Overview

overview

10

Static

static

FBDDC2BF72...51.exe

windows7_x64

10

FBDDC2BF72...51.exe

windows10_x64

10

Analysis

  • max time kernel
    54s
  • max time network
    175s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    08-06-2021 07:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FBDDC2BF724AF868D8AA5F0D08700151.exe

  • Size

    5.3MB

  • MD5

    fbddc2bf724af868d8aa5f0d08700151

  • SHA1

    2cab05f7d25f9503ab5a5ea133cefcc356908a2d

  • SHA256

    3acec6ce8556a3f24033df05f6e71ab604577eb541b437acd3ebfdb6644c4931

  • SHA512

    63b26cf28460eaf96a0f8cfbc2598c5bbf80b0e1345470d32df2b5cbc43116efbd8eb77a8f49a7b8f2e1430ae20772d48b6403e8bcff91d32619a126d5bcc449

Score
10/10
plugxdiscoveryevasionpersistencetrojanupxvmprotect

Malware Config

Signatures

  • PlugX

    PlugX is a RAT (Remote Access Trojan) that has been around since 2008.

    trojanplugx
  • Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs
  • Checks for common network interception software 1 TTPs

    Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

    evasion
  • Downloads MZ/PE file
  • Drops file in Drivers directory 2 IoCs
  • Executes dropped EXE 32 IoCs
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Loads dropped DLL 61 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 45 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 29 IoCs
  • Modifies registry class 15 IoCs
  • Modifies system certificate store 2 TTPs 12 IoCs
    evasionspywaretrojan
  • Script User-Agent 6 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: CmdExeWriteProcessMemorySpam 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 7 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:464
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in System32 directory
        • Suspicious use of SetThreadContext
        • Drops file in Windows directory
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:856
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:1388
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Drops file in System32 directory
        • Checks processor information in registry
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:2800
      • C:\Windows\system32\msiexec.exe
        C:\Windows\system32\msiexec.exe /V
        2⤵
          PID:3488
          • C:\Windows\syswow64\MsiExec.exe
            C:\Windows\syswow64\MsiExec.exe -Embedding 1527511733965CDDA7F8478C5EDBDB7D C
            3⤵
              PID:3868
            • C:\Windows\syswow64\MsiExec.exe
              C:\Windows\syswow64\MsiExec.exe -Embedding 86DE46422EF4FC24AA2729C0599FCC4D
              3⤵
                PID:3344
                • C:\Windows\SysWOW64\taskkill.exe
                  "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
                  4⤵
                  • Kills process with taskkill
                  PID:3740
              • C:\Windows\syswow64\MsiExec.exe
                C:\Windows\syswow64\MsiExec.exe -Embedding DCC231D4E149FC81A32C524E3287E0C4 M Global\MSI0000
                3⤵
                  PID:3692
            • C:\Users\Admin\AppData\Local\Temp\FBDDC2BF724AF868D8AA5F0D08700151.exe
              "C:\Users\Admin\AppData\Local\Temp\FBDDC2BF724AF868D8AA5F0D08700151.exe"
              1⤵
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Suspicious use of WriteProcessMemory
              PID:916
              • C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe
                "C:\Program Files (x86)\Data Finder\Versium Research\hjjgaa.exe"
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1492
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  3⤵
                  • Executes dropped EXE
                  PID:1596
                • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                  C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                  3⤵
                  • Executes dropped EXE
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2164
              • C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe
                "C:\Program Files (x86)\Data Finder\Versium Research\RunWW.exe"
                2⤵
                • Executes dropped EXE
                • Modifies system certificate store
                PID:1164
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 1320
                  3⤵
                  • Loads dropped DLL
                  • Program crash
                  • Suspicious behavior: EnumeratesProcesses
                  PID:2104
              • C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe
                "C:\Program Files (x86)\Data Finder\Versium Research\guihuali-game.exe"
                2⤵
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:1956
                • C:\Windows\SysWOW64\rUNdlL32.eXe
                  "C:\Windows\system32\rUNdlL32.eXe" "C:\Users\Admin\AppData\Local\Temp\install.dll",install
                  3⤵
                  • Loads dropped DLL
                  • Modifies registry class
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:948
              • C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe
                "C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
                2⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1736
                • C:\Users\Admin\AppData\Local\Temp\is-SS4KJ.tmp\LabPicV3.tmp
                  "C:\Users\Admin\AppData\Local\Temp\is-SS4KJ.tmp\LabPicV3.tmp" /SL5="$2015E,140559,56832,C:\Program Files (x86)\Data Finder\Versium Research\LabPicV3.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:2012
                  • C:\Users\Admin\AppData\Local\Temp\is-DN0P1.tmp\___________23.exe
                    "C:\Users\Admin\AppData\Local\Temp\is-DN0P1.tmp\___________23.exe" /S /UID=lab214
                    4⤵
                    • Drops file in Drivers directory
                    • Executes dropped EXE
                    • Adds Run key to start application
                    • Drops file in Program Files directory
                    PID:1600
                    • C:\Program Files\Windows Media Player\QBDVZCPDJW\prolab.exe
                      "C:\Program Files\Windows Media Player\QBDVZCPDJW\prolab.exe" /VERYSILENT
                      5⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      PID:2196
                      • C:\Users\Admin\AppData\Local\Temp\is-R26U1.tmp\prolab.tmp
                        "C:\Users\Admin\AppData\Local\Temp\is-R26U1.tmp\prolab.tmp" /SL5="$7001C,575243,216576,C:\Program Files\Windows Media Player\QBDVZCPDJW\prolab.exe" /VERYSILENT
                        6⤵
                        • Executes dropped EXE
                        • Loads dropped DLL
                        • Drops file in Program Files directory
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of FindShellTrayWindow
                        PID:2260
                    • C:\Users\Admin\AppData\Local\Temp\1e-99014-684-b83bc-63238a576845c\ZHetohyvexi.exe
                      "C:\Users\Admin\AppData\Local\Temp\1e-99014-684-b83bc-63238a576845c\ZHetohyvexi.exe"
                      5⤵
                      • Executes dropped EXE
                      • Modifies system certificate store
                      PID:2228
                      • C:\Program Files\Internet Explorer\iexplore.exe
                        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                        6⤵
                        • Modifies Internet Explorer settings
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SetWindowsHookEx
                        PID:2616
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
                          7⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of SetWindowsHookEx
                          PID:2724
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275460 /prefetch:2
                          7⤵
                          • Modifies Internet Explorer settings
                          • Suspicious use of SetWindowsHookEx
                          PID:2892
                        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:1061904 /prefetch:2
                          7⤵
                            PID:3696
                      • C:\Users\Admin\AppData\Local\Temp\85-c2f0c-1a4-531be-2812193c8d880\Puhodozhesha.exe
                        "C:\Users\Admin\AppData\Local\Temp\85-c2f0c-1a4-531be-2812193c8d880\Puhodozhesha.exe"
                        5⤵
                        • Executes dropped EXE
                        • Modifies system certificate store
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2284
                        • C:\Windows\System32\cmd.exe
                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0uvpaa4n.w5q\001.exe & exit
                          6⤵
                            PID:1056
                            • C:\Users\Admin\AppData\Local\Temp\0uvpaa4n.w5q\001.exe
                              C:\Users\Admin\AppData\Local\Temp\0uvpaa4n.w5q\001.exe
                              7⤵
                                PID:3024
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\d1yfxuvb.qwy\installer.exe /qn CAMPAIGN="654" & exit
                              6⤵
                                PID:1504
                                • C:\Users\Admin\AppData\Local\Temp\d1yfxuvb.qwy\installer.exe
                                  C:\Users\Admin\AppData\Local\Temp\d1yfxuvb.qwy\installer.exe /qn CAMPAIGN="654"
                                  7⤵
                                  • Executes dropped EXE
                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                  PID:2240
                              • C:\Windows\System32\cmd.exe
                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\qpqzz5nv.c2d\gaoou.exe & exit
                                6⤵
                                  PID:1628
                                  • C:\Users\Admin\AppData\Local\Temp\qpqzz5nv.c2d\gaoou.exe
                                    C:\Users\Admin\AppData\Local\Temp\qpqzz5nv.c2d\gaoou.exe
                                    7⤵
                                    • Executes dropped EXE
                                    • Loads dropped DLL
                                    • Adds Run key to start application
                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                    PID:3004
                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      8⤵
                                      • Executes dropped EXE
                                      PID:3096
                                    • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                      C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                      8⤵
                                        PID:3944
                                  • C:\Windows\System32\cmd.exe
                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\um5f1flc.33p\Setup3310.exe /Verysilent /subid=623 & exit
                                    6⤵
                                      PID:1716
                                      • C:\Users\Admin\AppData\Local\Temp\um5f1flc.33p\Setup3310.exe
                                        C:\Users\Admin\AppData\Local\Temp\um5f1flc.33p\Setup3310.exe /Verysilent /subid=623
                                        7⤵
                                        • Executes dropped EXE
                                        • Loads dropped DLL
                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                        PID:2100
                                        • C:\Users\Admin\AppData\Local\Temp\is-NG847.tmp\Setup3310.tmp
                                          "C:\Users\Admin\AppData\Local\Temp\is-NG847.tmp\Setup3310.tmp" /SL5="$2039A,138429,56832,C:\Users\Admin\AppData\Local\Temp\um5f1flc.33p\Setup3310.exe" /Verysilent /subid=623
                                          8⤵
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Suspicious use of FindShellTrayWindow
                                          PID:2604
                                          • C:\Users\Admin\AppData\Local\Temp\is-RKKLB.tmp\Setup.exe
                                            "C:\Users\Admin\AppData\Local\Temp\is-RKKLB.tmp\Setup.exe" /Verysilent
                                            9⤵
                                              PID:2828
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\aeeh01lt.w0j\google-game.exe & exit
                                        6⤵
                                          PID:3380
                                          • C:\Users\Admin\AppData\Local\Temp\aeeh01lt.w0j\google-game.exe
                                            C:\Users\Admin\AppData\Local\Temp\aeeh01lt.w0j\google-game.exe
                                            7⤵
                                              PID:3472
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\wl5sdgvk.rhi\005.exe & exit
                                            6⤵
                                              PID:2488
                                              • C:\Users\Admin\AppData\Local\Temp\wl5sdgvk.rhi\005.exe
                                                C:\Users\Admin\AppData\Local\Temp\wl5sdgvk.rhi\005.exe
                                                7⤵
                                                  PID:3264
                                              • C:\Windows\System32\cmd.exe
                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zbdzpyz4.1c3\toolspab1.exe & exit
                                                6⤵
                                                  PID:3240
                                                  • C:\Users\Admin\AppData\Local\Temp\zbdzpyz4.1c3\toolspab1.exe
                                                    C:\Users\Admin\AppData\Local\Temp\zbdzpyz4.1c3\toolspab1.exe
                                                    7⤵
                                                      PID:2772
                                                      • C:\Users\Admin\AppData\Local\Temp\zbdzpyz4.1c3\toolspab1.exe
                                                        C:\Users\Admin\AppData\Local\Temp\zbdzpyz4.1c3\toolspab1.exe
                                                        8⤵
                                                          PID:3716
                                                    • C:\Windows\System32\cmd.exe
                                                      "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\lkdibzlq.dkl\installer.exe /qn CAMPAIGN="654" & exit
                                                      6⤵
                                                        PID:768
                                                        • C:\Users\Admin\AppData\Local\Temp\lkdibzlq.dkl\installer.exe
                                                          C:\Users\Admin\AppData\Local\Temp\lkdibzlq.dkl\installer.exe /qn CAMPAIGN="654"
                                                          7⤵
                                                            PID:3100
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\ogmocjw0.kux\702564a0.exe & exit
                                                          6⤵
                                                            PID:3524
                                                            • C:\Users\Admin\AppData\Local\Temp\ogmocjw0.kux\702564a0.exe
                                                              C:\Users\Admin\AppData\Local\Temp\ogmocjw0.kux\702564a0.exe
                                                              7⤵
                                                                PID:3680
                                                    • C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe
                                                      "C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
                                                      2⤵
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      • Suspicious use of WriteProcessMemory
                                                      PID:1912
                                                      • C:\Users\Admin\AppData\Local\Temp\is-5TAUS.tmp\lylal220.tmp
                                                        "C:\Users\Admin\AppData\Local\Temp\is-5TAUS.tmp\lylal220.tmp" /SL5="$30176,140518,56832,C:\Program Files (x86)\Data Finder\Versium Research\lylal220.exe"
                                                        3⤵
                                                        • Executes dropped EXE
                                                        • Loads dropped DLL
                                                        • Suspicious use of WriteProcessMemory
                                                        PID:908
                                                        • C:\Users\Admin\AppData\Local\Temp\is-PG3BV.tmp\___________RUb__________y.exe
                                                          "C:\Users\Admin\AppData\Local\Temp\is-PG3BV.tmp\___________RUb__________y.exe" /S /UID=lylal220
                                                          4⤵
                                                          • Drops file in Drivers directory
                                                          • Executes dropped EXE
                                                          • Adds Run key to start application
                                                          • Drops file in Program Files directory
                                                          PID:1580
                                                          • C:\Program Files\Google\QBDVZCPDJW\irecord.exe
                                                            "C:\Program Files\Google\QBDVZCPDJW\irecord.exe" /VERYSILENT
                                                            5⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            PID:2340
                                                            • C:\Users\Admin\AppData\Local\Temp\is-8I81I.tmp\irecord.tmp
                                                              "C:\Users\Admin\AppData\Local\Temp\is-8I81I.tmp\irecord.tmp" /SL5="$101D6,6139911,56832,C:\Program Files\Google\QBDVZCPDJW\irecord.exe" /VERYSILENT
                                                              6⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Drops file in Program Files directory
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              • Suspicious use of FindShellTrayWindow
                                                              PID:2376
                                                              • C:\Program Files (x86)\recording\i-record.exe
                                                                "C:\Program Files (x86)\recording\i-record.exe" -silent -desktopShortcut -programMenu
                                                                7⤵
                                                                • Executes dropped EXE
                                                                • Loads dropped DLL
                                                                PID:2560
                                                          • C:\Users\Admin\AppData\Local\Temp\1f-635a6-29f-a2090-28fc8cb8df773\Saehobedojae.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\1f-635a6-29f-a2090-28fc8cb8df773\Saehobedojae.exe"
                                                            5⤵
                                                            • Executes dropped EXE
                                                            PID:2388
                                                            • C:\Program Files\Internet Explorer\iexplore.exe
                                                              "C:\Program Files\Internet Explorer\iexplore.exe" https://www.profitabletrustednetwork.com/e2q8zu9hu?key=a971bbe4a40a7216a1a87d8f455f71e6
                                                              6⤵
                                                                PID:2856
                                                            • C:\Users\Admin\AppData\Local\Temp\a9-441bb-20b-09688-97f9c92a097a5\Raegidujygae.exe
                                                              "C:\Users\Admin\AppData\Local\Temp\a9-441bb-20b-09688-97f9c92a097a5\Raegidujygae.exe"
                                                              5⤵
                                                              • Executes dropped EXE
                                                              • Suspicious behavior: EnumeratesProcesses
                                                              PID:2444
                                                              • C:\Windows\System32\cmd.exe
                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\q3dzbj5v.uqc\001.exe & exit
                                                                6⤵
                                                                  PID:3036
                                                                  • C:\Users\Admin\AppData\Local\Temp\q3dzbj5v.uqc\001.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\q3dzbj5v.uqc\001.exe
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                    PID:2352
                                                                • C:\Windows\System32\cmd.exe
                                                                  "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\zv430zxo.04b\installer.exe /qn CAMPAIGN="654" & exit
                                                                  6⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                  PID:3024
                                                                  • C:\Users\Admin\AppData\Local\Temp\zv430zxo.04b\installer.exe
                                                                    C:\Users\Admin\AppData\Local\Temp\zv430zxo.04b\installer.exe /qn CAMPAIGN="654"
                                                                    7⤵
                                                                    • Executes dropped EXE
                                                                    • Loads dropped DLL
                                                                    • Modifies system certificate store
                                                                    • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                    • Suspicious use of FindShellTrayWindow
                                                                    PID:1344
                                                                    • C:\Windows\SysWOW64\msiexec.exe
                                                                      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=654 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\zv430zxo.04b\installer.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\zv430zxo.04b\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1622877451 /qn CAMPAIGN=""654"" " CAMPAIGN="654"
                                                                      8⤵
                                                                        PID:2764
                                                                  • C:\Windows\System32\cmd.exe
                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\etn4x1fw.acz\gaoou.exe & exit
                                                                    6⤵
                                                                      PID:2844
                                                                      • C:\Users\Admin\AppData\Local\Temp\etn4x1fw.acz\gaoou.exe
                                                                        C:\Users\Admin\AppData\Local\Temp\etn4x1fw.acz\gaoou.exe
                                                                        7⤵
                                                                        • Executes dropped EXE
                                                                        • Loads dropped DLL
                                                                        • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                        PID:2440
                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                          8⤵
                                                                          • Executes dropped EXE
                                                                          PID:2676
                                                                        • C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
                                                                          C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
                                                                          8⤵
                                                                            PID:4004
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\srsk5qbh.evc\Setup3310.exe /Verysilent /subid=623 & exit
                                                                        6⤵
                                                                          PID:2404
                                                                          • C:\Users\Admin\AppData\Local\Temp\srsk5qbh.evc\Setup3310.exe
                                                                            C:\Users\Admin\AppData\Local\Temp\srsk5qbh.evc\Setup3310.exe /Verysilent /subid=623
                                                                            7⤵
                                                                            • Executes dropped EXE
                                                                            • Loads dropped DLL
                                                                            • Suspicious behavior: CmdExeWriteProcessMemorySpam
                                                                            PID:2544
                                                                            • C:\Users\Admin\AppData\Local\Temp\is-CP7HJ.tmp\Setup3310.tmp
                                                                              "C:\Users\Admin\AppData\Local\Temp\is-CP7HJ.tmp\Setup3310.tmp" /SL5="$20354,138429,56832,C:\Users\Admin\AppData\Local\Temp\srsk5qbh.evc\Setup3310.exe" /Verysilent /subid=623
                                                                              8⤵
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Suspicious use of FindShellTrayWindow
                                                                              PID:3128
                                                                              • C:\Users\Admin\AppData\Local\Temp\is-RMIDD.tmp\Setup.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\is-RMIDD.tmp\Setup.exe" /Verysilent
                                                                                9⤵
                                                                                  PID:3396
                                                                          • C:\Windows\System32\cmd.exe
                                                                            "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\hfazjrh1.4bs\google-game.exe & exit
                                                                            6⤵
                                                                              PID:3440
                                                                              • C:\Users\Admin\AppData\Local\Temp\hfazjrh1.4bs\google-game.exe
                                                                                C:\Users\Admin\AppData\Local\Temp\hfazjrh1.4bs\google-game.exe
                                                                                7⤵
                                                                                  PID:3556
                                                                              • C:\Windows\System32\cmd.exe
                                                                                "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3v01x0bd.ddm\005.exe & exit
                                                                                6⤵
                                                                                  PID:3180
                                                                                  • C:\Users\Admin\AppData\Local\Temp\3v01x0bd.ddm\005.exe
                                                                                    C:\Users\Admin\AppData\Local\Temp\3v01x0bd.ddm\005.exe
                                                                                    7⤵
                                                                                      PID:3424
                                                                                  • C:\Windows\System32\cmd.exe
                                                                                    "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\kufv3x4p.ncs\toolspab1.exe & exit
                                                                                    6⤵
                                                                                      PID:3836
                                                                                      • C:\Users\Admin\AppData\Local\Temp\kufv3x4p.ncs\toolspab1.exe
                                                                                        C:\Users\Admin\AppData\Local\Temp\kufv3x4p.ncs\toolspab1.exe
                                                                                        7⤵
                                                                                          PID:3132
                                                                                          • C:\Users\Admin\AppData\Local\Temp\kufv3x4p.ncs\toolspab1.exe
                                                                                            C:\Users\Admin\AppData\Local\Temp\kufv3x4p.ncs\toolspab1.exe
                                                                                            8⤵
                                                                                              PID:3632
                                                                                        • C:\Windows\System32\cmd.exe
                                                                                          "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\3derx0qz.nfp\installer.exe /qn CAMPAIGN="654" & exit
                                                                                          6⤵
                                                                                            PID:2404
                                                                                            • C:\Users\Admin\AppData\Local\Temp\3derx0qz.nfp\installer.exe
                                                                                              C:\Users\Admin\AppData\Local\Temp\3derx0qz.nfp\installer.exe /qn CAMPAIGN="654"
                                                                                              7⤵
                                                                                                PID:3184
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              "C:\Windows\System32\cmd.exe" /k C:\Users\Admin\AppData\Local\Temp\0v2a4ym4.pdw\702564a0.exe & exit
                                                                                              6⤵
                                                                                                PID:1220
                                                                                                • C:\Users\Admin\AppData\Local\Temp\0v2a4ym4.pdw\702564a0.exe
                                                                                                  C:\Users\Admin\AppData\Local\Temp\0v2a4ym4.pdw\702564a0.exe
                                                                                                  7⤵
                                                                                                    PID:3132
                                                                                      • C:\Windows\system32\conhost.exe
                                                                                        \??\C:\Windows\system32\conhost.exe "615383198-1425619420-1123554660-92367967-509079240950801080-893986628250251160"
                                                                                        1⤵
                                                                                          PID:1056
                                                                                        • C:\Windows\system32\AUDIODG.EXE
                                                                                          C:\Windows\system32\AUDIODG.EXE 0x5cc
                                                                                          1⤵
                                                                                            PID:3116

                                                                                          Network

                                                                                          MITRE ATT&CK Enterprise v6

                                                                                          Replay Monitor

                                                                                          Loading Replay Monitor...

                                                                                          Downloads

                                                                                          • memory/856-120-0x00000000016D0000-0x0000000001740000-memory.dmp

                                                                                            Filesize

                                                                                            448KB

                                                                                            Download

                                                                                          • memory/856-119-0x0000000000A50000-0x0000000000A9B000-memory.dmp

                                                                                            Filesize

                                                                                            300KB

                                                                                            Download

                                                                                          • memory/908-103-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/916-60-0x0000000075011000-0x0000000075013000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/948-113-0x0000000010000000-0x0000000010002000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/948-114-0x0000000000BA0000-0x0000000000CA1000-memory.dmp

                                                                                            Filesize

                                                                                            1.0MB

                                                                                            Download

                                                                                          • memory/948-115-0x0000000000280000-0x00000000002DC000-memory.dmp

                                                                                            Filesize

                                                                                            368KB

                                                                                            Download

                                                                                          • memory/1164-140-0x0000000001C70000-0x0000000001D07000-memory.dmp

                                                                                            Filesize

                                                                                            604KB

                                                                                            Download

                                                                                          • memory/1164-141-0x0000000000400000-0x00000000004A5000-memory.dmp

                                                                                            Filesize

                                                                                            660KB

                                                                                            Download

                                                                                          • memory/1344-227-0x00000000001C0000-0x000000000025D000-memory.dmp

                                                                                            Filesize

                                                                                            628KB

                                                                                            Download

                                                                                          • memory/1388-122-0x00000000004C0000-0x0000000000530000-memory.dmp

                                                                                            Filesize

                                                                                            448KB

                                                                                            Download

                                                                                          • memory/1492-83-0x00000000003F0000-0x0000000000A4F000-memory.dmp

                                                                                            Filesize

                                                                                            6.4MB

                                                                                            Download

                                                                                          • memory/1580-137-0x0000000000BA0000-0x0000000000BA2000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/1600-136-0x0000000000A40000-0x0000000000A42000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/1736-82-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                            Filesize

                                                                                            80KB

                                                                                            Download

                                                                                          • memory/1912-84-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                            Filesize

                                                                                            80KB

                                                                                            Download

                                                                                          • memory/2012-104-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2100-240-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                            Filesize

                                                                                            80KB

                                                                                            Download

                                                                                          • memory/2104-156-0x00000000007E0000-0x0000000000885000-memory.dmp

                                                                                            Filesize

                                                                                            660KB

                                                                                            Download

                                                                                          • memory/2196-167-0x0000000000400000-0x000000000043B000-memory.dmp

                                                                                            Filesize

                                                                                            236KB

                                                                                            Download

                                                                                          • memory/2228-174-0x0000000001F00000-0x0000000001F02000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/2260-177-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2260-182-0x0000000073771000-0x0000000073773000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/2284-181-0x000007FEF1B30000-0x000007FEF2BC6000-memory.dmp

                                                                                            Filesize

                                                                                            16.6MB

                                                                                            Download

                                                                                          • memory/2284-211-0x0000000001F36000-0x0000000001F55000-memory.dmp

                                                                                            Filesize

                                                                                            124KB

                                                                                            Download

                                                                                          • memory/2284-176-0x0000000001F30000-0x0000000001F32000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/2340-180-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                            Filesize

                                                                                            80KB

                                                                                            Download

                                                                                          • memory/2376-190-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2388-189-0x0000000000B20000-0x0000000000B22000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/2444-192-0x000007FEF1B30000-0x000007FEF2BC6000-memory.dmp

                                                                                            Filesize

                                                                                            16.6MB

                                                                                            Download

                                                                                          • memory/2444-210-0x0000000000636000-0x0000000000655000-memory.dmp

                                                                                            Filesize

                                                                                            124KB

                                                                                            Download

                                                                                          • memory/2444-191-0x0000000000630000-0x0000000000632000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/2544-245-0x0000000000400000-0x0000000000414000-memory.dmp

                                                                                            Filesize

                                                                                            80KB

                                                                                            Download

                                                                                          • memory/2560-200-0x0000000065EC0000-0x0000000067271000-memory.dmp

                                                                                            Filesize

                                                                                            19.7MB

                                                                                            Download

                                                                                          • memory/2560-212-0x00000000007B2000-0x00000000007B3000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2560-213-0x00000000007B7000-0x00000000007C8000-memory.dmp

                                                                                            Filesize

                                                                                            68KB

                                                                                            Download

                                                                                          • memory/2560-207-0x00000000007B1000-0x00000000007B2000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2560-195-0x00000000007B0000-0x00000000007B1000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2560-198-0x0000000000F80000-0x0000000000FD1000-memory.dmp

                                                                                            Filesize

                                                                                            324KB

                                                                                            Download

                                                                                          • memory/2560-201-0x000000006AB00000-0x000000006AD71000-memory.dmp

                                                                                            Filesize

                                                                                            2.4MB

                                                                                            Download

                                                                                          • memory/2560-202-0x0000000000F81000-0x0000000000FC3000-memory.dmp

                                                                                            Filesize

                                                                                            264KB

                                                                                            Download

                                                                                          • memory/2604-262-0x0000000001EB0000-0x0000000001EB1000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-257-0x0000000000820000-0x0000000000821000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-265-0x0000000003730000-0x0000000003731000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-263-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-266-0x0000000003740000-0x0000000003741000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-267-0x0000000003800000-0x0000000003801000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-279-0x0000000003970000-0x00000000045BA000-memory.dmp

                                                                                            Filesize

                                                                                            12.3MB

                                                                                            Download

                                                                                          • memory/2604-271-0x0000000003970000-0x00000000045BA000-memory.dmp

                                                                                            Filesize

                                                                                            12.3MB

                                                                                            Download

                                                                                          • memory/2604-268-0x0000000003810000-0x0000000003811000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-264-0x0000000003710000-0x0000000003711000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-269-0x0000000003820000-0x0000000003821000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2604-250-0x0000000003450000-0x000000000348C000-memory.dmp

                                                                                            Filesize

                                                                                            240KB

                                                                                            Download

                                                                                          • memory/2604-270-0x0000000003970000-0x00000000045BA000-memory.dmp

                                                                                            Filesize

                                                                                            12.3MB

                                                                                            Download

                                                                                          • memory/2604-272-0x0000000003970000-0x00000000045BA000-memory.dmp

                                                                                            Filesize

                                                                                            12.3MB

                                                                                            Download

                                                                                          • memory/2604-255-0x0000000000240000-0x0000000000241000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/2800-208-0x0000000002770000-0x0000000002876000-memory.dmp

                                                                                            Filesize

                                                                                            1.0MB

                                                                                            Download

                                                                                          • memory/2800-209-0x0000000000270000-0x000000000028B000-memory.dmp

                                                                                            Filesize

                                                                                            108KB

                                                                                            Download

                                                                                          • memory/2800-203-0x0000000000060000-0x00000000000AB000-memory.dmp

                                                                                            Filesize

                                                                                            300KB

                                                                                            Download

                                                                                          • memory/2800-204-0x00000000004F0000-0x0000000000561000-memory.dmp

                                                                                            Filesize

                                                                                            452KB

                                                                                            Download

                                                                                          • memory/3024-221-0x00000000002F0000-0x0000000000302000-memory.dmp

                                                                                            Filesize

                                                                                            72KB

                                                                                            Download

                                                                                          • memory/3024-220-0x00000000002C0000-0x00000000002D0000-memory.dmp

                                                                                            Filesize

                                                                                            64KB

                                                                                            Download

                                                                                          • memory/3128-260-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/3128-259-0x0000000001FB0000-0x0000000001FB1000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/3128-261-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/3128-256-0x0000000001D80000-0x0000000001DBC000-memory.dmp

                                                                                            Filesize

                                                                                            240KB

                                                                                            Download

                                                                                          • memory/3128-258-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

                                                                                            Filesize

                                                                                            4KB

                                                                                            Download

                                                                                          • memory/3488-280-0x000007FEFBB51000-0x000007FEFBB53000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/3696-286-0x0000000000800000-0x0000000000802000-memory.dmp

                                                                                            Filesize

                                                                                            8KB

                                                                                            Download

                                                                                          • memory/3716-309-0x0000000000400000-0x000000000040C000-memory.dmp

                                                                                            Filesize

                                                                                            48KB

                                                                                            Download