Malware Analysis Report

2024-07-11 07:37

Sample ID 240320-sm7qesbe48
Target Injected_LoadExe_Malware.zip
SHA256 3244606c4d740afa7a0c8f5e89a99c9ed8940103213451e23c1d9af3c89e3f75
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

3244606c4d740afa7a0c8f5e89a99c9ed8940103213451e23c1d9af3c89e3f75

Threat Level: Known bad

The file Injected_LoadExe_Malware.zip was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Deletes itself

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-03-20 15:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-20 15:15

Reported

2024-03-20 15:18

Platform

win10-20240221-en

Max time kernel

160s

Max time network

170s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 30003800460046004400390043003300350043003600300033004300430034000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 412 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 4640 wrote to memory of 1232 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 1232 wrote to memory of 4856 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"

C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe

"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 1232

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.million-customers.net udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui

C:\log\haha.txt

\??\c:\log\haha.txt

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-20 15:15

Reported

2024-03-20 15:18

Platform

win7-20240221-en

Max time kernel

153s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 907f4499d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 709b85a7d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000a000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000015000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadNetworkName = "Network 2" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 30487acdd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 90b2398fd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 907f4499d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000009000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 304df9d0d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 104c4ab0d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000f000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 70d30fc7d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000012000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = f0781c95d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000c000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d07f62c2d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f0795ddad97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d0e1f8c9d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 30487acdd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f03141b7d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 5098c2bad97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 5098c2bad97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = d0cab2bdd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 70d30fc7d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 304df9d0d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\76-74-29-a7-90-73 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 709b85a7d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionTime = 104c4ab0d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d0cab2bdd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813} C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000007000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d0599fabd97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = d09f70a3d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000b000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000013000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = 90bb43d6d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000008000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 460000000e000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000005000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\76-74-29-a7-90-73\WpadDecisionTime = f0781c95d97ada01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{84A23D09-A220-42C2-8421-5B466F22E813}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44004600350035003100300043004500350038004400440044003700440045000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2500 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 2452 wrote to memory of 2868 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2868 wrote to memory of 2768 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"

C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe

"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2868

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.million-customers.net udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
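
The table above records only DNS queries from the sandbox: every row is a lookup sent to 8.8.8.8 for one of three hostnames under the same registered domain (www, ns and pop3 of million-customers.net), and no response or TCP rows appear in this table, so on its own it shows resolution attempts, not a confirmed C2 session. The following is an added example, not part of the sandbox output, that parses rows in this table's format and summarises them per registered domain; the sample rows are a constructed subset copied from this report (including the broadcast row and a reverse lookup that occur later in it), the `registered_domain` helper is a deliberate simplification, and the flagging thresholds are the example's own.

```python
"""Added example: summarise the DNS rows of a sandbox Network table.
Sample rows are a constructed subset copied from the report; the parsing,
the domain grouping and the thresholds are this example's, not the sandbox's."""
from collections import defaultdict

# Constructed subset of the report's "Country Destination Domain Proto" rows.
SAMPLE_ROWS = """\
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
"""


def parse_rows(text):
    """Rows are 'Country Destination Domain Proto'; the Domain column is
    absent when the sandbox logged a packet without a query name."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def registered_domain(name):
    """Simplification: last two labels.  Real code should use the public
    suffix list (e.g. tldextract) so that co.uk-style suffixes group correctly."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def summarize(rows):
    """Per registered domain: query count, distinct hostnames asked for and
    resolvers used.  Reverse lookups and rows without a name are skipped."""
    summary = defaultdict(lambda: {"queries": 0, "hosts": set(), "resolvers": set()})
    for r in rows:
        d = r["domain"]
        if not d or d.endswith((".in-addr.arpa", ".ip6.arpa")):
            continue
        entry = summary[registered_domain(d)]
        entry["queries"] += 1
        entry["hosts"].add(d.lower())
        entry["resolvers"].add(r["dest"])
    return dict(summary)


def flag_candidates(summary, min_queries=20, min_hosts=2):
    """Domains queried repeatedly under several hostnames within one
    detonation: the shape a backdoor cycling a configured server list shows."""
    return sorted(d for d, e in summary.items()
                  if e["queries"] >= min_queries and len(e["hosts"]) >= min_hosts)


if __name__ == "__main__":
    for domain, entry in summarize(parse_rows(SAMPLE_ROWS)).items():
        print(domain, entry["queries"], sorted(entry["hosts"]))
```

Run against the full table (several hundred rows for one domain, three hostnames) the default thresholds flag million-customers.net; with the ten sample rows the count is 8, so the usage in the test lowers `min_queries` to show the flagging path.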

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

MD5 9166c1276b296bc78fa816cd8448cd32
SHA1 b5e48ccae94269ca95904fc58440113e9a4cae00
SHA256 1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395
SHA512 35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll

MD5 53c8cecfec9def827dd79eba8894c073
SHA1 4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a
SHA256 6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388
SHA512 2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui

MD5 9b697afa24fa4e8e32c97bfe3f791344
SHA1 7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa
SHA256 1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e
SHA512 d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082

memory/2500-22-0x0000000000E00000-0x0000000000E4B000-memory.dmp

memory/2500-23-0x00000000001E0000-0x0000000000219000-memory.dmp

memory/2500-24-0x0000000000460000-0x00000000004B8000-memory.dmp

memory/2500-29-0x0000000000460000-0x00000000004B8000-memory.dmp

memory/2452-59-0x0000000000870000-0x00000000008C8000-memory.dmp

\??\c:\log\haha.txt

MD5 d56867a49c9eaf834dc416bfde9034a6
SHA1 36433329d6971acedd0f88c4601d736537b53d50
SHA256 fc26fa6e029934274d8a07325abf7034b9708b0a54bdb8c48568b25864391453
SHA512 d9bf63e24c171400c989b117191d54f20e344e9c62e689ba3da176c6aa752b4bb969e7c3cac78efcae26d7c003d81181679dede68d464808422e621ba13e8a5e

memory/2452-54-0x0000000000A20000-0x0000000000A6B000-memory.dmp

C:\log\haha.txt

MD5 e9a5d0321439cb69ad4a3805042128a1
SHA1 f80004d9380e0e94edbed91f1b0c4ecdc393473d
SHA256 477df02ec43ddb2287c7ccde765f114d5391f91ef6452603c9b991f757a31447
SHA512 e435ae289aa7e5f61297229398eb5686aa5dacbca96728274625ed8f7e8bbdff5a8d70a4bf606a1bf142ad8c7fc022eadfb2563484307f0b6e28f2bfc1539136

memory/2868-66-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2868-70-0x00000000000A0000-0x00000000000D6000-memory.dmp

memory/2868-72-0x0000000000120000-0x0000000000122000-memory.dmp

memory/2868-74-0x0000000000080000-0x0000000000081000-memory.dmp

\??\c:\log\haha.txt

MD5 990dd9e4255660503ce6efdfbbf40774
SHA1 7f0974a0c6f517f5f596256963e4ecf636b3fa7f
SHA256 195dab4e2c9a2d9307eb0e4190fb261b4c705e4ca83555f43df36d5ec47178c9
SHA512 4b9fcc86b97cdaee9a398d7e30f43e4fbd5c6c0431b6c1816cfab16e0402db9b5c3eae306142e56501422fa463a74408e19cf0ab768cdc31cfa72588dfcb405c

memory/2868-80-0x0000000000410000-0x0000000000468000-memory.dmp

\??\c:\log\haha.txt

MD5 136fe31318b808f8b6421d152e3e3b7a
SHA1 c0679372c0badeb73e71641fdb38fb09e52afa86
SHA256 4aecaf094ff8eacf42f1dcef4b145cd8a79722046621739fed20cc517fab480f
SHA512 c95a8704c30e495831323cfb13fc26e8935aa87c6c000223914f489596beaefd6aa2023874728eda1d4f3bca1f07c22823d8125183cb82727e3fc09e3c1df0a3

memory/2452-86-0x0000000000870000-0x00000000008C8000-memory.dmp

\??\c:\log\haha.txt

MD5 39f4c9e71513fa2e7e09defc1a8c6d9e
SHA1 c4244d3b9197a11a8bf30e850196373937a45f8a
SHA256 24cf0ff50eb18eb3a74749814e3afe6613750ac9619b6b41427e354b1cc4e8f7
SHA512 51ca54b025fbe9b04caf3c26efca93f6de2c56bc573b3ed7c350188208c50c9822fbcb8b7d8007deefb18cd3899cb21fa49ae01a623277f54319526a37dafb24

\??\c:\log\haha.txt

MD5 0abecb5b6951a43445a6d2ca9daeeb7d
SHA1 b89aeb913cec4bd6d787cbcd9202213be4fc442c
SHA256 f71e383959c368664c1670baf62db39932f1cc8c7b2bf46533c9151fcadd4b6c
SHA512 2ba083d11f09821c4d45e731fc804ab3dfeea6eac7a90ab7e2d1bee64803ab71bda368bcb02334d05870dac99a63635d1694434e347b4494fed848689276cf92

memory/2500-96-0x0000000000460000-0x00000000004B8000-memory.dmp

\??\c:\log\haha.txt

MD5 c050898ccc96e1fd1b1240690e1df6b9
SHA1 3655fc41138983eb224de6e9a7bac5b2ec56abc4
SHA256 ff2d9ceabf53c3f180a45b85a65b168ab0b10701aeebb43f812dace1d25d68fa
SHA512 c60aec9983ade23c9086a2edd6b277f4b453a1941ccc79d6855d2015c6ab3ab6a93ea141f6f950c1dfa1eac87c3ea616e1c57f313b0885a0be356c487efe1e05

memory/2868-99-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2868-109-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2868-110-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2868-111-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2868-114-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2868-121-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2868-123-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2868-127-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2868-132-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2868-166-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2768-180-0x0000000000090000-0x0000000000091000-memory.dmp

\??\c:\log\haha.txt

MD5 71be2e1148489794f02f049eec1e64fa
SHA1 ae6281b653f8ac5f5d12f55e3a16973e738f46bf
SHA256 955b4dbda39904d535dc013ebb08722c259506106ef824a43fcefbff4bf34627
SHA512 d0d1a0826eae0693181e3ff74faba76e227d5a19d0d3333b040e2884a3cc0aad60ec45d15191d63a6cd89813efbdb57de03bd09bad789436f3e4856e1f9ebe0a

memory/2768-181-0x0000000000300000-0x0000000000358000-memory.dmp

memory/2768-187-0x0000000000090000-0x0000000000091000-memory.dmp

memory/2768-189-0x0000000000300000-0x0000000000358000-memory.dmp

memory/2768-188-0x0000000000300000-0x0000000000358000-memory.dmp

\??\c:\log\haha.txt

MD5 77bd5c48ed49f08ca7c5c950c6cd6f4d
SHA1 9165e2c7fbd15906eaac8d1186727528741e2e6b
SHA256 0fd10bd7ea44348fc96de391a48632f328dc8303c4eac46a81ab45b805cea817
SHA512 1901afbad383da275dc821f8048b5afa7963e5b6db8a56928b6ff0d225ddca1dff7492368acaec6ee29a777ce43c581e2e2bc9bc4ef19456799dfeaea8f53109

memory/2868-197-0x0000000000410000-0x0000000000468000-memory.dmp

memory/2768-352-0x0000000000300000-0x0000000000358000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-03-20 15:15

Reported

2024-03-20 15:18

Platform

win10-20240221-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat C:\Windows\SysWOW64\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 31004400390030004200430044003100420036003500460033003500360038000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
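
The CLSID value above is shown as raw hex because the sandbox captured the value bytes; decoding them as UTF-16LE (the encoding of a REG_SZ value, with a trailing NUL) gives a readable 16-character token, which makes the key and value a usable host IOC. The following is an added example, not part of the sandbox report, that performs that decode on the hex string copied from this report and includes a small hunt helper for Windows hosts; the helper reads both registry views because the writer here was a 32-bit process in SysWOW64, and it is the example's own code.

```python
r"""Added example: decode the REG_BINARY data the report shows under
HKLM\SOFTWARE\Classes\FAST\CLSID and read it back from a live host.
The hex string is copied from the report; the functions are this example's."""

# Copied from the report's "Modifies registry class" row.
CLSID_HEX = "31004400390030004200430044003100420036003500460033003500360038000000"


def decode_utf16le_hex(hex_data):
    """REG_SZ data captured as hex is UTF-16LE with a NUL terminator."""
    raw = bytes.fromhex(hex_data)
    if len(raw) % 2:
        raise ValueError("odd byte count, not a UTF-16 string")
    return raw.decode("utf-16-le").rstrip("\x00")


def is_hex_token(value, length=16):
    """The decoded value is a fixed-width uppercase hex token, not a GUID."""
    return len(value) == length and all(c in "0123456789ABCDEF" for c in value)


def read_fast_clsid():
    """Hunt helper for Windows hosts: read the value from both registry
    views, since the writer in this report was a 32-bit (SysWOW64) process.
    Returns {view: decoded value} for views where the key exists; {} on
    non-Windows hosts or when the key is absent."""
    try:
        import winreg
    except ImportError:          # not Windows: nothing to read
        return {}
    found = {}
    views = (("64", winreg.KEY_WOW64_64KEY), ("32", winreg.KEY_WOW64_32KEY))
    for view_name, flag in views:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Classes\FAST",
                                0, winreg.KEY_READ | flag) as key:
                data, _kind = winreg.QueryValueEx(key, "CLSID")
        except OSError:
            continue
        if isinstance(data, bytes):          # REG_BINARY: decode as the sandbox showed it
            data = data.decode("utf-16-le", errors="replace").rstrip("\x00")
        found[view_name] = data
    return found


if __name__ == "__main__":
    token = decode_utf16le_hex(CLSID_HEX)
    print(token, "hex token" if is_hex_token(token) else "other")
    print(read_fast_clsid() or "FAST\\CLSID not present (or not Windows)")
```

The decoded token is what to pivot on when hunting: match the key path first, then compare the value across hosts, since a shared token across machines points at one build of the implant while differing tokens point at per-host generation.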

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2812 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 2812 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 2812 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"

C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe

"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 3692
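
Read together, the WriteProcessMemory rows and the Processes section describe two hand-offs: the extracted iusb3mon.exe running from ProgramData (PID 700) writes into a freshly started svchost.exe (PID 3692), and that svchost.exe writes into msiexec.exe (PID 780), whose command line ends with the number 3692, the PID of the svchost.exe that wrote to it. Neither command line is one Windows produces on its own: a genuine svchost.exe is started by services.exe with `-k <group>`, and `201 0` / `209 3692` are bare numbers. The following is an added example, not part of the sandbox report, that rebuilds those chains from rows in the report's format and applies that command-line heuristic; the rows and command lines are copied from this report, the parsing and the heuristics are the example's own.

```python
"""Added example: rebuild the injection chain from the report's
"Suspicious use of WriteProcessMemory" rows and check the command lines of
the two hollowed targets from the "Processes" section.  Rows and command
lines are copied from the report; the logic is this example's own."""
import re

# Constructed from the report's WriteProcessMemory table (one row per write,
# so the same writer -> target edge repeats).
WPM_ROWS = r"""
PID 2812 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 2812 wrote to memory of 1904 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 700 wrote to memory of 3692 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 3692 wrote to memory of 780 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
"""

# Constructed from the report's "Processes" section: pid -> (image, command line).
PROCESSES = {
    3692: (r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe 201 0"),
    780: (r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 3692"),
}

# Writer path may contain spaces; the target path always starts with "C:\".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (C:\\.*?) (C:\\.*)$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_writes(text):
    """Map (writer_pid, target_pid, writer_image, target_image) -> write count."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            key = (int(m.group(1)), int(m.group(2)), m.group(3), m.group(4))
            edges[key] = edges.get(key, 0) + 1
    return edges


def injection_chains(edges):
    """Follow writer -> target links from each root writer (a PID nobody
    wrote into).  Returns a list of chains of (pid, image)."""
    next_of, image_of = {}, {}
    for src, dst, src_img, dst_img in edges:
        image_of.setdefault(src, src_img)
        image_of.setdefault(dst, dst_img)
        next_of.setdefault(src, dst)          # one target per writer in this report
    targets = {dst for _, dst, _, _ in edges}
    chains = []
    for root in [pid for pid in next_of if pid not in targets]:
        chain, cur = [(root, image_of[root])], root
        while cur in next_of:
            cur = next_of[cur]
            chain.append((cur, image_of[cur]))
        chains.append(chain)
    return chains


def odd_command_line(image, cmdline):
    """Heuristic for the hollowed targets seen here: svchost.exe without
    '-k', or msiexec.exe whose arguments are nothing but bare numbers."""
    name = basename(image).lower()
    args = cmdline.split()[1:]
    if name == "svchost.exe":
        return "-k" not in (a.lower() for a in args)
    if name == "msiexec.exe":
        return bool(args) and all(a.isdigit() for a in args)
    return False


def parent_pid_in_args(cmdline):
    """The msiexec line carries the writing svchost's PID as its last argument."""
    last = cmdline.split()[-1]
    return int(last) if last.isdigit() else None


if __name__ == "__main__":
    for chain in injection_chains(parse_writes(WPM_ROWS)):
        print(" -> ".join("%d %s" % (pid, basename(img)) for pid, img in chain))
    for pid, (img, cmd) in PROCESSES.items():
        print(pid, "suspicious" if odd_command_line(img, cmd) else "ok", cmd)
```

The two chains come out separately because the report records no write from the Temp copy of iusb3mon.exe (PID 1904) into the ProgramData copy (PID 700); the latter is a new process launched from the dropped files, and the link between them is the file drop, not a memory write.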

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.million-customers.net udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui

memory/1904-13-0x00000000000A0000-0x00000000000EB000-memory.dmp

memory/1904-14-0x00000000028F0000-0x0000000002929000-memory.dmp

memory/1904-19-0x0000000002930000-0x0000000002988000-memory.dmp

C:\log\haha.txt

memory/1904-39-0x0000000002930000-0x0000000002988000-memory.dmp

C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe.mui

memory/700-45-0x0000000000260000-0x00000000002AB000-memory.dmp

memory/700-51-0x0000000001C10000-0x0000000001C68000-memory.dmp

\??\c:\log\haha.txt

C:\log\haha.txt

\??\c:\log\haha.txt

\??\c:\log\haha.txt

memory/700-71-0x0000000001C10000-0x0000000001C68000-memory.dmp

memory/3692-62-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/3692-57-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

\??\c:\log\haha.txt

memory/3692-81-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/3692-91-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

memory/3692-92-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/3692-93-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/3692-96-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/3692-101-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/3692-106-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/3692-109-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/3692-114-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/780-141-0x00000000036B0000-0x0000000003708000-memory.dmp

\??\c:\log\haha.txt

memory/780-142-0x0000000001040000-0x0000000001041000-memory.dmp

memory/780-149-0x00000000036B0000-0x0000000003708000-memory.dmp

memory/780-147-0x0000000000F90000-0x0000000000F91000-memory.dmp

memory/780-148-0x00000000036B0000-0x0000000003708000-memory.dmp

memory/780-150-0x00000000036B0000-0x0000000003708000-memory.dmp

\??\c:\log\haha.txt

memory/3692-158-0x00000000030D0000-0x0000000003128000-memory.dmp

memory/780-314-0x00000000036B0000-0x0000000003708000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-03-20 15:15

Reported

2024-03-20 15:18

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 46003600350045003900350044004100300032003200310030003700340041000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2480 wrote to memory of 3648 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 4108 wrote to memory of 1052 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 1052 wrote to memory of 3416 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"

C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe

"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1032 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui

memory/3648-19-0x0000000000780000-0x00000000007CB000-memory.dmp

memory/3648-20-0x0000000000BE0000-0x0000000000C19000-memory.dmp

memory/3648-21-0x00000000022D0000-0x0000000002328000-memory.dmp

memory/3648-26-0x00000000022D0000-0x0000000002328000-memory.dmp

C:\log\haha.txt

memory/4108-51-0x0000000000620000-0x000000000066B000-memory.dmp

memory/4108-52-0x0000000001500000-0x0000000001558000-memory.dmp

memory/4108-57-0x0000000001500000-0x0000000001558000-memory.dmp

\??\c:\log\haha.txt

MD5 cec8e976c9152a5bfcabfea4834f2f44
SHA1 2edc7b303f7c19718f608632334fac3d2f6325fc
SHA256 6b02268f3f14d7963167fa7c61a57ca0f584837a773cdfda42ff9da904b9218a
SHA512 69bd756273ba554aa832c0f11923ff5935aa0d070abf142f89f7b5446df25d7cce51900c6929a95f85a882591275235acc34c42455ae4208dd9755bcbed0d88e

C:\log\haha.txt

MD5 6a05d5c1b7a7fa21263f1431f402d90a
SHA1 0b65f67e7926667f0a128c19da6d8223addf49b4
SHA256 537817e02c2c784da4bbed912d085eedaf560cd13d003f31337cf2d88da2ed6d
SHA512 8607f375fcb4c2a4b3069e5259c2a20ecd69555ba0663bdcf4831852120a799a08b9def622a2c844e62e65c4770214477f69c6ab09ba79700c87034f63bdfd47

memory/1052-68-0x0000000000F90000-0x0000000000FE8000-memory.dmp

\??\c:\log\haha.txt

MD5 7d92c3a71d23b9085aa008a1a20138bb
SHA1 d4e5ccd17039403df03c73f93c8a8ca70d7c69be
SHA256 01af4cfb0c244f0cbda1b4abdbc517d36a3da35dd7dda41bc3cd765163daacd4
SHA512 f8877245ec57820e0ac58f80018b06d001ceab5614381b3a08b78a7e069b1ac991ac89be16b1b903ac0d46135aeb866bbd7f7f626cd5e52173708ffd44cc03a6

memory/1052-63-0x0000000000640000-0x0000000000641000-memory.dmp

\??\c:\log\haha.txt

MD5 983f3166c29099d02ec9ec99d597ab11
SHA1 6ab7abfece1893614b17d2335572617a0ce8bf52
SHA256 f9c9edea44946beab38289f2cb680d3f295a520a43df9bcfe27168244b1c4ab5
SHA512 63f08eb5e720035b3266bc5f82df434636f7ee686b653d43b4b84b1b2822764535e811fa4e49bf997c7b767b52f176942ce97f2469bc57170d0b74b3bb8fcae1

memory/4108-73-0x0000000001500000-0x0000000001558000-memory.dmp

\??\c:\log\haha.txt

MD5 814e67ba68e89969d4a8722d44601981
SHA1 921a07413babfb01426b42c40e104ace61a8dcf3
SHA256 4d780633bb2eed165db8cb1074634f2354da202f1006e575810a12894fd26d7c
SHA512 3a072078551f55dc0b23c0751686a7e2aedaf9cbeeffcf4c0b10f3a3c5478b3eec0d0c1fcdaec99a005e6eeecf5431e8903a67d1a5107f76df6389b0f9440d75

memory/3648-85-0x00000000022D0000-0x0000000002328000-memory.dmp

\??\c:\log\haha.txt

MD5 a0f136b67c71ca312bd5e92d0da141b4
SHA1 11d21036aa790cfeb7d6f318e25352b5899f4b23
SHA256 d94850679b283df25960e29605f43d75b303723275910b728c24cab94ab30b64
SHA512 0f71c36af37db890d142389cc28b416a2b2f382f5883039b1d4bedfae12dd58e86431abd78848c3f73b7481963e15803146789c20a5ec9b9b6e0f06f34ec61ab

memory/1052-86-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/1052-96-0x0000000000640000-0x0000000000641000-memory.dmp

memory/1052-97-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/1052-98-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/1052-101-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/1052-108-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/1052-109-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/1052-114-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/1052-119-0x0000000000F90000-0x0000000000FE8000-memory.dmp

\??\c:\log\haha.txt

MD5 73b6ae6197e0d44208a2d60637ee5d05
SHA1 c476d7e9c716c53093512bd860c7ff6b69a0fee3
SHA256 0443929b53fb4683de4b49e64082b5683eb31ea37cf62de67418cc2da0e31d9d
SHA512 4477f90b3811e3063cb95114ffe3ad4b55197216e8a4369c86b3d40812807f4b81aaa21abd713c3f4452fce66098fc232ae1cab947d69b32cb9a19c7077b1797

memory/3416-156-0x00000000003B0000-0x00000000003B1000-memory.dmp

memory/3416-161-0x0000000000D30000-0x0000000000D88000-memory.dmp

memory/3416-168-0x0000000000D30000-0x0000000000D88000-memory.dmp

memory/3416-167-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

memory/3416-169-0x0000000000D30000-0x0000000000D88000-memory.dmp

\??\c:\log\haha.txt

MD5 030fb70c441e7b5b920935b501726715
SHA1 fb830f85daa9f1e19c40f1446d69dc298ca4bb87
SHA256 5a095ce4561460118bb77377ff287ff458925c409c291286b152096fc196de87
SHA512 e0c8b31f81d5160a1716578edebb5f7f3a345f36b27c92d04369263cd486c27b0affb42ec008fe5a0706e6713e52f0f90c4c9df2059ad49117fdaa6a15a1cdd3

memory/1052-177-0x0000000000F90000-0x0000000000FE8000-memory.dmp

memory/3416-322-0x0000000000D30000-0x0000000000D88000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-03-20 15:15

Reported

2024-03-20 15:18

Platform

win11-20240221-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003900420030003900330033003000420034004600410042003000300030000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2128 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 2128 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 2128 wrote to memory of 1708 N/A C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe
PID 2280 wrote to memory of 2180 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2280 wrote to memory of 2180 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2280 wrote to memory of 2180 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2280 wrote to memory of 2180 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2280 wrote to memory of 2180 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2280 wrote to memory of 2180 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2280 wrote to memory of 2180 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2280 wrote to memory of 2180 N/A C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe C:\Windows\SysWOW64\svchost.exe
PID 2180 wrote to memory of 132 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 132 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 132 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 132 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 132 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 132 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 132 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2180 wrote to memory of 132 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe

"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"

C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe

"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2180
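The process list above is the part of this analysis a responder pivots on: two Windows host binaries, svchost.exe and msiexec.exe, launched with nothing but integer arguments, each of them written to by its parent according to the WriteProcessMemory table, an iusb3mon.exe dropped next to an iusb3mon.dll of the same name (the layout behind the "Loads dropped DLL" signature), and a CLSID value under HKLM\Software\Classes\FAST stored as hex-encoded UTF-16LE. The following Python is an added triage example, not part of the sandbox's tooling or of this report. The sample rows are transcribed from the behavioral5 Processes, WriteProcessMemory and registry tables and from the RarSFX0 entries in the Files tables; the heuristics it applies (a host process whose arguments are all integers, an .exe/.dll pair sharing a stem) are this example's own assumptions, not rules taken from the report.

```python
import re
from typing import Dict, List, Set, Tuple

# ---- Sample input, transcribed from the behavioral5 tables above (constructed) ----
# (image path, command line) from the Processes table
PROCESS_ROWS: List[Tuple[str, str]] = [
    (r"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\Injected_LoadExe_Malware.exe"'),
    (r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe"'),
    (r"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe",
     r'"C:\ProgramData\Intel\Intel(R) Management Engine Components\iusb3mon.exe"'),
    (r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\system32\svchost.exe 201 0"),
    (r"C:\Windows\SysWOW64\msiexec.exe", r"C:\Windows\system32\msiexec.exe 209 2180"),
]
# (writer pid, target pid) from the WriteProcessMemory table, de-duplicated
WPM_ROWS: List[Tuple[int, int]] = [(2128, 1708), (2280, 2180), (2180, 132)]
# dropped files from the Files tables
FILE_PATHS: List[str] = [
    r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe",
    r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll",
    r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui",
    r"C:\log\haha.txt",
]
# value written to \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID
REG_CLSID_HEX = "44003900420030003900330033003000420034004600410042003000300030000000"

# Heuristic choices of this example (assumptions, not taken from the report)
HOLLOW_HOSTS = {"svchost.exe", "msiexec.exe"}
_TOKEN = re.compile(r'"[^"]*"|\S+')   # one quoted token or one bare token


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def decode_reg_utf16(hex_blob: str) -> str:
    """Sandbox registry dumps show string data as hex of UTF-16LE; drop the terminator."""
    return bytes.fromhex(hex_blob).decode("utf-16-le").rstrip("\x00")


def flag_numeric_arg_hosts(rows: List[Tuple[str, str]]) -> List[Tuple[str, List[int]]]:
    """Return (image, args) for svchost.exe/msiexec.exe whose arguments are all integers.
    A real svchost runs as 'svchost.exe -k <group>', a real msiexec with /i, /x, /V ...;
    bare integers are the pattern visible in the Processes table above."""
    hits = []
    for image, cmdline in rows:
        args = _TOKEN.findall(cmdline)[1:]
        if basename(image) in HOLLOW_HOSTS and args and all(a.isdigit() for a in args):
            hits.append((image, [int(a) for a in args]))
    return hits


def injection_chains(pairs: List[Tuple[int, int]]) -> Dict[int, List[int]]:
    """Follow writer->target edges from each root (a pid that is never a target)."""
    target_of: Dict[int, int] = {}
    for writer, target in pairs:
        target_of.setdefault(writer, target)
    targets = {t for _, t in pairs}
    chains: Dict[int, List[int]] = {}
    for root in sorted(p for p in target_of if p not in targets):
        chain, pid = [root], root
        while pid in target_of:
            pid = target_of[pid]
            chain.append(pid)
        chains[root] = chain
    return chains


def sideload_pairs(paths: List[str]) -> Set[str]:
    """Stems (lower-cased, without extension) that have both an .exe and a .dll dropped
    side by side, the layout used for DLL side-loading (iusb3mon.exe + iusb3mon.dll)."""
    exts_by_stem: Dict[str, Set[str]] = {}
    for p in paths:
        low = p.lower()
        for ext in (".exe", ".dll"):
            if low.endswith(ext):
                exts_by_stem.setdefault(low[: -len(ext)], set()).add(ext)
    return {stem for stem, exts in exts_by_stem.items() if exts == {".exe", ".dll"}}


if __name__ == "__main__":
    print("hollowed hosts :", flag_numeric_arg_hosts(PROCESS_ROWS))
    print("write chains   :", injection_chains(WPM_ROWS))
    print("side-load pairs:", sideload_pairs(FILE_PATHS))
    print("FAST\\CLSID     :", decode_reg_utf16(REG_CLSID_HEX))
```

Run against the transcribed rows it flags svchost.exe (arguments 201, 0) and msiexec.exe (arguments 209, 2180), reconstructs the two write chains 2128 to 1708 and 2280 to 2180 to 132, reports the RarSFX0 iusb3mon stem as an .exe/.dll pair, and decodes the CLSID blob to D9B09330B4FAB000. Note that the second msiexec.exe argument, 2180, is the PID of the svchost.exe that wrote into it according to the WriteProcessMemory table, so the argument is worth keeping in any detection as a pivot back to the injecting process.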

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.million-customers.net udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 ns.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 pop3.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp
US 8.8.8.8:53 www.million-customers.net udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe

MD5 9166c1276b296bc78fa816cd8448cd32
SHA1 b5e48ccae94269ca95904fc58440113e9a4cae00
SHA256 1d2bf20f9ea7665281e5f9ffe50a8127e4618cb76c6a47a27e7aca196327c395
SHA512 35d8a6475d9579d9134f0fad4c1c5db9db6b0ffd06ba451193f3f89b0d23983067e12758b620aad90b3042a14a004c0fbdcbb99dfe7c669d2101434e709d0e26

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.dll

MD5 53c8cecfec9def827dd79eba8894c073
SHA1 4fb4895d41e62d69fe7f4f27a2f1355dcc06cc3a
SHA256 6104ae31a6fde52b4e8c4a1a32de0719e0dc9d8aee5e258ef578e5371d6ef388
SHA512 2049546fa25e3ca51d2c220f246fe5622b93badfc1d5d4c38262a3003109f3ca983298fc15dd6bc785567d69cb5a75f79967582f5cdc6e65d27edd6b55cef7a2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\iusb3mon.exe.mui

MD5 9b697afa24fa4e8e32c97bfe3f791344
SHA1 7b8563102dbb1de9cf96cfb51dcdf0b5116e26aa
SHA256 1cf6eb9eb9816318b894fe342124edcfabf8544fdf7d46e5ca2c13ca4c49603e
SHA512 d0f024c7db17e645b4785fd0800706a6c2f62449b1aaf062a65da197fe110ac16938b26472c2fbfdd306435234c63d695b63932b3c06fa54ba38a633b9ddd082

memory/1708-19-0x0000000000C20000-0x0000000000C6B000-memory.dmp

memory/1708-24-0x00000000023A0000-0x00000000023F8000-memory.dmp

\??\c:\log\haha.txt

MD5 4a6f661fb536266e74b5f19c0ec8a670
SHA1 914d2eecf296e50fcbec35a44ca6a02ba8d748f3
SHA256 eea55c60cb8e9e4e73d0f30aa4c5269c77778c988f51a3711809f862ee8adcda
SHA512 dddc2f6fb08fa473fe0c9a6e0c695178ff7aa8a90f2622fa0e6ea3d3e13eaf1cd8ee60aecc45cfd7f1312403bec3402f68b633a9585617d7b69c7fdf124210b0

memory/1708-27-0x0000000000BD0000-0x0000000000C09000-memory.dmp

C:\log\haha.txt

MD5 2252430978385da76aa25f6a8dc1c5b9
SHA1 834103ea84b02a5def72c10d48bb11d9246994e9
SHA256 5de23a22ecdd0fc8775c2b04f7648a11a78a7912c5dab6b19fe9b336bae92ccf
SHA512 012b2833e8542ac47c1fe997b487ea8012312a4706d9d45556416225d72f2c53a4afdd95bfb88c54aa9f77b6b29a9b3d91ea68393acd4b633a4192de6be310c2

memory/2180-63-0x0000000000840000-0x0000000000841000-memory.dmp

memory/2180-68-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

\??\c:\log\haha.txt

MD5 614e4f64e9211e160a4cbcaa2a559e1e
SHA1 73c5868606c572e5dafc358c721d54c4b99840e4
SHA256 2e7509f2c30b38d463d4b1f26e191e71025ff1a07ba6faadfdceb3dcd5443b3e
SHA512 3e2f0e287f58b8c3087956f06840e9cb764a8c4d19e27885d4429b788a40eab8e09de3ed603390627b90e853a791a6415f637ff6e7835f640c564f8cf85e2629

memory/2180-80-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2280-79-0x00000000017F0000-0x0000000001848000-memory.dmp

memory/2280-57-0x0000000000C70000-0x0000000000CBB000-memory.dmp

memory/1708-46-0x00000000023A0000-0x00000000023F8000-memory.dmp

memory/2280-56-0x00000000017F0000-0x0000000001848000-memory.dmp

\??\c:\log\haha.txt

MD5 80857c5feb763592ae39703b25175fe5
SHA1 f02797750931e4ac374dc16ca701b82799e31563
SHA256 d3711cc8bfdbd0f3b2774765a5436ceeeec2adeadeff32a943c1ba7f958334ca
SHA512 ffb9a8cb0bec6bc7cbb70e7390b8ef2c07ff7ae9f191da33d460f063c314c6218e75ead8b4da851762c214c64939d952d94dc182d54385de3dd4606148629a97

memory/2180-84-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2180-94-0x0000000000840000-0x0000000000841000-memory.dmp

memory/2180-95-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2180-96-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2180-99-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2180-104-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2180-107-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2180-109-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2180-112-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/2180-117-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/132-175-0x0000000002EB0000-0x0000000002F08000-memory.dmp

\??\c:\log\haha.txt

MD5 1f612158771f44a03af09bde9a837af6
SHA1 e18d623ff9e75847e0cc63f3e203ec0aba58bc9e
SHA256 43cbe756b1af809a0502d322a01c5b5f04a13cd0f06783f4f8082002e7b8deec
SHA512 f98cdda2f3d45040ef548d632729d0a78cc5d0ee69bb09a44b6b486ea4564409f4190503c61f11e2aab68e6c784d65ab4a7ca96ddbc50c6f89e9787fcd883a9f

memory/132-170-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

memory/132-180-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/132-181-0x0000000002EB0000-0x0000000002F08000-memory.dmp

memory/132-182-0x0000000002EB0000-0x0000000002F08000-memory.dmp

\??\c:\log\haha.txt

MD5 151409124bedfae949e399ea0a0b9432
SHA1 980dec2ecc515c7a6c9d0b93b34d8b9b7a24e952
SHA256 22ee1a865f5d40c93179db5da916d99fad38656235a7f429011939156a7fba78
SHA512 c8e4a938786e2fb5e943a295c8d094f8cd26ac60bb3b130891adbd487dca3428d57a2a53f8c1afe0d15b13c0a205791721d23287fd30e7eb34800634c120d3ad

memory/2180-191-0x0000000000FA0000-0x0000000000FF8000-memory.dmp

memory/132-347-0x0000000002EB0000-0x0000000002F08000-memory.dmp