Malware Analysis Report

2024-07-11 07:38

Sample ID 240207-zrnaxabce4
Target NvSmartMax.rar
SHA256 e49e2826c4d9fae960ca6baecd6754400e5da74446c5b511beb15831b42f2b1d
Tags plugx trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

e49e2826c4d9fae960ca6baecd6754400e5da74446c5b511beb15831b42f2b1d

Threat Level: Known bad

The file NvSmartMax.rar was found to be: Known bad.

Malicious Activity Summary

plugx trojan

Detects PlugX payload

PlugX

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Modifies data under HKEY_USERS

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-02-07 20:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-07 20:57

Reported

2024-02-07 21:02

Platform

win7-20231215-en

Max time kernel

300s

Max time network

301s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229} C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDecisionTime = 50c3f4cc085ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\be-23-f0-4f-e6-3d C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadDecisionTime = 50c3f4cc085ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDetectedUrl C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f002d000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{F9CFB05F-5D2C-4498-8341-80F1C9A9D229}\WpadDecisionTime = f0deeb65085ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-23-f0-4f-e6-3d\WpadDecisionTime = f0deeb65085ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003700350035003200370035004200340030003300300041003200300031000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2772 wrote to memory of 2800 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 2160 wrote to memory of 300 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Nv.exe
PID 1332 wrote to memory of 1400 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 1400 wrote to memory of 432 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar"

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap19207:100:7zEvent6980

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\AppData\Local\Temp\Nv.exe

nv

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 100 300

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 200 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 1400

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 N/A udp
US 8.8.8.8:53 exchange.from-sc.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Nv.exe

MD5 09b8b54f78a10c435cd319070aa13c28
SHA1 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512 c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

C:\Users\Admin\AppData\Local\Temp\NvSmartMax.dll

MD5 0b21678ed8e2b117344cfceba8f097dd
SHA1 db53bb022cb6de016713f1570f2ae501f20f9c76
SHA256 eaaa7899b37a3b04dcd02ad6d51e83e035be535f129773621ef0f399a2a98ee3
SHA512 182268649b360f44f021570ddc9290f5051a8be556ffd66355bc325027ba48c5fe824e1bea925411bdaef4c17e0f3d81a1d3c710b59c4462540d567da625a41a

C:\Users\Admin\AppData\Local\Temp\Nv.mp3

MD5 5ef7c3bcbc11cd02c95e509b226eebe9
SHA1 794a90212d226628c8ce4441c3418c1ecca0e3b8
SHA256 3d64e638f961b922398e2efaf75504da007e41ea979f213f8eb4f83e00efeebb
SHA512 c86f464f736125d8fb499efe2555cae1aea5d67fbf15be816883e058ad9107eb399d3ade6c5afe811a2eb59ebdc1d52c992124359fa26085a650eb940fe2eae4

C:\ProgramData\SxS\Nv.exe

MD5 567454f23114827bb6394cb2a39b7558
SHA1 348df1cf1896359afb60e377844e42e6b6cecbd5
SHA256 12cc8beee16c16ab409971054335a73bec15e94210e5d388660ab6b1a69faeb1
SHA512 132faf68816aef41c369b1b20de453e7a83522eeab3d03b3608b972ec1393403e67195c72d1a65ac9d8e4037d535cafe75db4bce77ec7b9525eee73101e60b82

C:\ProgramData\SxS\NvSmartMax.dll

MD5 364aedd62318de58603f5cbe59be1f2b
SHA1 929fd4750f7c9bc235477464c164a9034b5b0332
SHA256 fa9a0fec3ed1c6a008ed862ca53559039183e4288b0e8bd2ceebef430d850d1a
SHA512 261e85eb361e53d51996dcba71a7e761bc875ddaaf71f31a18d2ddb3d7c07af9f337584b7b7440e8f2368b5aa33ee9035540cae7ea3e52c4ee71bc6e4f854b3c

C:\ProgramData\SxS\Nv.mp3

MD5 56e2d0804ef02eb06b67198316438ede
SHA1 44801d650f56beab5eaa1ba5527d8799adb4e727
SHA256 8728bd42eed8b4c4b558992531d0c44697d47c7bfcf60c2aa1e54eb1743b535d
SHA512 32c33413a93d5d0261b50be454fbf2d74f3b4d63b5585b50523fb4826aea454c23659d6d0c109aee5620d59771861b83e8ce910ed07abc3e693779e3db2783b3

C:\ProgramData\SxS\Nv.mp3

MD5 8181e25b82b809075936cd5871307499
SHA1 d442f3e6367593cdb4d1b04857a3e2347860570e
SHA256 aca64c47b8d224d84e1a30ed841fb67540629d6955710d19d466f6f778440101
SHA512 70b8575ad3da85c8e180f91a8f62858ed48f8ef2c52e520172e43c43b514a6e73c86c7dcde47a8c09bc33355ea2dd33753bf621ce3f8dc908699d9b6d75eaa2f

\ProgramData\SxS\NvSmartMax.dll

MD5 efbc7e63b808809fb97023ff97d43e93
SHA1 121f600b8e378d7c5f4f1b761b81f5b210c97f58
SHA256 d6c84f55958192cd12715bb52b8ca130c2df4f93ea3c8adfcc929263ce29902e
SHA512 7a36aa0cbb546e7b3425c109e241b4e8645d51175bb7d3525bd408d967d860455cc376e757c2ef00d4a99a3ba76c73727b6397876b88d267a04d27a82bf7d990

C:\ProgramData\SxS\bug.log

MD5 5a9f634c4d5f649b9b8ab461c26af052
SHA1 b4a10800ea5198e0d9dd7e3136ab06d96eab43bb
SHA256 8484070442fbfcac840caeba03b383b4e82fa5bf7aba6e85728ff65043e3e933
SHA512 4721f5d1f76d159d3d6537da7e75872ba5665094b14ffa313139c74eb6068b9e0170e0ae531938360be00a26ba0893cacbf285bfc5bff028b4e7ec17521e933c

C:\ProgramData\SxS\bug.log

MD5 517274021f580090e3b05ffcf8049ffe
SHA1 013bafab4586b02209594039e633c08139b2c517
SHA256 0669976ab7464092d492ec079fb18c2c3c2b390cd1a5cdd581000255287095c5
SHA512 8f4b4eaf1c25c0046d249d4009bfd00d752a7673f863f77cbc5030b157da4d3099d9a04474f729aa4542749379c96eab1512a6afa0f90880f180268effca9745

C:\ProgramData\SxS\Nv.exe

MD5 6fb42249972ff72e4394978cada4b151
SHA1 a1fdd01e6ba9f6a003ff1e9db35e1ab2975a67ec
SHA256 aaf8f9a8be670616731a5f5b41ad3e9d20e601c9dd46d1acb3908483d2cce7c3
SHA512 ce47cf4b800ab0db9c6785716611c58ded64e421f3290dc44b8a615f2d35738e6a728981c5844eea735a7edf1b6e519a1fd50c44679f8048d6b4384c1af51e41

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-07 20:57

Reported

2024-02-07 21:02

Platform

win10-20231215-en

Max time kernel

300s

Max time network

303s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38004200330045003200350031003200440037003200410033004300340038000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5092 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 5092 wrote to memory of 3824 N/A C:\Windows\system32\cmd.exe C:\Program Files\7-Zip\7zFM.exe
PID 4928 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Nv.exe
PID 4928 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Nv.exe
PID 4928 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\Nv.exe
PID 3564 wrote to memory of 4960 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 3564 wrote to memory of 4960 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 3564 wrote to memory of 4960 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 3564 wrote to memory of 4960 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 3564 wrote to memory of 4960 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 3564 wrote to memory of 4960 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 3564 wrote to memory of 4960 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 3564 wrote to memory of 4960 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 4960 wrote to memory of 4976 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 4960 wrote to memory of 4976 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 4960 wrote to memory of 4976 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 4960 wrote to memory of 4976 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 4960 wrote to memory of 4976 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 4960 wrote to memory of 4976 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 4960 wrote to memory of 4976 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 4960 wrote to memory of 4976 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\NvSmartMax.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap22787:100:7zEvent812

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Users\Admin\AppData\Local\Temp\Nv.exe

nv

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 100 4516

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 4960

Network

Country Destination Domain Proto
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 10.127.255.255:53 N/A udp
US 8.8.8.8:53 exchange.from-sc.com udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp
US 8.8.8.8:53 143.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 exchange.from-sc.com udp
US 8.8.8.8:53 exchange.from-sc.com udp

Files

C:\Users\Admin\AppData\Local\Temp\Nv.exe

MD5 09b8b54f78a10c435cd319070aa13c28
SHA1 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512 c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

\Users\Admin\AppData\Local\Temp\NvSmartMax.dll

MD5 0b21678ed8e2b117344cfceba8f097dd
SHA1 db53bb022cb6de016713f1570f2ae501f20f9c76
SHA256 eaaa7899b37a3b04dcd02ad6d51e83e035be535f129773621ef0f399a2a98ee3
SHA512 182268649b360f44f021570ddc9290f5051a8be556ffd66355bc325027ba48c5fe824e1bea925411bdaef4c17e0f3d81a1d3c710b59c4462540d567da625a41a

C:\Users\Admin\AppData\Local\Temp\Nv.mp3

MD5 5ef7c3bcbc11cd02c95e509b226eebe9
SHA1 794a90212d226628c8ce4441c3418c1ecca0e3b8
SHA256 3d64e638f961b922398e2efaf75504da007e41ea979f213f8eb4f83e00efeebb
SHA512 c86f464f736125d8fb499efe2555cae1aea5d67fbf15be816883e058ad9107eb399d3ade6c5afe811a2eb59ebdc1d52c992124359fa26085a650eb940fe2eae4

memory/4516-12-0x0000000002000000-0x0000000002100000-memory.dmp

memory/4516-13-0x0000000002150000-0x0000000002180000-memory.dmp

memory/4516-28-0x0000000002150000-0x0000000002180000-memory.dmp

memory/5084-36-0x00000000005B0000-0x00000000005E0000-memory.dmp

memory/3564-41-0x0000000000E40000-0x0000000000E70000-memory.dmp

memory/3564-46-0x0000000000E40000-0x0000000000E70000-memory.dmp

memory/4960-61-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-67-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-68-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-72-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-70-0x0000000000850000-0x0000000000880000-memory.dmp

C:\ProgramData\SxS\bug.log

MD5 4cf794ec5abcb3e69e4a338a0d3d1ebb
SHA1 6f52c69df3405b6c9e9e8fe9e4efa5b194880a64
SHA256 249f9f61f14f594a2dac007e190d61906fa1c7b397819e368729aae53a6aaa3e
SHA512 3b0ff750819e33509687f9eec3f1693f8c2fd9473bb8396181e74c45aa79656371b2dc828cedb2ff2b1c8b8bc5d00d0610fe9969f35060f88d27ebb443cd9f4c

memory/4960-74-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-63-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-62-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-60-0x00000000000B0000-0x00000000000B1000-memory.dmp

C:\ProgramData\SxS\bug.log

MD5 1b0a71ad841631d5ee160f1d786c03a8
SHA1 94a8c754f5fc57c5ecdd7c1213dbcccb8d00bc84
SHA256 14983e7d3bb47bc69525630eb9b88a05de1566a5088d8f901427394eac64579c
SHA512 41c02f2d60536f5145fded609ea977925f9cea1a55d6469e3d22c31a5ef93fcd4dc18a8edd1a3dccb84f02f23a868038058e8462fc49b353f2ea96a1d9ed9278

memory/4960-45-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-44-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-43-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4960-42-0x00000000001A0000-0x00000000001A1000-memory.dmp

memory/5084-35-0x00000000005B0000-0x00000000005E0000-memory.dmp

memory/5084-75-0x00000000005B0000-0x00000000005E0000-memory.dmp

memory/4976-79-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/4976-78-0x00000000032A0000-0x00000000032D0000-memory.dmp

memory/4976-82-0x00000000032A0000-0x00000000032D0000-memory.dmp

memory/4976-80-0x00000000032A0000-0x00000000032D0000-memory.dmp

memory/4960-83-0x0000000000850000-0x0000000000880000-memory.dmp

memory/4976-84-0x00000000032A0000-0x00000000032D0000-memory.dmp