 geauhouefheuutiiie.to udp
US 8.8.8.8:53 gaoheeuofhefefhute.to udp
US 8.8.8.8:53 gaouehaehfoaeajrse.to udp
US 8.8.8.8:53 gaohrhurhuhruhfsde.to udp
US 8.8.8.8:53 gaghpaheiafhjefije.to udp
US 8.8.8.8:53 gaoehuoaoefhuhfuge.to udp
US 8.8.8.8:53 aegohaohuoruitiiee.to udp
US 8.8.8.8:53 befaheaiudeuhughge.to udp
US 8.8.8.8:53 aeifaeifhutuhuhusw.top udp
US 208.100.26.245:80 aeifaeifhutuhuhusw.top tcp
US 8.8.8.8:53 rzhsudhugugfugugsw.top udp
US 8.8.8.8:53 bfagzzezgaegzgfaiw.top udp
US 8.8.8.8:53 eaeuafhuaegfugeudw.top udp
US 8.8.8.8:53 aeufuaehfiuehfuhfw.top udp
US 208.100.26.245:80 aeufuaehfiuehfuhfw.top tcp
US 8.8.8.8:53 daedagheauehfuuhfw.top udp
US 8.8.8.8:53 aeoughaoheguaoehdw.top udp
US 208.100.26.245:80 aeoughaoheguaoehdw.top tcp
US 8.8.8.8:53 eguaheoghouughahsw.top udp
US 8.8.8.8:53 huaeokaefoaeguaehw.top udp
US 8.8.8.8:53 afaeigaifgsgrhhafw.top udp
US 8.8.8.8:53 afaigaeigieufuifiw.top udp
US 8.8.8.8:53 geauhouefheuutiiiw.top udp
US 8.8.8.8:53 thaus.top udp
US 8.8.8.8:53 gaoheeuofhefefhutw.top udp
US 8.8.8.8:53 gaouehaehfoaeajrsw.top udp
US 8.8.8.8:53 gaohrhurhuhruhfsdw.top udp
US 8.8.8.8:53 gaghpaheiafhjefijw.top udp
US 8.8.8.8:53 gaoehuoaoefhuhfugw.top udp
US 8.8.8.8:53 udp

Files

memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmp

memory/1180-55-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1180-56-0x00000000001E0000-0x00000000001EA000-memory.dmp

memory/1180-57-0x0000000000400000-0x0000000000464000-memory.dmp

\Windows\300513490\sysgxhc.exe

MD5 87f19914a9966998a89839dbdc978d4f
SHA1 f7a14349ce4d889dac552451c91dddf7bc583245
SHA256 db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
SHA512 6c25271d3a52c9f82c34789ed278a8b42565739eedb016cf622a7b488202d6b32bcab4d31edd2db500993b1a24a8debc2ec9e8f5270185ade362f8a28c89cf6b

memory/1880-60-0x0000000000000000-mapping.dmp

C:\Windows\300513490\sysgxhc.exe

MD5 87f19914a9966998a89839dbdc978d4f
SHA1 f7a14349ce4d889dac552451c91dddf7bc583245
SHA256 db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
SHA512 6c25271d3a52c9f82c34789ed278a8b42565739eedb016cf622a7b488202d6b32bcab4d31edd2db500993b1a24a8debc2ec9e8f5270185ade362f8a28c89cf6b

memory/1880-63-0x0000000000400000-0x0000000000464000-memory.dmp

memory/1880-65-0x0000000000570000-0x000000000057A000-memory.dmp

memory/1880-66-0x0000000000400000-0x0000000000464000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2022-06-24 22:43

Reported: 2022-06-24 22:50

Platform: win10v2004-20220414-en

Max time kernel: 192s

Max time network: 198s

Command Line

"C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe"

Signatures

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\1923925090\sysfstx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Windows\1923925090\sysfstx.exe N/A

Phorphiex

worm trojan loader phorphiex

Phorphiex payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\1923925090\sysfstx.exe N/A

suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz

suricata

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" C:\Windows\1923925090\sysfstx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\1923925090\sysfstx.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1923925090\\sysfstx.exe" C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1923925090\\sysfstx.exe" C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\1923925090\sysfstx.exe C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
File opened for modification C:\Windows\1923925090\sysfstx.exe C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
File opened for modification C:\Windows\1923925090 C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A
N/A N/A C:\Windows\1923925090\sysfstx.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\1923925090\sysfstx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe

"C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe"

C:\Windows\1923925090\sysfstx.exe

C:\Windows\1923925090\sysfstx.exe

Network

Country Destination Domain Proto
US 93.184.221.240:80 tcp
FR 92.243.6.46:443 tcp
IE 20.50.80.210:443 tcp
US 93.184.221.240:80 tcp
US 93.184.221.240:80 tcp
US 93.184.220.29:80 tcp
US 204.79.197.203:80 tcp
NL 20.190.160.132:443 tcp
RU 185.176.27.132:80 tcp
US 8.8.8.8:53 urusurofhsorhfuuhp.su udp
US 8.8.8.8:53 aeifaeifhutuhuhusp.su udp
US 8.8.8.8:53 rzhsudhugugfugugsp.su udp
US 8.8.8.8:53 bfagzzezgaegzgfaip.su udp
US 8.8.8.8:53 eaeuafhuaegfugeudp.su udp
US 8.8.8.8:53 aeufuaehfiuehfuhfp.su udp
US 8.8.8.8:53 daedagheauehfuuhfp.su udp
US 8.8.8.8:53 aeoughaoheguaoehdp.su udp
US 8.8.8.8:53 eguaheoghouughahsp.su udp
US 8.8.8.8:53 huaeokaefoaeguaehp.su udp
US 8.8.8.8:53 afaeigaifgsgrhhafp.su udp
US 8.8.8.8:53 afaigaeigieufuifip.su udp
US 8.8.8.8:53 geauhouefheuutiiip.su udp
US 8.8.8.8:53 gaoheeuofhefefhutp.su udp
US 8.8.8.8:53 gaouehaehfoaeajrsp.su udp
US 8.8.8.8:53 gaohrhurhuhruhfsdp.su udp
US 8.8.8.8:53 gaghpaheiafhjefijp.su udp
US 8.8.8.8:53 gaoehuoaoefhuhfugp.su udp
US 8.8.8.8:53 aegohaohuoruitiiep.su udp
US 8.8.8.8:53 befaheaiudeuhughgp.su udp
US 8.8.8.8:53 urusurofhsorhfuuhd.io udp
US 8.8.8.8:53 rzhsudhugugfugugsd.io udp
US 8.8.8.8:53 aeifaeifhutuhuhusd.io udp
US 72.251.233.245:80 aeifaeifhutuhuhusd.io tcp
US 8.8.8.8:53 bfagzzezgaegzgfaid.io udp
US 206.191.152.37:80 rzhsudhugugfugugsd.io tcp
US 72.251.233.245:80 aeifaeifhutuhuhusd.io tcp
US 8.8.8.8:53 eaeuafhuaegfugeudd.io udp
US 173.231.189.15:80 bfagzzezgaegzgfaid.io tcp
US 8.8.8.8:53 aeufuaehfiuehfuhfd.io udp
US 72.251.233.245:80 eaeuafhuaegfugeudd.io tcp
US 8.8.8.8:53 daedagheauehfuuhfd.io udp
US 162.217.98.146:80 aeufuaehfiuehfuhfd.io tcp
US 8.8.8.8:53 aeoughaoheguaoehdd.io udp
US 63.251.106.25:80 daedagheauehfuuhfd.io tcp
US 8.8.8.8:53 eguaheoghouughahsd.io udp
US 107.6.74.76:80 eguaheoghouughahsd.io tcp
US 8.8.8.8:53 huaeokaefoaeguaehd.io udp
US 107.6.74.76:80 eguaheoghouughahsd.io tcp
US 8.8.8.8:53 afaeigaifgsgrhhafd.io udp
SG 72.5.161.12:80 huaeokaefoaeguaehd.io tcp
US 8.8.8.8:53 afaigaeigieufuifid.io udp
US 72.251.233.245:80 afaeigaifgsgrhhafd.io tcp
US 8.8.8.8:53 geauhouefheuutiiid.io udp
SG 72.5.161.12:80 afaigaeigieufuifid.io tcp
US 8.8.8.8:53 gaoheeuofhefefhutd.io udp
NL 63.251.235.76:80 geauhouefheuutiiid.io tcp
US 8.8.8.8:53 gaouehaehfoaeajrsd.io udp
US 199.21.76.81:80 gaoheeuofhefefhutd.io tcp
US 8.8.8.8:53 gaohrhurhuhruhfsdd.io udp
US 173.231.184.122:80 gaouehaehfoaeajrsd.io tcp
US 8.8.8.8:53 gaghpaheiafhjefijd.io udp
US 72.251.233.245:80 gaohrhurhuhruhfsdd.io tcp
US 8.8.8.8:53 gaoehuoaoefhuhfugd.io udp
US 107.6.74.76:80 gaghpaheiafhjefijd.io tcp
US 8.8.8.8:53 aegohaohuoruitiied.io udp
US 206.191.152.37:80 gaoehuoaoefhuhfugd.io tcp
US 8.8.8.8:53 befaheaiudeuhughgd.io udp
SG 63.251.126.10:80 aegohaohuoruitiied.io tcp
US 8.8.8.8:53 urusurofhsorhfuuhr.cc udp
US 173.231.184.124:80 befaheaiudeuhughgd.io tcp
US 8.8.8.8:53 aeifaeifhutuhuhusr.cc udp
SG 63.251.126.10:80 urusurofhsorhfuuhr.cc tcp
US 8.8.8.8:53 rzhsudhugugfugugsr.cc udp
US 173.231.184.122:80 aeifaeifhutuhuhusr.cc tcp
NL 20.190.160.4:443 tcp
US 8.8.8.8:53 bfagzzezgaegzgfair.cc udp
US 206.191.152.37:80 rzhsudhugugfugugsr.cc tcp
US 8.8.8.8:53 eaeuafhuaegfugeudr.cc udp
NL 72.26.218.86:80 bfagzzezgaegzgfair.cc tcp
US 8.8.8.8:53 aeufuaehfiuehfuhfr.cc udp
US 173.231.184.124:80 eaeuafhuaegfugeudr.cc tcp
US 8.8.8.8:53 daedagheauehfuuhfr.cc udp
US 107.6.74.76:80 aeufuaehfiuehfuhfr.cc tcp
US 8.8.8.8:53 aeoughaoheguaoehdr.cc udp
US 206.191.152.37:80 daedagheauehfuuhfr.cc tcp
US 107.6.74.76:80 aeoughaoheguaoehdr.cc tcp
US 8.8.8.8:53 eguaheoghouughahsr.cc udp
US 8.8.8.8:53 huaeokaefoaeguaehr.cc udp
SG 63.251.126.10:80 huaeokaefoaeguaehr.cc tcp
US 8.8.8.8:53 afaeigaifgsgrhhafr.cc udp
SG 63.251.126.10:80 huaeokaefoaeguaehr.cc tcp
NL 63.251.235.76:80 afaeigaifgsgrhhafr.cc tcp
US 8.8.8.8:53 afaigaeigieufuifir.cc udp
US 8.8.8.8:53 geauhouefheuutiiir.cc udp
US 173.231.189.15:80 afaigaeigieufuifir.cc tcp
US 8.8.8.8:53 gaoheeuofhefefhutr.cc udp
SG 63.251.126.10:80 geauhouefheuutiiir.cc tcp
US 8.8.8.8:53 gaouehaehfoaeajrsr.cc udp
US 107.6.74.76:80 gaoheeuofhefefhutr.cc tcp

Files

memory/3068-130-0x0000000000400000-0x0000000000464000-memory.dmp

memory/3068-131-0x0000000000400000-0x0000000000464000-memory.dmp

memory/3068-132-0x0000000002460000-0x000000000246A000-memory.dmp

memory/2280-133-0x0000000000000000-mapping.dmp

C:\Windows\1923925090\sysfstx.exe

MD5 87f19914a9966998a89839dbdc978d4f
SHA1 f7a14349ce4d889dac552451c91dddf7bc583245
SHA256 db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
SHA512 6c25271d3a52c9f82c34789ed278a8b42565739eedb016cf622a7b488202d6b32bcab4d31edd2db500993b1a24a8debc2ec9e8f5270185ade362f8a28c89cf6b

memory/2280-136-0x0000000000400000-0x0000000000464000-memory.dmp

memory/3068-137-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2280-138-0x0000000000400000-0x0000000000464000-memory.dmp

memory/2280-139-0x00000000005E0000-0x00000000005EA000-memory.dmp