Analysis Overview
SHA256
db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5
Threat Level: Known bad
The file db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5 was found to be: Known bad.
Malicious Activity Summary
Phorphiex payload
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Phorphiex
Executes dropped EXE
Windows security modification
Loads dropped DLL
Adds Run key to start application
Drops file in Windows directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-24 22:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-24 22:43
Reported
2022-06-24 22:47
Platform
win7-20220414-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
Phorphiex
Phorphiex payload
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\300513490\sysgxhc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\300513490\sysgxhc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\300513490\\sysgxhc.exe" | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\300513490\\sysgxhc.exe" | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\300513490 | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
| File created | C:\Windows\300513490\sysgxhc.exe | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
| File opened for modification | C:\Windows\300513490\sysgxhc.exe | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\300513490\sysgxhc.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1180 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | C:\Windows\300513490\sysgxhc.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
"C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe"
C:\Windows\300513490\sysgxhc.exe
C:\Windows\300513490\sysgxhc.exe
Network
Files
memory/1180-54-0x0000000076C81000-0x0000000076C83000-memory.dmp
memory/1180-55-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1180-56-0x00000000001E0000-0x00000000001EA000-memory.dmp
memory/1180-57-0x0000000000400000-0x0000000000464000-memory.dmp
\Windows\300513490\sysgxhc.exe
| MD5 | 87f19914a9966998a89839dbdc978d4f |
| SHA1 | f7a14349ce4d889dac552451c91dddf7bc583245 |
| SHA256 | db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5 |
| SHA512 | 6c25271d3a52c9f82c34789ed278a8b42565739eedb016cf622a7b488202d6b32bcab4d31edd2db500993b1a24a8debc2ec9e8f5270185ade362f8a28c89cf6b |
memory/1880-60-0x0000000000000000-mapping.dmp
memory/1880-63-0x0000000000400000-0x0000000000464000-memory.dmp
memory/1880-65-0x0000000000570000-0x000000000057A000-memory.dmp
memory/1880-66-0x0000000000400000-0x0000000000464000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-24 22:43
Reported
2022-06-24 22:50
Platform
win10v2004-20220414-en
Max time kernel
192s
Max time network
198s
Command Line
Signatures
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
Phorphiex
Phorphiex payload
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
suricata: ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\1923925090\sysfstx.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Windows\1923925090\sysfstx.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1923925090\\sysfstx.exe" | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Driver = "C:\\Windows\\1923925090\\sysfstx.exe" | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\1923925090\sysfstx.exe | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
| File opened for modification | C:\Windows\1923925090\sysfstx.exe | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
| File opened for modification | C:\Windows\1923925090 | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\1923925090\sysfstx.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3068 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe | C:\Windows\1923925090\sysfstx.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe
"C:\Users\Admin\AppData\Local\Temp\db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5.exe"
C:\Windows\1923925090\sysfstx.exe
C:\Windows\1923925090\sysfstx.exe
Network
| US | 8.8.8.8:53 | afaeigaifgsgrhhafw.top | udp |
| US | 8.8.8.8:53 | afaigaeigieufuifiw.top | udp |
| US | 8.8.8.8:53 | geauhouefheuutiiiw.top | udp |
| US | 8.8.8.8:53 | thaus.top | udp |
| US | 8.8.8.8:53 | gaoheeuofhefefhutw.top | udp |
| US | 8.8.8.8:53 | gaouehaehfoaeajrsw.top | udp |
| US | 8.8.8.8:53 | gaohrhurhuhruhfsdw.top | udp |
| US | 8.8.8.8:53 | gaghpaheiafhjefijw.top | udp |
| US | 8.8.8.8:53 | gaoehuoaoefhuhfugw.top | udp |
| US | 8.8.8.8:53 | aegohaohuoruitiiew.top | udp |
| US | 8.8.8.8:53 | befaheaiudeuhughgw.top | udp |
| RU | 185.176.27.132:80 | | tcp |
| RU | 185.176.27.132:80 | | tcp |
| US | 8.8.8.8:53 | aeoughaoheguaoehdw.top | udp |
| US | 208.100.26.245:80 | aeoughaoheguaoehdw.top | tcp |
| RU | 185.176.27.132:80 | | tcp |
| US | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| RU | 185.176.27.132:80 | | tcp |
| RU | 185.176.27.132:80 | | tcp |
| NL | 20.190.160.8:443 | | tcp |
| RU | 185.176.27.132:80 | | tcp |
| RU | 185.176.27.132:80 | | tcp |
| RU | 185.176.27.132:80 | | tcp |
| US | 8.8.8.8:53 | urusurofhsorhfuuhp.su | udp |
| US | 8.8.8.8:53 | aeifaeifhutuhuhusp.su | udp |
| US | 8.8.8.8:53 | rzhsudhugugfugugsp.su | udp |
| US | 8.8.8.8:53 | bfagzzezgaegzgfaip.su | udp |
| US | 8.8.8.8:53 | eaeuafhuaegfugeudp.su | udp |
| US | 8.8.8.8:53 | aeufuaehfiuehfuhfp.su | udp |
| US | 8.8.8.8:53 | daedagheauehfuuhfp.su | udp |
| US | 8.8.8.8:53 | aeoughaoheguaoehdp.su | udp |
| US | 8.8.8.8:53 | eguaheoghouughahsp.su | udp |
| US | 8.8.8.8:53 | huaeokaefoaeguaehp.su | udp |
| US | 8.8.8.8:53 | afaeigaifgsgrhhafp.su | udp |
| US | 8.8.8.8:53 | afaigaeigieufuifip.su | udp |
| NL | 20.190.160.134:443 | | tcp |
| US | 8.8.8.8:53 | geauhouefheuutiiip.su | udp |
| US | 8.8.8.8:53 | gaoheeuofhefefhutp.su | udp |
| US | 8.8.8.8:53 | gaouehaehfoaeajrsp.su | udp |
| US | 8.8.8.8:53 | gaohrhurhuhruhfsdp.su | udp |
| US | 8.8.8.8:53 | gaghpaheiafhjefijp.su | udp |
| US | 8.8.8.8:53 | gaoehuoaoefhuhfugp.su | udp |
| US | 8.8.8.8:53 | aegohaohuoruitiiep.su | udp |
| US | 8.8.8.8:53 | befaheaiudeuhughgp.su | udp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| NL | 20.190.160.2:443 | | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| NL | 20.190.160.6:443 | | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 72.251.233.245:80 | befaheaiudeuhughgr.cc | tcp |
| US | 206.191.152.37:80 | daedagheauehfuuhfr.cc | tcp |
| US | 206.191.152.37:80 | daedagheauehfuuhfr.cc | tcp |
| US | 206.191.152.37:80 | daedagheauehfuuhfr.cc | tcp |
Files
memory/3068-130-0x0000000000400000-0x0000000000464000-memory.dmp
memory/3068-131-0x0000000000400000-0x0000000000464000-memory.dmp
memory/3068-132-0x0000000002460000-0x000000000246A000-memory.dmp
memory/2280-133-0x0000000000000000-mapping.dmp
C:\Windows\1923925090\sysfstx.exe
| MD5 | 87f19914a9966998a89839dbdc978d4f |
| SHA1 | f7a14349ce4d889dac552451c91dddf7bc583245 |
| SHA256 | db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5 |
| SHA512 | 6c25271d3a52c9f82c34789ed278a8b42565739eedb016cf622a7b488202d6b32bcab4d31edd2db500993b1a24a8debc2ec9e8f5270185ade362f8a28c89cf6b |
C:\Windows\1923925090\sysfstx.exe
| MD5 | 87f19914a9966998a89839dbdc978d4f |
| SHA1 | f7a14349ce4d889dac552451c91dddf7bc583245 |
| SHA256 | db627ff946ff64910cf909c81ae51294c4bb6477ee2c620aae1d0f7a7208b6b5 |
| SHA512 | 6c25271d3a52c9f82c34789ed278a8b42565739eedb016cf622a7b488202d6b32bcab4d31edd2db500993b1a24a8debc2ec9e8f5270185ade362f8a28c89cf6b |
memory/2280-136-0x0000000000400000-0x0000000000464000-memory.dmp
memory/3068-137-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2280-138-0x0000000000400000-0x0000000000464000-memory.dmp
memory/2280-139-0x00000000005E0000-0x00000000005EA000-memory.dmp