Analysis Overview
SHA256
3244606c4d740afa7a0c8f5e89a99c9ed8940103213451e23c1d9af3c89e3f75
Threat Level: Known bad
The file Injected_LoadExe_Malware.zip was found to be: Known bad.
Malicious Activity Summary
PlugX
Detects PlugX payload
Deletes itself
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Drops file in System32 directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-03-20 15:15
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-20 15:15
Reported
2024-03-20 15:18
Platform
win10-20240221-en
Max time kernel
160s
Max time network
170s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003800460046004400390043003300350043003600300033004300430034000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1232
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
| MD5 | 9166c1276b296bc78fa816cd8448cd32 |
| SHA1 | b5e48ccae94269ca95904fc58440113e9a4cae00 |
| SHA256 | 1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395 |
| SHA512 | 35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll
| MD5 | 53c8cecfec9def827dd79eba8894c073 |
| SHA1 | 4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a |
| SHA256 | 6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388 |
| SHA512 | 2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui
| MD5 | 9b697afa24fa4e8e32c97bfe3f791344 |
| SHA1 | 7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa |
| SHA256 | 1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e |
| SHA512 | d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082 |
memory/5116-13-0x0000000001220000-0x000000000126B000-memory.dmp
memory/5116-14-0x00000000011E0000-0x0000000001219000-memory.dmp
memory/5116-18-0x0000000002670000-0x00000000026C8000-memory.dmp
memory/5116-20-0x0000000002670000-0x00000000026C8000-memory.dmp
C:\log\haha.txt
| MD5 | 8f2be62f5052567463e5c8005142dd3b |
| SHA1 | afd8d2f7cb68d0386444a64795307be85ee85bc4 |
| SHA256 | 32daf8a2fcc2f471e59e56fc656208b56d3818bda4719fc4627dd7e75f1a82fd |
| SHA512 | 92a3e7e92114c9d4a557edc4e5d02ce5cf42e8e5523a56216b2767d6807077a46fd4f8ed994abc83f7ab8ecb27558afb96be324e47a50ca448910cdde4950cbd |
memory/4640-50-0x0000000000EF0000-0x0000000000F48000-memory.dmp
\??\c:\log\haha.txt
| MD5 | c0ad846b51359657cff772197cf39967 |
| SHA1 | 5993729b0c6f678dac013f2927d5ffd0386e094d |
| SHA256 | f5be449e92d65e542d7d77c91b39f511b9b1adde14eed250773ba89075a4799b |
| SHA512 | bd716892b1e114c23a16e2d139ed892463c278f6fac5633b0ad02ccea63328368bfb14241b858239c950d5b70dd813205516b43d83ab5c68e10d439e4fddd737 |
memory/4640-45-0x0000000000B80000-0x0000000000BCB000-memory.dmp
memory/1232-62-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/4640-61-0x0000000000EF0000-0x0000000000F48000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 99d18bf27bee9b499eb7fe5f10ae27fe |
| SHA1 | 475e0a5839cf87a5708d538ed33e46f132783942 |
| SHA256 | ce34b519cc52753e59500b0b53c54bdbb66146d9e85f5127b055563085f39361 |
| SHA512 | 1d444805a01c0fc047306364588ab3d75057e54c4f2c7006d1874a43e6689bbec46b249b2e9c50a4f89808fa346d9ce2740ae86f515157b5f8c6ea41ba8b3954 |
memory/1232-74-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-60-0x0000000003450000-0x00000000034A8000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 029cfb72ffdcacbcf4a6cfe53c348b52 |
| SHA1 | 458b71b5fa06a55c0b41bf5a45e1713d2321096c |
| SHA256 | 199f09bfae0ca09128e9c6ef2527e8345c0ed49c8400cd0e5eaad8f4a2588932 |
| SHA512 | 707a4a87019876978cb402d2a95d1eecda8842aeff9621ed362f20a66017f9dc1d60ba3cde4dd670c77eda81c03de5d26c74ab97d583f12c39f5dc18ec3d56b6 |
memory/5116-79-0x0000000002670000-0x00000000026C8000-memory.dmp
memory/1232-80-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-90-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/1232-91-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-92-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-95-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-102-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-103-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-105-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-108-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/1232-113-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/4856-130-0x0000000004E80000-0x0000000004ED8000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 063da9b7999489a10d25beedc6a278f7 |
| SHA1 | 2eb413ed2705917e2af288a1b38e2a9bfa187d9f |
| SHA256 | 60f4907e1122c756400e77003462299f57ec2f72aaa7ed25115d7ae2110688f8 |
| SHA512 | 1f17c054024f9f16376731d91ae8744b872cd9f08c3df97eb1e7a9ea7298ab0fbde95576a763383dcc068a4937d7db982c3dc440ffabf63e8872cd395fc51443 |
memory/4856-124-0x00000000032D0000-0x00000000032D1000-memory.dmp
memory/4856-135-0x0000000003220000-0x0000000003221000-memory.dmp
memory/4856-136-0x0000000004E80000-0x0000000004ED8000-memory.dmp
memory/4856-137-0x0000000004E80000-0x0000000004ED8000-memory.dmp
\??\c:\log\haha.txt
| MD5 | db2adba81ac47e23fa478dbc7a67e824 |
| SHA1 | a0e8b92b9f54243f74ee9ca92ebc98989bf897f1 |
| SHA256 | 5632c8e0f0b32e74ce4ca78b869a8c3ec762a095bc5986f51bf10b0743e074cf |
| SHA512 | c929abd1310351f6adfb32588dcf85a002e1221cf5ea260ccab7d3bc9af994995d83f8a395f7d509684f7dd3d8b95c01c158efdda2de891e93e00a2268437e71 |
memory/1232-141-0x0000000003450000-0x00000000034A8000-memory.dmp
memory/4856-318-0x0000000004E80000-0x0000000004ED8000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-20 15:15
Reported
2024-03-20 15:18
Platform
win7-20240221-en
Max time kernel
153s
Max time network
159s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 907f4499d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 709b85a7d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000015000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadNetworkName = "Network 2" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecision = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 30487acdd97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 90b2398fd97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 907f4499d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 304df9d0d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 104c4ab0d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 70d30fc7d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000012000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = f0781c95d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d07f62c2d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f0795ddad97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d0e1f8c9d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 30487acdd97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f03141b7d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 5098c2bad97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 5098c2bad97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d0cab2bdd97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 70d30fc7d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 304df9d0d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\76-74-29-a7-90-73 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 709b85a7d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 104c4ab0d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d0cab2bdd97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d0599fabd97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d09f70a3d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000013000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 90bb43d6d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f0781c95d97ada01 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionReason = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44004600350035003100300043004500350038004400440044003700440045000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2868
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
Files
\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
| MD5 | 9166c1276b296bc78fa816cd8448cd32 |
| SHA1 | b5e48ccae94269ca95904fc58440113e9a4cae00 |
| SHA256 | 1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395 |
| SHA512 | 35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll
| MD5 | 53c8cecfec9def827dd79eba8894c073 |
| SHA1 | 4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a |
| SHA256 | 6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388 |
| SHA512 | 2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui
| MD5 | 9b697afa24fa4e8e32c97bfe3f791344 |
| SHA1 | 7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa |
| SHA256 | 1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e |
| SHA512 | d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082 |
memory/2500-22-0x0000000000E00000-0x0000000000E4B000-memory.dmp
memory/2500-23-0x00000000001E0000-0x0000000000219000-memory.dmp
memory/2500-24-0x0000000000460000-0x00000000004B8000-memory.dmp
memory/2500-29-0x0000000000460000-0x00000000004B8000-memory.dmp
memory/2452-59-0x0000000000870000-0x00000000008C8000-memory.dmp
\??\c:\log\haha.txt
| MD5 | d56867a49c9eaf834dc416bfde9034a6 |
| SHA1 | 36433329d6971acedd0f88c4601d736537b53d50 |
| SHA256 | fc26fa6e029934274d8a07325abf7034b9708b0a54bdb8c48568b25864391453 |
| SHA512 | d9bf63e24c171400c989b117191d54f20e344e9c62e689ba3da176c6aa752b4bb969e7c3cac78efcae26d7c003d81181679dede68d464808422e621ba13e8a5e |
memory/2452-54-0x0000000000A20000-0x0000000000A6B000-memory.dmp
C:\log\haha.txt
| MD5 | e9a5d0321439cb69ad4a3805042128a1 |
| SHA1 | f80004d9380e0e94edbed91f1b0c4ecdc393473d |
| SHA256 | 477df02ec43ddb2287c7ccde765f114d5391f91ef6452603c9b991f757a31447 |
| SHA512 | e435ae289aa7e5f61297229398eb5686aa5dacbca96728274625ed8f7e8bbdff5a8d70a4bf606a1bf142ad8c7fc022eadfb2563484307f0b6e28f2bfc1539136 |
memory/2868-66-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2868-70-0x00000000000A0000-0x00000000000D6000-memory.dmp
memory/2868-72-0x0000000000120000-0x0000000000122000-memory.dmp
memory/2868-74-0x0000000000080000-0x0000000000081000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 990dd9e4255660503ce6efdfbbf40774 |
| SHA1 | 7f0974a0c6f517f5f596256963e4ecf636b3fa7f |
| SHA256 | 195dab4e2c9a2d9307eb0e4190fb261b4c705e4ca83555f43df36d5ec47178c9 |
| SHA512 | 4b9fcc86b97cdaee9a398d7e30f43e4fbd5c6c0431b6c1816cfab16e0402db9b5c3eae306142e56501422fa463a74408e19cf0ab768cdc31cfa72588dfcb405c |
memory/2868-80-0x0000000000410000-0x0000000000468000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 136fe31318b808f8b6421d152e3e3b7a |
| SHA1 | c0679372c0badeb73e71641fdb38fb09e52afa86 |
| SHA256 | 4aecaf094ff8eacf42f1dcef4b145cd8a79722046621739fed20cc517fab480f |
| SHA512 | c95a8704c30e495831323cfb13fc26e8935aa87c6c000223914f489596beaefd6aa2023874728eda1d4f3bca1f07c22823d8125183cb82727e3fc09e3c1df0a3 |
memory/2452-86-0x0000000000870000-0x00000000008C8000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 39f4c9e71513fa2e7e09defc1a8c6d9e |
| SHA1 | c4244d3b9197a11a8bf30e850196373937a45f8a |
| SHA256 | 24cf0ff50eb18eb3a74749814e3afe6613750ac9619b6b41427e354b1cc4e8f7 |
| SHA512 | 51ca54b025fbe9b04caf3c26efca93f6de2c56bc573b3ed7c350188208c50c9822fbcb8b7d8007deefb18cd3899cb21fa49ae01a623277f54319526a37dafb24 |
\??\c:\log\haha.txt
| MD5 | 0abecb5b6951a43445a6d2ca9daeeb7d |
| SHA1 | b89aeb913cec4bd6d787cbcd9202213be4fc442c |
| SHA256 | f71e383959c368664c1670baf62db39932f1cc8c7b2bf46533c9151fcadd4b6c |
| SHA512 | 2ba083d11f09821c4d45e731fc804ab3dfeea6eac7a90ab7e2d1bee64803ab71bda368bcb02334d05870dac99a63635d1694434e347b4494fed848689276cf92 |
memory/2500-96-0x0000000000460000-0x00000000004B8000-memory.dmp
\??\c:\log\haha.txt
| MD5 | c050898ccc96e1fd1b1240690e1df6b9 |
| SHA1 | 3655fc41138983eb224de6e9a7bac5b2ec56abc4 |
| SHA256 | ff2d9ceabf53c3f180a45b85a65b168ab0b10701aeebb43f812dace1d25d68fa |
| SHA512 | c60aec9983ade23c9086a2edd6b277f4b453a1941ccc79d6855d2015c6ab3ab6a93ea141f6f950c1dfa1eac87c3ea616e1c57f313b0885a0be356c487efe1e05 |
memory/2868-99-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2868-109-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2868-110-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2868-111-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2868-114-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2868-121-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2868-123-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2868-127-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2868-132-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2868-166-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2768-180-0x0000000000090000-0x0000000000091000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 71be2e1148489794f02f049eec1e64fa |
| SHA1 | ae6281b653f8ac5f5d12f55e3a16973e738f46bf |
| SHA256 | 955b4dbda39904d535dc013ebb08722c259506106ef824a43fcefbff4bf34627 |
| SHA512 | d0d1a0826eae0693181e3ff74faba76e227d5a19d0d3333b040e2884a3cc0aad60ec45d15191d63a6cd89813efbdb57de03bd09bad789436f3e4856e1f9ebe0a |
memory/2768-181-0x0000000000300000-0x0000000000358000-memory.dmp
memory/2768-187-0x0000000000090000-0x0000000000091000-memory.dmp
memory/2768-189-0x0000000000300000-0x0000000000358000-memory.dmp
memory/2768-188-0x0000000000300000-0x0000000000358000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 77bd5c48ed49f08ca7c5c950c6cd6f4d |
| SHA1 | 9165e2c7fbd15906eaac8d1186727528741e2e6b |
| SHA256 | 0fd10bd7ea44348fc96de391a48632f328dc8303c4eac46a81ab45b805cea817 |
| SHA512 | 1901afbad383da275dc821f8048b5afa7963e5b6db8a56928b6ff0d225ddca1dff7492368acaec6ee29a777ce43c581e2e2bc9bc4ef19456799dfeaea8f53109 |
memory/2868-197-0x0000000000410000-0x0000000000468000-memory.dmp
memory/2768-352-0x0000000000300000-0x0000000000358000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-03-20 15:15
Reported
2024-03-20 15:18
Platform
win10-20240221-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Detects PlugX payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | C:\Windows\SysWOW64\svchost.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | C:\Windows\SysWOW64\svchost.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31004400390030004200430044003100420036003500460033003500360038000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 3692
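The process list above shows the classic PlugX chain: the SFX drops iusb3mon.exe next to iusb3mon.dll and iusb3mon.exe.mui (DLL side-loading), re-launches itself from a vendor-looking directory under C:\ProgramData, and then appears as svchost.exe and msiexec.exe started with nothing but integers on the command line. The following script is an added example, not sandbox output or code from the page: it runs two telemetry checks over records constructed from this report's Processes and Files sections and decodes the REG_BINARY value written under HKLM\SOFTWARE\Classes\FAST\CLSID in the "Modifies registry class" table. The trusted-directory allowlist is an illustrative assumption; the sandbox does not print which DLL the ProgramData copy loads, so that field is left empty rather than guessed.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed records modelled on the "Processes" section of this report
# (image path and command line as printed there). loaded_dll for the RarSFX0
# copy comes from the "Files" section; for the ProgramData copy it is unknown.
PROCESS_EVENTS = [
    {"image": r"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"',
     "loaded_dll": None},
    {"image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"',
     "loaded_dll": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll"},
    {"image": r"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe",
     "cmdline": r'"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"',
     "loaded_dll": None},
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe 201 0",
     "loaded_dll": None},
    {"image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe 209 3692",
     "loaded_dll": None},
]

# REG_BINARY data the injected svchost.exe writes to
# HKLM\SOFTWARE\Classes\FAST\CLSID, copied from the "Modifies registry class" table.
FAST_CLSID_HEX = "31004400390030004200430044003100420036003500460033003500360038000000"

# Assumed allowlist: directories where an exe loading a same-named DLL beside
# itself is normal. Tune to the estate; this is illustrative only.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
INJECTION_HOSTS = {"svchost.exe", "msiexec.exe"}


def _split_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line into [image, arg1, ...]; the image may be quoted."""
    m = re.match(r'\s*(?:"([^"]*)"|(\S+))\s*(.*)$', cmdline)
    if not m:
        return []
    image = m.group(1) if m.group(1) is not None else m.group(2)
    return [image] + m.group(3).split()


def is_sideload_triad(image: str, loaded_dll: Optional[str]) -> bool:
    """True when an exe loads a DLL with its own base name from its own directory
    and that directory is not a trusted install root: the side-load layout of
    iusb3mon.exe + iusb3mon.dll + iusb3mon.exe.mui dropped together."""
    if not loaded_dll:
        return False
    exe_dir, exe_name = ntpath.split(image)
    dll_dir, dll_name = ntpath.split(loaded_dll)
    same_dir = ntpath.normcase(exe_dir) == ntpath.normcase(dll_dir)
    same_stem = ntpath.splitext(exe_name)[0].lower() == ntpath.splitext(dll_name)[0].lower()
    untrusted = not ntpath.normcase(exe_dir + "\\").startswith(TRUSTED_ROOTS)
    return same_dir and same_stem and untrusted


def is_plugx_host_cmdline(cmdline: str) -> bool:
    """True for svchost.exe / msiexec.exe started with nothing but integers as
    arguments. A service-host svchost normally carries "-k <group>" and msiexec
    carries a slash switch or no argument; "svchost.exe 201 0" and
    "msiexec.exe 209 3692" are the injected hosts this report lists."""
    tokens = _split_cmdline(cmdline)
    if len(tokens) < 2:
        return False
    image = ntpath.basename(tokens[0]).lower()
    return image in INJECTION_HOSTS and all(arg.isdigit() for arg in tokens[1:])


def decode_utf16_reg_value(hex_data: str) -> str:
    """The sandbox prints the REG_BINARY as hex; it is a NUL-terminated UTF-16LE string."""
    return bytes.fromhex(hex_data).decode("utf-16-le").rstrip("\x00")


def triage(events) -> List[Tuple[str, str]]:
    """Run both checks over process records and return (rule, evidence) pairs."""
    findings = []
    for ev in events:
        if is_sideload_triad(ev["image"], ev.get("loaded_dll")):
            findings.append(("dll_sideload", ev["image"]))
        if is_plugx_host_cmdline(ev["cmdline"]):
            findings.append(("numeric_args_host", ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(PROCESS_EVENTS):
        print(f"{rule:20} {evidence}")
    print("FAST\\CLSID =", decode_utf16_reg_value(FAST_CLSID_HEX))
```

On this report's records the side-load rule fires on the RarSFX0 copy and the numeric-argument rule on both svchost.exe and msiexec.exe; the CLSID value decodes to a 16-character hex identifier, which is worth treating as a host-specific artifact rather than a reusable IOC.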
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
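The Network table is almost entirely the same three names (www, ns and pop3 under million-customers.net) resolved over and over for the whole run, with a few PTR lookups mixed in: the implant is walking its configured C2 entries and none of them answers. Below is an added example, not part of the sandbox output, that parses rows in this page's own table layout and flags a parent domain that is resolved repeatedly through several sibling hostnames. The sample rows are copied from the table above and are labelled as a constructed subset; the two-label parent-domain rule and the thresholds are assumptions a real pipeline would replace with the public suffix list and tuned values.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed subset of the Network table above, in the page's own
# "| Country | Destination | Domain | Proto |" row layout.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|\s*(?P<qname>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$"
)


def parse_rows(text: str) -> List[Dict[str, str]]:
    """Turn table rows into dicts, skipping the header and rows with no query name."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m and m.group("qname") not in ("Domain", "N/A", ""):
            rows.append(m.groupdict())
    return rows


def registered_domain(qname: str) -> str:
    """Naive parent domain (last two labels). Assumption: fine for .net here;
    use the public suffix list for real data (co.uk and friends)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def summarize_dns(rows: List[Dict[str, str]]) -> Dict[str, dict]:
    """Per parent domain: total forward queries and a Counter of distinct hostnames.
    PTR lookups (in-addr.arpa) are skipped: they carry no C2 name selection."""
    stats: Dict[str, dict] = {}
    for r in rows:
        q = r["qname"].lower()
        if q.endswith(".in-addr.arpa"):
            continue
        s = stats.setdefault(registered_domain(q), {"queries": 0, "hosts": Counter()})
        s["queries"] += 1
        s["hosts"][q] += 1
    return stats


def flag_rotating_c2(stats: Dict[str, dict], min_queries: int = 5, min_hosts: int = 3) -> List[str]:
    """Parent domains resolved at least min_queries times through at least
    min_hosts different hostnames: the pattern of an implant cycling its
    configured C2 entries (www/ns/pop3 here) when none of them responds."""
    return sorted(parent for parent, s in stats.items()
                  if s["queries"] >= min_queries and len(s["hosts"]) >= min_hosts)


if __name__ == "__main__":
    stats = summarize_dns(parse_rows(SAMPLE_ROWS))
    for parent, s in stats.items():
        print(parent, s["queries"], dict(s["hosts"]))
    print("rotating C2 candidates:", flag_rotating_c2(stats))
```

Against the full table the counts are far higher than in the sample, but the shape is the same: one parent, three hostnames, resolver 8.8.8.8, no successful connection recorded. When building a detection from this, key on the parent domain and the hostname set rather than on any single FQDN, since the three names are interchangeable from the implant's point of view.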
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
| MD5 | 9166c1276b296bc78fa816cd8448cd32 |
| SHA1 | b5e48ccae94269ca95904fc58440113e9a4cae00 |
| SHA256 | 1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395 |
| SHA512 | 35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll
| MD5 | 53c8cecfec9def827dd79eba8894c073 |
| SHA1 | 4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a |
| SHA256 | 6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388 |
| SHA512 | 2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui
| MD5 | 9b697afa24fa4e8e32c97bfe3f791344 |
| SHA1 | 7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa |
| SHA256 | 1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e |
| SHA512 | d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082 |
memory/1904-13-0x00000000000A0000-0x00000000000EB000-memory.dmp
memory/1904-14-0x00000000028F0000-0x0000000002929000-memory.dmp
memory/1904-19-0x0000000002930000-0x0000000002988000-memory.dmp
C:\log\haha.txt
| MD5 | b896d1d25142488dc7fc5a8ca4082daa |
| SHA1 | 3043e4023ef8a83f946d91deab2f3ece1ac0fb9e |
| SHA256 | 8651bbbfb4954c85e391019fdc0943f6be95bf9a3b75afcc585126b9422fb16f |
| SHA512 | a5666da25998e9bc16da3b915dc7cc19ff505972241b192e413dbf5c637c37fb19cb5d9b973cc7225f332a9593b21e5ae0d220f82694afdb554716e5fb61216d |
memory/1904-39-0x0000000002930000-0x0000000002988000-memory.dmp
C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe.mui
| MD5 | 7d06055a1226eaac88e8050adcd938e1 |
| SHA1 | 971639945181013991426595ddd39d3f2f92bcde |
| SHA256 | cd0d6bc8a0c3e7639cc7eb85a0653c59860a35fcf552c3b1ff05a116d656258c |
| SHA512 | b569326038bc5d67707467e390ecd97e8e6b97ae240f8300d365dc5164acade61cb081f9c27e8e112d356c688ac8bf8f63adc85e6938261d9fb2240274f5ab1e |
memory/700-45-0x0000000000260000-0x00000000002AB000-memory.dmp
memory/700-51-0x0000000001C10000-0x0000000001C68000-memory.dmp
\??\c:\log\haha.txt
Analysis: behavioral4
Detonation Overview
Submitted: 2024-03-20 15:15
Reported: 2024-03-20 15:18
Platform: win10v2004-20240226-en
Max time kernel: 151s
Max time network: 157s
Command Line
Signatures
Detects PlugX payload
PlugX
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003600350045003900350044004100300032003200310030003700340041000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1052
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui
C:\log\haha.txt
\??\c:\log\haha.txt
Analysis: behavioral5
Detonation Overview
Submitted: 2024-03-20 15:15
Reported: 2024-03-20 15:18
Platform: win11-20240221-en
Max time kernel: 150s
Max time network: 152s
Command Line
Signatures
Detects PlugX payload
PlugX
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| N/A | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003900420030003900330033003000420034004600410042003000300030000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
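The two registry tables above are the sandbox's flat rendering of the events: a `Set value (int)` row carries a quoted decimal, and the `Set value (data)` row under `FAST\CLSID` carries the raw bytes as hex. Every second byte of that hex is `00`, which is what a REG_SZ looks like on disk (UTF-16LE with a terminating NUL), and it decodes to a short string of ASCII hex digits. As an added example, not part of this report or of the sandbox's own tooling, the Python below parses those rows into structured records and decodes the hex; `REPORT_ROWS` is copied from the tables above, and `RegEvent` and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Rows copied from the "Modifies data under HKEY_USERS" and "Modifies registry
# class" tables of this report (sandbox output as printed, not constructed).
REPORT_ROWS = [
    r'| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\SysWOW64\svchost.exe | N/A |',
    r'| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |',
    r'| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003900420030003900330033003000420034004600410042003000300000000000 | C:\Windows\SysWOW64\svchost.exe | N/A |',
]


@dataclass
class RegEvent:                 # record type of this example, not a sandbox type
    op: str                     # "Key created", "Set value (int)", "Set value (data)"
    key: str                    # key path exactly as the sandbox printed it
    name: Optional[str]         # value name; None for key operations
    value: Union[int, str, bytes, None]
    process: str


def decode_data_hex(hex_value: str) -> Union[str, bytes]:
    """Decode a 'Set value (data)' payload that the sandbox printed as raw hex.

    REG_SZ is stored as UTF-16LE with a terminating NUL, so ASCII text shows up
    as 'xx00' byte pairs. Return text when every pair looks like that and the
    raw bytes otherwise, so a genuine REG_BINARY value is not mangled.
    """
    raw = bytes.fromhex(hex_value)
    if not raw or len(raw) % 2:
        return raw
    for i in range(0, len(raw), 2):
        if raw[i + 1] != 0 or not (raw[i] == 0 or 0x20 <= raw[i] < 0x7F):
            return raw
    return raw.decode("utf-16-le").rstrip("\x00")


# | <op> | <indicator> | <process> | ...   (cells are separated by '|')
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|")


def parse_row(row: str) -> RegEvent:
    m = ROW_RE.match(row)
    if not m:
        raise ValueError(f"not a signature table row: {row!r}")
    op, indicator, proc = m.group("op"), m.group("ind"), m.group("proc")
    if op == "Key created":
        return RegEvent(op, indicator, None, None, proc)
    # "Set value" rows read '<key>\<name> = <rhs>'; split on the last ' = ' so
    # a key or value name that itself contains '=' is still handled.
    path, sep, rhs = indicator.rpartition(" = ")
    if not sep:
        raise ValueError(f"no value in indicator: {indicator!r}")
    key, _, name = path.rpartition("\\")
    if op == "Set value (int)":
        value: Union[int, str, bytes, None] = int(rhs.strip('"'))
    elif op == "Set value (data)":
        value = decode_data_hex(rhs)
    else:
        value = rhs.strip('"')
    return RegEvent(op, key, name, value, proc)


def parse_rows(rows: List[str]) -> List[RegEvent]:
    return [parse_row(r) for r in rows]


if __name__ == "__main__":
    for ev in parse_rows(REPORT_ROWS):
        print(ev.op, ev.key, ev.name, repr(ev.value), ev.process)
```

On the `FAST\CLSID` row this yields the value name `CLSID` with a decoded string that begins `D9B09330B4FAB0`; the ZoneMap rows come back as integers, and any data whose bytes are not UTF-16 text is returned as `bytes` rather than guessed at.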
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe
"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"
C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe
"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2180
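The Processes list shows the two injection hosts, `svchost.exe` and `msiexec.exe`, started from SysWOW64 with command lines that consist of nothing but numbers (`201 0` and `209 2180`), and started by the dropped `iusb3mon.exe` chain rather than by `services.exe`; 2180 is also one of the PIDs the memory dump names in the Files section carry. As an added example, not part of this report, the Python below turns those observations into a detection over process-creation events. The `EVENTS` list is constructed: image paths and command lines are copied from the Processes list, while the PIDs (taken from the memory dump names) and the parent links (taken from the order of the list) are assumptions, since the report prints neither field beside a process; the final `-k netsvcs` event is a constructed benign control.

```python
import re
from typing import Dict, List, Optional

# Constructed process-creation events modelled on this report's Processes list.
# Image paths and command lines are copied from the report. PIDs are the ones
# carried by the memory dump names in the Files section and parent links follow
# the order of the Processes list; both are assumptions, since the report prints
# neither field beside a process. The last event is a constructed benign control.
EVENTS: List[Dict[str, object]] = [
    {"pid": 1708,
     "image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"},
    {"pid": 2280,
     "image": r"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe",
     "cmdline": r'"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"',
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"},
    {"pid": 2180,
     "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe 201 0",
     "parent_image": r"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"},
    {"pid": 132,
     "image": r"C:\Windows\SysWOW64\msiexec.exe",
     "cmdline": r"C:\Windows\system32\msiexec.exe 209 2180",
     "parent_image": r"C:\Windows\SysWOW64\svchost.exe"},
    {"pid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "parent_image": r"C:\Windows\System32\services.exe"},
]

# Hosts that do no work of their own when launched this way: favourite injection targets.
INJECTION_HOSTS = {"svchost.exe", "msiexec.exe"}

# Program path (quoted or bare) followed by one or more purely numeric arguments
# and nothing else, e.g. 'svchost.exe 201 0' or 'msiexec.exe 209 2180'.
NUMERIC_ARGV_RE = re.compile(r'^(?:"[^"]+"|\S+)((?:\s+\d+)+)\s*$')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def numeric_args(cmdline: str) -> Optional[List[int]]:
    """Return the numeric arguments if the command line carries only those, else None."""
    m = NUMERIC_ARGV_RE.match(cmdline.strip())
    return [int(tok) for tok in m.group(1).split()] if m else None


def find_injection_chain(events: List[Dict[str, object]]) -> Dict[int, Dict[str, object]]:
    """Flag svchost/msiexec launches that match the pattern in this report.

    Events must be in creation order so that a later host whose argument is the
    PID of an earlier flagged host can be tied to it.
    """
    findings: Dict[int, Dict[str, object]] = {}
    flagged: Dict[int, str] = {}          # pid -> host image name
    for ev in events:
        name = basename(str(ev["image"]))
        if name not in INJECTION_HOSTS:
            continue
        args = numeric_args(str(ev["cmdline"]))
        if args is None:
            continue
        reasons = [f"{name} started with numeric-only arguments {args}"]
        parent = basename(str(ev["parent_image"]))
        if name == "svchost.exe" and parent != "services.exe":
            # A legitimate svchost.exe is started by the Service Control Manager.
            reasons.append(f"svchost.exe parent is {parent}, not services.exe")
        if "\\syswow64\\" in str(ev["image"]).lower():
            reasons.append("32-bit host process under SysWOW64")
        for a in args:
            if a in flagged:
                reasons.append(f"argument {a} is the PID of already-flagged {flagged[a]}")
        pid = int(ev["pid"])
        flagged[pid] = name
        findings[pid] = {"image": ev["image"], "parent_image": ev["parent_image"], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in find_injection_chain(EVENTS).items():
        print(pid, f["image"])
        for r in f["reasons"]:
            print("   -", r)
```

Run on the constructed events, only PIDs 2180 and 132 are flagged; the benign service host is not, because its arguments are not numeric and its parent is `services.exe`. The parent check alone is a strong signal on Windows 10, and the PID link (the second `msiexec.exe` argument naming the flagged `svchost.exe`) is what ties the two hosts into one chain rather than two isolated alerts.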
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| N/A | 10.127.255.255:53 | N/A | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 52.111.227.11:443 | N/A | tcp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | ns.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | pop3.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
| US | 8.8.8.8:53 | www.million-customers.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
| MD5 | 9166c1276b296bc78fa816cd8448cd32 |
| SHA1 | b5e48ccae94269ca95904fc58440113e9a4cae00 |
| SHA256 | 1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395 |
| SHA512 | 35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll
| MD5 | 53c8cecfec9def827dd79eba8894c073 |
| SHA1 | 4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a |
| SHA256 | 6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388 |
| SHA512 | 2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui
| MD5 | 9b697afa24fa4e8e32c97bfe3f791344 |
| SHA1 | 7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa |
| SHA256 | 1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e |
| SHA512 | d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082 |
memory/1708-19-0x0000000000C20000-0x0000000000C6B000-memory.dmp
memory/1708-24-0x00000000023A0000-0x00000000023F8000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 4a6f661fb536266e74b5f19c0ec8a670 |
| SHA1 | 914d2eecf296e50fcbec35a44ca6a02ba8d748f3 |
| SHA256 | eea55c60cb8e9e4e73d0f30aa4c5269c77778c988f51a3711809f862ee8adcda |
| SHA512 | dddc2f6fb08fa473fe0c9a6e0c695178ff7aa8a90f2622fa0e6ea3d3e13eaf1cd8ee60aecc45cfd7f1312403bec3402f68b633a9585617d7b69c7fdf124210b0 |
memory/1708-27-0x0000000000BD0000-0x0000000000C09000-memory.dmp
C:\log\haha.txt
| MD5 | 2252430978385da76aa25f6a8dc1c5b9 |
| SHA1 | 834103ea84b02a5def72c10d48bb11d9246994e9 |
| SHA256 | 5de23a22ecdd0fc8775c2b04f7648a11a78a7912c5dab6b19fe9b336bae92ccf |
| SHA512 | 012b2833e8542ac47c1fe997b487ea8012312a4706d9d45556416225d72f2c53a4afdd95bfb88c54aa9f77b6b29a9b3d91ea68393acd4b633a4192de6be310c2 |
memory/2180-63-0x0000000000840000-0x0000000000841000-memory.dmp
memory/2180-68-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 614e4f64e9211e160a4cbcaa2a559e1e |
| SHA1 | 73c5868606c572e5dafc358c721d54c4b99840e4 |
| SHA256 | 2e7509f2c30b38d463d4b1f26e191e71025ff1a07ba6faadfdceb3dcd5443b3e |
| SHA512 | 3e2f0e287f58b8c3087956f06840e9cb764a8c4d19e27885d4429b788a40eab8e09de3ed603390627b90e853a791a6415f637ff6e7835f640c564f8cf85e2629 |
memory/2180-80-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2280-79-0x00000000017F0000-0x0000000001848000-memory.dmp
memory/2280-57-0x0000000000C70000-0x0000000000CBB000-memory.dmp
memory/1708-46-0x00000000023A0000-0x00000000023F8000-memory.dmp
memory/2280-56-0x00000000017F0000-0x0000000001848000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 80857c5feb763592ae39703b25175fe5 |
| SHA1 | f02797750931e4ac374dc16ca701b82799e31563 |
| SHA256 | d3711cc8bfdbd0f3b2774765a5436ceeeec2adeadeff32a943c1ba7f958334ca |
| SHA512 | ffb9a8cb0bec6bc7cbb70e7390b8ef2c07ff7ae9f191da33d460f063c314c6218e75ead8b4da851762c214c64939d952d94dc182d54385de3dd4606148629a97 |
memory/2180-84-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2180-94-0x0000000000840000-0x0000000000841000-memory.dmp
memory/2180-95-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2180-96-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2180-99-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2180-104-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2180-107-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2180-109-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2180-112-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/2180-117-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/132-175-0x0000000002EB0000-0x0000000002F08000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 1f612158771f44a03af09bde9a837af6 |
| SHA1 | e18d623ff9e75847e0cc63f3e203ec0aba58bc9e |
| SHA256 | 43cbe756b1af809a0502d322a01c5b5f04a13cd0f06783f4f8082002e7b8deec |
| SHA512 | f98cdda2f3d45040ef548d632729d0a78cc5d0ee69bb09a44b6b486ea4564409f4190503c61f11e2aab68e6c784d65ab4a7ca96ddbc50c6f89e9787fcd883a9f |
memory/132-170-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
memory/132-180-0x0000000000F00000-0x0000000000F01000-memory.dmp
memory/132-181-0x0000000002EB0000-0x0000000002F08000-memory.dmp
memory/132-182-0x0000000002EB0000-0x0000000002F08000-memory.dmp
\??\c:\log\haha.txt
| MD5 | 151409124bedfae949e399ea0a0b9432 |
| SHA1 | 980dec2ecc515c7a6c9d0b93b34d8b9b7a24e952 |
| SHA256 | 22ee1a865f5d40c93179db5da916d99fad38656235a7f429011939156a7fba78 |
| SHA512 | c8e4a938786e2fb5e943a295c8d094f8cd26ac60bb3b130891adbd487dca3428d57a2a53f8c1afe0d15b13c0a205791721d23287fd30e7eb34800634c120d3ad |
memory/2180-191-0x0000000000FA0000-0x0000000000FF8000-memory.dmp
memory/132-347-0x0000000002EB0000-0x0000000002F08000-memory.dmp
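The `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names in the Files section encode the PID, a sequence number and the address range of each region the sandbox dumped. Differencing the addresses shows that a region of exactly 0x58000 bytes was dumped from all four PIDs (1708, 2280, 2180 and 132), and a 0x4B000-byte region from 1708 and 2280. As an added example, not the sandbox's own code, the Python below parses those names, collapses repeated dumps of the same region and groups regions by size across processes; `DUMP_NAMES` is copied from this section. Reading the recurring 0x58000-byte region as one payload written from the loader into each host process is an interpretation consistent with the WriteProcessMemory and PlugX signatures on this page, not something the report states.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Memory dump names copied from the Files section of this report.
DUMP_NAMES = [
    "memory/1708-19-0x0000000000C20000-0x0000000000C6B000-memory.dmp",
    "memory/1708-24-0x00000000023A0000-0x00000000023F8000-memory.dmp",
    "memory/1708-27-0x0000000000BD0000-0x0000000000C09000-memory.dmp",
    "memory/2180-63-0x0000000000840000-0x0000000000841000-memory.dmp",
    "memory/2180-68-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-80-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2280-79-0x00000000017F0000-0x0000000001848000-memory.dmp",
    "memory/2280-57-0x0000000000C70000-0x0000000000CBB000-memory.dmp",
    "memory/1708-46-0x00000000023A0000-0x00000000023F8000-memory.dmp",
    "memory/2280-56-0x00000000017F0000-0x0000000001848000-memory.dmp",
    "memory/2180-84-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-94-0x0000000000840000-0x0000000000841000-memory.dmp",
    "memory/2180-95-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-96-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-99-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-104-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-107-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-109-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-112-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/2180-117-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/132-175-0x0000000002EB0000-0x0000000002F08000-memory.dmp",
    "memory/132-170-0x0000000000FB0000-0x0000000000FB1000-memory.dmp",
    "memory/132-180-0x0000000000F00000-0x0000000000F01000-memory.dmp",
    "memory/132-181-0x0000000002EB0000-0x0000000002F08000-memory.dmp",
    "memory/132-182-0x0000000002EB0000-0x0000000002F08000-memory.dmp",
    "memory/2180-191-0x0000000000FA0000-0x0000000000FF8000-memory.dmp",
    "memory/132-347-0x0000000002EB0000-0x0000000002F08000-memory.dmp",
]

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name: str) -> Dict[str, int]:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name!r}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def unique_regions(names: List[str]) -> List[Dict[str, int]]:
    """Collapse repeated dumps of the same (pid, start, end) into one record that
    keeps the dump count and the first and last sequence number."""
    regions: Dict[tuple, Dict[str, int]] = {}
    for d in map(parse_dump_name, names):
        key = (d["pid"], d["start"], d["end"])
        r = regions.get(key)
        if r is None:
            regions[key] = dict(d, first_seq=d["seq"], last_seq=d["seq"], dumps=1)
        else:
            r["dumps"] += 1
            r["first_seq"] = min(r["first_seq"], d["seq"])
            r["last_seq"] = max(r["last_seq"], d["seq"])
    return sorted(regions.values(), key=lambda r: (r["first_seq"], r["pid"]))


def regions_by_size(names: List[str]) -> Dict[int, Set[int]]:
    """Map region size in bytes -> set of PIDs holding a region of exactly that size."""
    out: Dict[int, Set[int]] = defaultdict(set)
    for r in unique_regions(names):
        out[r["size"]].add(r["pid"])
    return dict(out)


def shared_regions(names: List[str], min_pids: int = 2) -> Dict[int, Set[int]]:
    """Sizes that recur in at least `min_pids` processes. A same-size private
    region in the loader and in every host it wrote to is the shape an injected
    payload leaves behind; 0x1000-byte stubs recur for mundane reasons too, so
    size alone is a lead to confirm against the dump contents, not a verdict."""
    return {size: pids for size, pids in regions_by_size(names).items() if len(pids) >= min_pids}


if __name__ == "__main__":
    for size, pids in sorted(shared_regions(DUMP_NAMES).items(), reverse=True):
        print(f"0x{size:X} bytes in PIDs {sorted(pids)}")
```

The 27 dump names collapse to 10 distinct regions. The 0x58000-byte region in 2180 alone was dumped twelve times (sequence 68 through 191), which is why the Files section looks so repetitive: the sandbox re-dumps a region each time it observes activity in it, so the count per region is a rough activity timeline, not evidence of twelve separate injections.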