plugx | a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4

Analysis

max time kernel
187s
max time network
193s
platform
windows7_x64
resource
win7-20220414-en
submitted
25-06-2022 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
Size

333KB
MD5

43fae44518dffc888bed58f0948bf012
SHA1

f2e3c025bf548520b2fdc26317b0d1c6b2d52d71
SHA256

a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4
SHA512

8b0d619d8ca955a615e5003471f429cffc8be47d56536d0bb2f8eac0b9a229d5a773ae765ec7bf25f904cdd769d507151b956ff5d00018e36fdcc417309d9eac

Score

10^/10

plugx trojan

Malware Config

Signatures

Detects PlugX Payload 6 IoCs

resource	yara_rule
behavioral1/memory/1552-68-0x00000000007A0000-0x00000000007F1000-memory.dmp	family_plugx
behavioral1/memory/948-74-0x0000000000790000-0x00000000007E1000-memory.dmp	family_plugx
behavioral1/memory/468-79-0x0000000000310000-0x0000000000361000-memory.dmp	family_plugx
behavioral1/memory/468-88-0x0000000000310000-0x0000000000361000-memory.dmp	family_plugx
behavioral1/memory/1800-89-0x0000000001E10000-0x0000000001E61000-memory.dmp	family_plugx
behavioral1/memory/1800-90-0x0000000001E10000-0x0000000001E61000-memory.dmp	family_plugx

PlugX
PlugX is a RAT (Remote Access Trojan) that has been around since 2008.
trojan plugx

Executes dropped EXE 3 IoCs

pid	Process
1552	VCIntegrate.exe
948	VCIntegrate.exe
1560	AOFVPMJXVT.exe

Deletes itself 1 IoCs

pid	Process
468	svchost.exe

Loads dropped DLL 9 IoCs

pid	Process
1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
1552	VCIntegrate.exe
948	VCIntegrate.exe
468	svchost.exe
468	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 61 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 90b1f8d8ca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 7006ceecca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 90381cc5ca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 30aab8cbca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 90b1f8d8ca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 10ff8ddfca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70e47ff3ca88d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\46-32-53-fb-e4-95	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70ba52d2ca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70332fe6ca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70332fe6ca88d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionReason = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70ba52d2ca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 7006ceecca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 106c42faca88d801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecision = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionReason = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecision = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDetectedUrl	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 30aab8cbca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadNetworkName = "Network 2"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 90381cc5ca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 106c42faca88d801	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70cbeebbca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 10ff8ddfca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70cbeebbca88d801	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70e47ff3ca88d801	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	svchost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\CLASSES\FAST	svchost.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003600450030003600420039004500350035003300370042003900300037000000	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
468	svchost.exe
468	svchost.exe
1560	AOFVPMJXVT.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
468	svchost.exe
468	svchost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
468	svchost.exe
468	svchost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
468	svchost.exe
468	svchost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
468	svchost.exe
468	svchost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
468	svchost.exe
468	svchost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
468	svchost.exe
468	svchost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
468	svchost.exe
468	svchost.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe
1800	msiexec.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeDebugPrivilege	1552	VCIntegrate.exe
Token: SeTcbPrivilege	1552	VCIntegrate.exe
Token: SeDebugPrivilege	948	VCIntegrate.exe
Token: SeTcbPrivilege	948	VCIntegrate.exe
Token: SeDebugPrivilege	468	svchost.exe
Token: SeTcbPrivilege	468	svchost.exe
Token: SeTcbPrivilege	1560	AOFVPMJXVT.exe
Token: SeDebugPrivilege	1560	AOFVPMJXVT.exe
Token: SeDebugPrivilege	1800	msiexec.exe
Token: SeTcbPrivilege	1800	msiexec.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1552	1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	27
PID 1968 wrote to memory of 1552	1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	27
PID 1968 wrote to memory of 1552	1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	27
PID 1968 wrote to memory of 1552	1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	27
PID 1968 wrote to memory of 1552	1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	27
PID 1968 wrote to memory of 1552	1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	27
PID 1968 wrote to memory of 1552	1968	a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe	27
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 948 wrote to memory of 468	948	VCIntegrate.exe	29
PID 468 wrote to memory of 1560	468	svchost.exe	30
PID 468 wrote to memory of 1560	468	svchost.exe	30
PID 468 wrote to memory of 1560	468	svchost.exe	30
PID 468 wrote to memory of 1560	468	svchost.exe	30
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31
PID 468 wrote to memory of 1800	468	svchost.exe	31

C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:1552

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe
"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe 201 0
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\TEMP\AOFVPMJXVT.exe
    "C:\Windows\TEMP\AOFVPMJXVT.exe" Intel(R) Capability Licensing Service Interface CPUMonitor
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1560
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\system32\msiexec.exe 209 468
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\NetSeSS.Cfg

Filesize
212KB

MD5
ed3af94dbae43395784af13bb362ef06

SHA1
82616c65c6b3453b7e12ccff8694897977710cfb

SHA256
b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621

SHA512
6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll

Filesize
4KB

MD5
9244fe82fddc1f4ccbda307df165fd71

SHA1
3d270662c1d29b686dc2c72bc947a71a211d7a0c

SHA256
788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

SHA512
7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

Download Submit
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe

Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NetSeSS.Cfg

Filesize
212KB

MD5
ed3af94dbae43395784af13bb362ef06

SHA1
82616c65c6b3453b7e12ccff8694897977710cfb

SHA256
b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621

SHA512
6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll

Filesize
4KB

MD5
9244fe82fddc1f4ccbda307df165fd71

SHA1
3d270662c1d29b686dc2c72bc947a71a211d7a0c

SHA256
788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

SHA512
7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
C:\Windows\Temp\AOFVPMJXVT.exe

Filesize
11KB

MD5
6622918d92a44e67175f7aeb3fcb5a05

SHA1
0b226563fa229783bea7aa27e28f908967c729e6

SHA256
b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

SHA512
65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

Download Submit
\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll

Filesize
4KB

MD5
9244fe82fddc1f4ccbda307df165fd71

SHA1
3d270662c1d29b686dc2c72bc947a71a211d7a0c

SHA256
788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

SHA512
7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll

Filesize
4KB

MD5
9244fe82fddc1f4ccbda307df165fd71

SHA1
3d270662c1d29b686dc2c72bc947a71a211d7a0c

SHA256
788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394

SHA512
7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe

Filesize
41KB

MD5
64787351f8dd15fa642b37d2e3d023c8

SHA1
62406876a635d5c6f5fa9376fc67a5c2e4af9ed2

SHA256
84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0

SHA512
8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492

Download Submit
\Windows\Temp\AOFVPMJXVT.exe

Filesize
11KB

MD5
6622918d92a44e67175f7aeb3fcb5a05

SHA1
0b226563fa229783bea7aa27e28f908967c729e6

SHA256
b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

SHA512
65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

Download Submit
\Windows\Temp\AOFVPMJXVT.exe

Filesize
11KB

MD5
6622918d92a44e67175f7aeb3fcb5a05

SHA1
0b226563fa229783bea7aa27e28f908967c729e6

SHA256
b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c

SHA512
65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe

Download Submit
memory/468-88-0x0000000000310000-0x0000000000361000-memory.dmp

Filesize
324KB

Download
memory/468-75-0x0000000000100000-0x0000000000132000-memory.dmp

Filesize
200KB

Download
memory/468-79-0x0000000000310000-0x0000000000361000-memory.dmp

Filesize
324KB

Download
memory/948-74-0x0000000000790000-0x00000000007E1000-memory.dmp

Filesize
324KB

Download
memory/1552-67-0x0000000000370000-0x00000000003A6000-memory.dmp

Filesize
216KB

Download
memory/1552-68-0x00000000007A0000-0x00000000007F1000-memory.dmp

Filesize
324KB

Download
memory/1800-89-0x0000000001E10000-0x0000000001E61000-memory.dmp

Filesize
324KB

Download
memory/1800-90-0x0000000001E10000-0x0000000001E61000-memory.dmp

Filesize
324KB

Download
memory/1968-54-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download