Analysis Overview
SHA256
a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4
Threat Level: Known bad
The file a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4 was found to be: Known bad.
Malicious Activity Summary
PlugX
Detects PlugX Payload
Executes dropped EXE
Deletes itself
Checks computer location settings
Loads dropped DLL
Drops file in System32 directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-06-25 17:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2022-06-25 17:33
Reported
2022-06-25 17:37
Platform
win7-20220414-en
Max time kernel
187s
Max time network
193s
Command Line
Signatures
Detects PlugX Payload
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\AOFVPMJXVT.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 90b1f8d8ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 7006ceecca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 90381cc5ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 30aab8cbca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 90b1f8d8ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 10ff8ddfca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70e47ff3ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\46-32-53-fb-e4-95 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70ba52d2ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70332fe6ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70332fe6ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70ba52d2ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 7006ceecca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 106c42faca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDetectedUrl | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 30aab8cbca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000006000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadNetworkName = "Network 2" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 90381cc5ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 106c42faca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3CA70D7D-21DA-4C88-83CB-2E6F9A9C7437}\WpadDecisionTime = 70cbeebbca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 10ff8ddfca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70cbeebbca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\46-32-53-fb-e4-95\WpadDecisionTime = 70e47ff3ca88d801 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003600450030003600420039004500350035003300370042003900300037000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\TEMP\AOFVPMJXVT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\TEMP\AOFVPMJXVT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe | "C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe" |
| C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe | "C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe" |
| C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe | "C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe" |
| C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe 201 0 |
| C:\Windows\TEMP\AOFVPMJXVT.exe | "C:\Windows\TEMP\AOFVPMJXVT.exe" Intel(R) Capability Licensing Service Interface CPUMonitor |
| C:\Windows\SysWOW64\msiexec.exe | C:\Windows\system32\msiexec.exe 209 468 |
Network
Files
memory/1968-54-0x0000000075841000-0x0000000075843000-memory.dmp
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
memory/1552-60-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll
| MD5 | 9244fe82fddc1f4ccbda307df165fd71 |
| SHA1 | 3d270662c1d29b686dc2c72bc947a71a211d7a0c |
| SHA256 | 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394 |
| SHA512 | 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4 |
\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll
| MD5 | 9244fe82fddc1f4ccbda307df165fd71 |
| SHA1 | 3d270662c1d29b686dc2c72bc947a71a211d7a0c |
| SHA256 | 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394 |
| SHA512 | 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NetSeSS.Cfg
| MD5 | ed3af94dbae43395784af13bb362ef06 |
| SHA1 | 82616c65c6b3453b7e12ccff8694897977710cfb |
| SHA256 | b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621 |
| SHA512 | 6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
memory/1552-67-0x0000000000370000-0x00000000003A6000-memory.dmp
memory/1552-68-0x00000000007A0000-0x00000000007F1000-memory.dmp
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll
| MD5 | 9244fe82fddc1f4ccbda307df165fd71 |
| SHA1 | 3d270662c1d29b686dc2c72bc947a71a211d7a0c |
| SHA256 | 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394 |
| SHA512 | 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4 |
\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll
| MD5 | 9244fe82fddc1f4ccbda307df165fd71 |
| SHA1 | 3d270662c1d29b686dc2c72bc947a71a211d7a0c |
| SHA256 | 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394 |
| SHA512 | 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4 |
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\NetSeSS.Cfg
| MD5 | ed3af94dbae43395784af13bb362ef06 |
| SHA1 | 82616c65c6b3453b7e12ccff8694897977710cfb |
| SHA256 | b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621 |
| SHA512 | 6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2 |
memory/948-74-0x0000000000790000-0x00000000007E1000-memory.dmp
memory/468-75-0x0000000000100000-0x0000000000132000-memory.dmp
memory/468-77-0x0000000000000000-mapping.dmp
memory/468-79-0x0000000000310000-0x0000000000361000-memory.dmp
\Windows\Temp\AOFVPMJXVT.exe
| MD5 | 6622918d92a44e67175f7aeb3fcb5a05 |
| SHA1 | 0b226563fa229783bea7aa27e28f908967c729e6 |
| SHA256 | b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c |
| SHA512 | 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe |
memory/1560-82-0x0000000000000000-mapping.dmp
C:\Windows\Temp\AOFVPMJXVT.exe
| MD5 | 6622918d92a44e67175f7aeb3fcb5a05 |
| SHA1 | 0b226563fa229783bea7aa27e28f908967c729e6 |
| SHA256 | b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c |
| SHA512 | 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe |
memory/1800-86-0x0000000000000000-mapping.dmp
memory/468-88-0x0000000000310000-0x0000000000361000-memory.dmp
memory/1800-89-0x0000000001E10000-0x0000000001E61000-memory.dmp
memory/1800-90-0x0000000001E10000-0x0000000001E61000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-06-25 17:33
Reported
2022-06-25 17:37
Platform
win10v2004-20220414-en
Max time kernel
158s
Max time network
162s
Command Line
Signatures
Detects PlugX Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe | N/A |
| N/A | N/A | C:\Windows\TEMP\AOFVPMJXVT.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30004300310037003900450031003900300032003800460034003400360042000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\TEMP\AOFVPMJXVT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\TEMP\AOFVPMJXVT.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe
"C:\Users\Admin\AppData\Local\Temp\a6bd31617a4b11bb7e0d6f551d20bb5cb7e3c83202a423d7cba01684c58378d4.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe"
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe
"C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\TEMP\AOFVPMJXVT.exe
"C:\Windows\TEMP\AOFVPMJXVT.exe" Intel(R) Capability Licensing Service Interface CPUMonitor
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 5032
Network
| Country | Destination | Domain | Proto |
| NL | 88.221.144.192:80 | | tcp |
| N/A | 10.127.255.255:53 | | udp |
| US | 8.8.8.8:53 | www.expert-caller.net | udp |
| US | 8.8.8.8:53 | pop3.expert-caller.net | udp |
| US | 8.8.8.8:53 | ns.expert-caller.net | udp |
Files
memory/1668-130-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SHFOLDER.dll
| MD5 | 9244fe82fddc1f4ccbda307df165fd71 |
| SHA1 | 3d270662c1d29b686dc2c72bc947a71a211d7a0c |
| SHA256 | 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394 |
| SHA512 | 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\NetSeSS.Cfg
| MD5 | ed3af94dbae43395784af13bb362ef06 |
| SHA1 | 82616c65c6b3453b7e12ccff8694897977710cfb |
| SHA256 | b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621 |
| SHA512 | 6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2 |
memory/1668-136-0x0000000000570000-0x00000000005A6000-memory.dmp
memory/1668-137-0x0000000000760000-0x00000000007B1000-memory.dmp
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\VCIntegrate.exe
| MD5 | 64787351f8dd15fa642b37d2e3d023c8 |
| SHA1 | 62406876a635d5c6f5fa9376fc67a5c2e4af9ed2 |
| SHA256 | 84cce1726ebd16f31bbf2d8209e76d54c49404686b8b8c5c094650c5b9fb4bf0 |
| SHA512 | 8b8cc79b1f7736fe80cb58b50ab86c3df9c291723e895f7c78411a856e1babc06376b99a143f999331547e93ae71b3e35b39d159da71c59db76e205769e81492 |
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\SHFOLDER.dll
| MD5 | 9244fe82fddc1f4ccbda307df165fd71 |
| SHA1 | 3d270662c1d29b686dc2c72bc947a71a211d7a0c |
| SHA256 | 788958888d62e093a2f5b2dd5b5f629319e0ea38ccc9e32c9d81dfaf62844394 |
| SHA512 | 7e996c75c267599873dd14414f7a720304b8813ca58365d41a7143626a0739946f2a2427dd0a9dfae5caaacc4fd8cb046c0cde67e0e9bbf02e5e861771266cb4 |
C:\ProgramData\Intel(R) Capability Licensing Service Interface CPUMonitor\NetSeSS.Cfg
| MD5 | ed3af94dbae43395784af13bb362ef06 |
| SHA1 | 82616c65c6b3453b7e12ccff8694897977710cfb |
| SHA256 | b8d5f0a17e1440367caf8a52c17c10626f533c10580ce5e000129aa7a1b4f621 |
| SHA512 | 6e73620ed03a57f90cbaf6ba797e9ba6a786843c9b46f61d33c07e7b9c05fae3076a6670cf33486676d200a073bbc90735e4790c5cddf3a2e2e96b4e2e8f59d2 |
memory/5032-143-0x0000000000000000-mapping.dmp
memory/724-144-0x0000000000C00000-0x0000000000C51000-memory.dmp
memory/4752-145-0x0000000000000000-mapping.dmp
C:\Windows\Temp\AOFVPMJXVT.exe
| MD5 | 6622918d92a44e67175f7aeb3fcb5a05 |
| SHA1 | 0b226563fa229783bea7aa27e28f908967c729e6 |
| SHA256 | b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c |
| SHA512 | 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe |
C:\Windows\TEMP\AOFVPMJXVT.exe
| MD5 | 6622918d92a44e67175f7aeb3fcb5a05 |
| SHA1 | 0b226563fa229783bea7aa27e28f908967c729e6 |
| SHA256 | b0e1832ff379dfbfeac0aa26ba49188019d2aa7a5ead67256ef7f10ed8a6c62c |
| SHA512 | 65ff16d6d4eb4308f5950dec33b7598c10da54e4ae124107f19159675cc2cc445da8b70a5cb5f509b7c988358f1973b77b3be361d712a3cd44bda6e3697008fe |
memory/5032-148-0x0000000000C00000-0x0000000000C51000-memory.dmp
memory/100-149-0x0000000000000000-mapping.dmp
memory/100-150-0x0000000002F10000-0x0000000002F61000-memory.dmp
memory/5032-151-0x0000000000C00000-0x0000000000C51000-memory.dmp
memory/100-152-0x0000000002F10000-0x0000000002F61000-memory.dmp