Malware Analysis Report

2024-07-11 07:37

Sample ID: 231201-w549ssfa3t
Target: 66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll
SHA256: 66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967
Tags: plugx trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK Matrix
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967

Threat Level: Known bad

The file 66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix

N/A

Analysis: static1

Detonation Overview

Reported: 2023-12-01 18:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-12-01 18:31
Reported: 2023-12-01 18:33
Platform: win7-20231020-en
Max time kernel: 150s
Max time network: 154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1

Signatures

Detects PlugX payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 21 (identical rows; the report records no details for this signature)

PlugX

trojan plugx

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\46E0.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A
N/A | N/A | C:\ProgramData\WS\Gadget.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = e087f1da8424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 800256b68424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 0027ffe08424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F} | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 800256b68424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 403e21a48424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = e087f1da8424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 609434ed8424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = c0b937b08424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 201d7ac88424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 609434ed8424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = e0ea91c88424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 0027ffe08424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDetectedUrl | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = c0b937b08424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 40c55ab68424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 40c55ab68424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadNetworkName = "Network 2" | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-33-a4-cd-e4-b7\WpadDecisionTime = 403e21a48424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = 201d7ac88424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\WpadDecisionTime = e0ea91c88424da01 | C:\Windows\SysWOW64\svchost.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2C0E9327-F166-4851-AA2F-E12A7774E63F}\02-33-a4-cd-e4-b7 | C:\Windows\SysWOW64\svchost.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004600310046003700440042003300370036003200420032004600300042000000 | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A | 14
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A | 50
(64 rows in total, interleaved between the two processes; no further details recorded)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\WS\Gadget.exe | N/A
Token: SeTcbPrivilege | N/A | C:\ProgramData\WS\Gadget.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2156 wrote to memory of 2268 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 7
PID 2268 wrote to memory of 3016 | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Users\Admin\AppData\Local\Temp\46E0.tmp | 4
PID 3016 wrote to memory of 2688 | N/A | C:\Users\Admin\AppData\Local\Temp\46E0.tmp | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | 4
PID 2304 wrote to memory of 2924 | N/A | C:\ProgramData\WS\Gadget.exe | C:\Windows\SysWOW64\svchost.exe | 9
PID 2924 wrote to memory of 2512 | N/A | C:\Windows\SysWOW64\svchost.exe | C:\Windows\SysWOW64\msiexec.exe | 12
(36 rows in total; consecutive identical rows collapsed with their counts)

Processes

Process | Command line
C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1
C:\Windows\SysWOW64\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1
C:\Users\Admin\AppData\Local\Temp\46E0.tmp | C:\Users\Admin\AppData\Local\Temp\46E0.tmp
C:\Users\Admin\AppData\Local\Temp\Gadget.exe | C:\Users\Admin\AppData\Local\Temp\\Gadget.exe
C:\ProgramData\WS\Gadget.exe | C:\ProgramData\WS\Gadget.exe
C:\Windows\SysWOW64\svchost.exe | C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe | C:\Windows\system32\msiexec.exe 209 2924

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | fast.bacguarp.com | udp | 16
N/A | 10.127.255.255:53 | N/A | udp | 1
US | 8.8.8.8:53 | fast2.bacguarp.com | udp | 14
(31 queries in total; the lookups of fast.bacguarp.com and fast2.bacguarp.com alternate in pairs throughout the capture)

Files

\Users\Admin\AppData\Local\Temp\46E0.tmp

MD5 c116cd083284cc599c024c3479ca9b70
SHA1 bf831962162a0446454e3e32d764cc0e5daafde0
SHA256 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512 d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

\Users\Admin\AppData\Local\Temp\46E0.tmp

MD5 c116cd083284cc599c024c3479ca9b70
SHA1 bf831962162a0446454e3e32d764cc0e5daafde0
SHA256 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512 d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

C:\Users\Admin\AppData\Local\Temp\46E0.tmp

MD5 c116cd083284cc599c024c3479ca9b70
SHA1 bf831962162a0446454e3e32d764cc0e5daafde0
SHA256 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512 d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

C:\Users\Admin\AppData\Local\Temp\46E0.tmp

MD5 c116cd083284cc599c024c3479ca9b70
SHA1 bf831962162a0446454e3e32d764cc0e5daafde0
SHA256 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512 d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

\Users\Admin\AppData\Local\Temp\Gadget.exe

MD5 6b97b3cd2fcfb4b74985143230441463
SHA1 8985c2394ed9a58c36f907962b0724fe66c204a6
SHA256 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

C:\Users\Admin\AppData\Local\Temp\Gadget.exe

MD5 6b97b3cd2fcfb4b74985143230441463
SHA1 8985c2394ed9a58c36f907962b0724fe66c204a6
SHA256 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

C:\Users\Admin\AppData\Local\Temp\SideBar.dll

MD5 901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA1 8bb71adf1c418061510c40240852c3cd61fb214c
SHA256 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA512 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

memory/2688-17-0x0000000000400000-0x0000000000405000-memory.dmp

\Users\Admin\AppData\Local\Temp\Sidebar.dll

MD5 901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA1 8bb71adf1c418061510c40240852c3cd61fb214c
SHA256 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA512 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc

MD5 97c11e7d6b1926cd4be13804b36239ac
SHA1 b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256 a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA512 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

memory/2688-19-0x0000000000660000-0x0000000000760000-memory.dmp

memory/2688-20-0x0000000000290000-0x00000000002C0000-memory.dmp

C:\ProgramData\WS\Gadget.exe

MD5 6b97b3cd2fcfb4b74985143230441463
SHA1 8985c2394ed9a58c36f907962b0724fe66c204a6
SHA256 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

C:\Users\Admin\AppData\Local\Temp\Gadget.exe

MD5 6b97b3cd2fcfb4b74985143230441463
SHA1 8985c2394ed9a58c36f907962b0724fe66c204a6
SHA256 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

C:\ProgramData\WS\SideBar.dll.doc

MD5 97c11e7d6b1926cd4be13804b36239ac
SHA1 b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256 a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA512 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

C:\ProgramData\WS\SideBar.dll

MD5 901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA1 8bb71adf1c418061510c40240852c3cd61fb214c
SHA256 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA512 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

C:\ProgramData\WS\Gadget.exe

MD5 6b97b3cd2fcfb4b74985143230441463
SHA1 8985c2394ed9a58c36f907962b0724fe66c204a6
SHA256 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

C:\ProgramData\WS\SideBar.dll

MD5 901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA1 8bb71adf1c418061510c40240852c3cd61fb214c
SHA256 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA512 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

\ProgramData\WS\SideBar.dll

MD5 901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA1 8bb71adf1c418061510c40240852c3cd61fb214c
SHA256 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA512 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

memory/2304-38-0x0000000000400000-0x0000000000405000-memory.dmp

C:\ProgramData\WS\SideBar.dll.doc

MD5 97c11e7d6b1926cd4be13804b36239ac
SHA1 b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256 a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA512 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

memory/2304-41-0x0000000000540000-0x0000000000570000-memory.dmp

memory/2924-42-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2924-44-0x00000000000A0000-0x00000000000BD000-memory.dmp

memory/2924-45-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/2924-47-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2304-48-0x0000000000540000-0x0000000000570000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\46E0.tmp

MD5 c116cd083284cc599c024c3479ca9b70
SHA1 bf831962162a0446454e3e32d764cc0e5daafde0
SHA256 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512 d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

memory/2924-46-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2924-50-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2688-51-0x0000000000290000-0x00000000002C0000-memory.dmp

memory/2924-52-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2924-62-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2924-63-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2924-64-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2924-65-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2924-67-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2924-68-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2924-71-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2924-72-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2512-81-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/2512-83-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2512-82-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2512-86-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/2512-85-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/2512-84-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/2924-87-0x0000000000210000-0x0000000000240000-memory.dmp

memory/2512-91-0x0000000000380000-0x00000000003B0000-memory.dmp

memory/2924-94-0x0000000000210000-0x0000000000240000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-12-01 18:31
Reported: 2023-12-01 18:33
Platform: win10v2004-20231127-en
Max time kernel: 150s
Max time network: 150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1

Signatures

Detects PlugX payload

Description | Indicator | Process | Target | Count
N/A | N/A | N/A | N/A | 19 (identical rows; the report records no details for this signature)

PlugX

trojan plugx

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8925.tmp | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A
N/A | N/A | C:\ProgramData\WS\Gadget.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A
N/A | N/A | C:\ProgramData\WS\Gadget.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 35003700450036004600350031003400430031004600300041004200360038000000 | C:\Windows\SysWOW64\svchost.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A | 14
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A | 50
(64 rows in total, interleaved between the two processes; no further details recorded)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Gadget.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\WS\Gadget.exe | N/A
Token: SeTcbPrivilege | N/A | C:\ProgramData\WS\Gadget.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2196 wrote to memory of 400 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 400 wrote to memory of 4880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8925.tmp
PID 400 wrote to memory of 4880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8925.tmp
PID 400 wrote to memory of 4880 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8925.tmp
PID 4880 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\8925.tmp C:\Users\Admin\AppData\Local\Temp\Gadget.exe
PID 4880 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\8925.tmp C:\Users\Admin\AppData\Local\Temp\Gadget.exe
PID 4880 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\8925.tmp C:\Users\Admin\AppData\Local\Temp\Gadget.exe
PID 116 wrote to memory of 3720 N/A C:\ProgramData\WS\Gadget.exe C:\Windows\SysWOW64\svchost.exe
PID 3720 wrote to memory of 5040 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\66bca3f92841b7bffae4d27c3ddb5adbf8084ad40ee0edda1edc1d25f5e1b967.dll,#1

C:\Users\Admin\AppData\Local\Temp\8925.tmp

C:\Users\Admin\AppData\Local\Temp\8925.tmp

C:\Users\Admin\AppData\Local\Temp\Gadget.exe

C:\Users\Admin\AppData\Local\Temp\\Gadget.exe

C:\ProgramData\WS\Gadget.exe

C:\ProgramData\WS\Gadget.exe

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 3720

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 152.78.101.95.in-addr.arpa udp
N/A 255.255.255.255:53 fast.bacguarp.com udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 fast.bacguarp.com udp
N/A 255.255.255.255:53 fast2.bacguarp.com udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 fast2.bacguarp.com udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\8925.tmp

MD5 c116cd083284cc599c024c3479ca9b70
SHA1 bf831962162a0446454e3e32d764cc0e5daafde0
SHA256 90a5c1c5dc2278063478fbc8f2ac072ccf0489d7b3f81a6ed35b7d712b4b7b84
SHA512 d89ac7d971e46ee67f6857a71d3712205d28170320386a83d9cdbda97d270626cf2a0e91e0b866d368c65eb3e47766c20c07a2baeb51feb3fe7b8d98d848e560

memory/3112-12-0x0000000000400000-0x0000000000405000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Sidebar.dll

MD5 901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA1 8bb71adf1c418061510c40240852c3cd61fb214c
SHA256 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA512 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

C:\Users\Admin\AppData\Local\Temp\SideBar.dll

MD5 901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA1 8bb71adf1c418061510c40240852c3cd61fb214c
SHA256 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA512 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

C:\Users\Admin\AppData\Local\Temp\Gadget.exe

MD5 6b97b3cd2fcfb4b74985143230441463
SHA1 8985c2394ed9a58c36f907962b0724fe66c204a6
SHA256 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

C:\Users\Admin\AppData\Local\Temp\SideBar.dll.doc

MD5 97c11e7d6b1926cd4be13804b36239ac
SHA1 b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256 a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA512 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

memory/3112-14-0x00000000007C0000-0x00000000008C0000-memory.dmp

memory/3112-15-0x00000000005B0000-0x00000000005E0000-memory.dmp

C:\ProgramData\WS\SideBar.dll.doc

MD5 97c11e7d6b1926cd4be13804b36239ac
SHA1 b388b86a782ae14fee2a31bc7626a816c3eabc5a
SHA256 a13161d957ef1bf6362cbc488a82ffca8f6f52f48143f1110616b9c540e5997a
SHA512 8ee3c39651b8d5790750436d04178e0d124c6573f1f773265349683635047a8f1adc34195f1a58001e96c57da3d3504a86026d3165a832117f10e9ebb233a121

C:\ProgramData\WS\Gadget.exe

MD5 6b97b3cd2fcfb4b74985143230441463
SHA1 8985c2394ed9a58c36f907962b0724fe66c204a6
SHA256 5c859ca16583d660449fb044677c128a9cdedd603d9598d4670235c52e359bf9
SHA512 736631b2ca37426c3915f496d5c3abdac23ffa91bd90fd8b215be2ad8735403ff9d58d1effe6791fa34a72141a5218f19808c0c4ece4100a525adbdeea4c1715

C:\ProgramData\WS\SideBar.dll

MD5 901fa02ffd43de5b2d7c8c6b8c2f6a43
SHA1 8bb71adf1c418061510c40240852c3cd61fb214c
SHA256 3144079c68ba00cebfd05239a2f5bd406096ec02e13e8571ca24313df7a5b679
SHA512 6500b1a0e1a5995226bfcdaf1a33867bd9ccd5b84552db73f46dc1ee44461dbb29de6d16e8bf0da0c56d15ea60a4f44f105d005de139924ecb46d274cce90bab

memory/116-33-0x0000000000400000-0x0000000000405000-memory.dmp

memory/116-36-0x00000000007B0000-0x00000000007E0000-memory.dmp

memory/3720-37-0x0000000000380000-0x0000000000381000-memory.dmp

memory/3720-39-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/116-40-0x00000000007B0000-0x00000000007E0000-memory.dmp

memory/3112-41-0x00000000005B0000-0x00000000005E0000-memory.dmp

memory/3720-42-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/3720-52-0x0000000000380000-0x0000000000381000-memory.dmp

memory/3720-53-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/3720-54-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/3720-55-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/3720-57-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/3720-58-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/3720-60-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/5040-61-0x0000000002BD0000-0x0000000002C00000-memory.dmp

memory/5040-63-0x0000000001300000-0x0000000001301000-memory.dmp

memory/5040-62-0x0000000001030000-0x0000000001031000-memory.dmp

memory/5040-66-0x0000000002BD0000-0x0000000002C00000-memory.dmp

memory/5040-65-0x0000000002BD0000-0x0000000002C00000-memory.dmp

memory/3720-67-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/3720-68-0x0000000000C30000-0x0000000000C60000-memory.dmp

memory/5040-69-0x0000000002BD0000-0x0000000002C00000-memory.dmp

memory/3720-76-0x0000000000C30000-0x0000000000C60000-memory.dmp