Malware Analysis Report

2024-10-19 02:31

Sample ID 220330-rxe8gscgh3
Target 2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7
SHA256 2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7
Tags
plugx trojan
score
10/10

Analysis Overview

score
10/10

SHA256

2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7

Threat Level: Known bad

The file 2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7 was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX Rat Payload

PlugX

Executes dropped EXE

Deletes itself

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-03-30 14:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-03-30 14:34

Reported

2022-03-30 14:44

Platform

win7-20220310-en

Max time kernel

4294661s

Max time network

366s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe"

Signatures

PlugX

trojan plugx

PlugX Rat Payload

Description Indicator Process Target Count
N/A N/A N/A N/A 5

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\NVIDIASmart\SxS.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35004600430034004100320041003800380033003300430037004300310038000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\ProgramData\NVIDIASmart\SxS.exe N/A 1
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A 11
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A 52

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\NVIDIASmart\SxS.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\NVIDIASmart\SxS.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 792 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe C:\Windows\SysWOW64\svchost.exe 9
PID 2008 wrote to memory of 980 N/A C:\ProgramData\NVIDIASmart\SxS.exe C:\Windows\SysWOW64\svchost.exe 9
PID 980 wrote to memory of 860 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe 12

Processes

C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe

"C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 100 792

C:\ProgramData\NVIDIASmart\SxS.exe

"C:\ProgramData\NVIDIASmart\SxS.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 980

Network

Country Destination Domain Proto Count
N/A 127.0.0.1:12345 N/A tcp 55

Files

memory/792-54-0x00000000000E0000-0x00000000000FA000-memory.dmp

memory/792-55-0x00000000758A1000-0x00000000758A3000-memory.dmp

memory/1964-56-0x00000000000C0000-0x00000000000C1000-memory.dmp

memory/1964-59-0x00000000000E0000-0x00000000000F9000-memory.dmp

memory/1964-62-0x0000000000000000-mapping.dmp

memory/792-64-0x00000000002C0000-0x00000000002E9000-memory.dmp

memory/1964-65-0x0000000000200000-0x0000000000229000-memory.dmp

C:\ProgramData\NVIDIASmart\SxS.exe

MD5 ef597052379d2cd098641c3c167bdd73
SHA1 22f037904c15335f912e3a0c34050accc6d82ad9
SHA256 2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7
SHA512 fd02c58016173eb4095a4f8b138ad84d934fd4a9c94bf43baf298ff179558c304b822e5bff68427317fc6b5c62728eef738c1d122394de751d2c84833163d06a

memory/980-75-0x0000000000000000-mapping.dmp

memory/2008-77-0x0000000000150000-0x0000000000179000-memory.dmp

memory/980-78-0x0000000000210000-0x0000000000239000-memory.dmp

memory/860-85-0x0000000000000000-mapping.dmp

memory/860-87-0x0000000000270000-0x0000000000299000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-03-30 14:34

Reported

2022-03-30 14:45

Platform

win10v2004-20220310-en

Max time kernel

603s

Max time network

251s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe"

Signatures

PlugX

trojan plugx

PlugX Rat Payload

Description Indicator Process Target Count
N/A N/A N/A N/A 3

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 33003800370037004600430035004500350033004400330043003800340046000000 C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe N/A 12
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A 52

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 2708 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe C:\Windows\SysWOW64\svchost.exe 8
PID 2708 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe C:\Windows\SysWOW64\msiexec.exe 8

Processes

C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe

"C:\Users\Admin\AppData\Local\Temp\2b3f17b4b7e8e5948ba62005b56c97632dc471eec2800ee1f42dc40d722177d7.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 100 2708

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2708

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 licensing.mp.microsoft.com udp 1
US 20.223.25.224:443 licensing.mp.microsoft.com tcp 4
US 8.8.8.8:53 storesdk.dsx.mp.microsoft.com udp 1
NL 104.80.229.204:443 storesdk.dsx.mp.microsoft.com tcp 1
N/A 127.0.0.1:12345 N/A tcp 50

Files

memory/2708-134-0x0000000000AE0000-0x0000000000AFA000-memory.dmp

memory/2204-135-0x0000000000000000-mapping.dmp

memory/2204-136-0x0000000001160000-0x0000000001189000-memory.dmp

memory/2708-137-0x0000000000B70000-0x0000000000B99000-memory.dmp

memory/2260-138-0x0000000000000000-mapping.dmp

memory/2260-139-0x0000000002CE0000-0x0000000002D09000-memory.dmp