Malware Analysis Report

2024-07-11 07:36

Sample ID 240410-pa79msac3s
Target 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f
SHA256 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f
Tags
plugx trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f

Threat Level: Known bad

The file 7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f was found to be: Known bad.

Malicious Activity Summary

plugx trojan

Detects PlugX payload

PlugX

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-10 12:08

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 12:08

Reported

2024-04-10 12:11

Platform

win7-20240215-en

Max time kernel

150s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"

Signatures

Detects PlugX payload

PlugX

trojan plugx

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 44003700310033003200330030003300330039003000440046003000310033000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SoftManager.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SoftManager.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2016 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe C:\Users\Admin\AppData\Local\Temp\SoftManager.exe
PID 2372 wrote to memory of 2848 N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe C:\Windows\SysWOW64\svchost.exe
PID 2848 wrote to memory of 1616 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe

"C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"

C:\Users\Admin\AppData\Local\Temp\SoftManager.exe

"C:\Users\Admin\AppData\Local\Temp\SoftManager.exe"

C:\ProgramData\360SoftManager\softmgr\SoftManager.exe

"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 100 2976

C:\ProgramData\360SoftManager\softmgr\SoftManager.exe

"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2848

Network

Country Destination Domain Proto
US 8.8.8.8:53 steam.dajuw.com udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 rc.dajuw.com udp

Files

\Users\Admin\AppData\Local\Temp\SoftManager.exe

MD5 cffab901ec1573799473a7b4d110cf08
SHA1 4dae9fc43de6bb4b3b47fcac5348a104c4792988
SHA256 5ea1bb2021e94cd70d21bc51d586a1edc0cc1e584986cfc4460a2a98a828db97
SHA512 8ab0334dbad12047e743c51cd44aec3287e4c938b904b01b9586e73c10d3aa1f36347f00045c89a2ca2399d140b804be789c502251b9d5b9dc7610ab9dc9cd60

C:\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 ce07ef4ef68a65715bb2c2beabdd289e
SHA1 bc9565fc5b790cb6e6c7097248a3f4063db33ce6
SHA256 ddd19d60f37f04e33fb74f6ef2e45f24be1bab8423aba608987804eed9316567
SHA512 d24023ac21524e5e9d7d885c65038533ef055a9ada45a0a6f5b8218a88328dec27ea83fbff0423daf331b038da4fae2df3b450e3bfe41882b29e57fbea689227

C:\Users\Admin\AppData\Local\Temp\SoftManager.dat

MD5 e46f18ec2a13ef883c1b6a50ec157971
SHA1 816e48a51827797bf3ab2204b962ab1edcb018d6
SHA256 31ba90be019b15895da9b3a0943e88115fc08769d7857fc2fedc6eb7b13fd9c9
SHA512 6c9da9296390c050af8255f1dead0bc18835bc5dbe2fd0e2baa6d00ed5c58b5109f06b4edd76e826b1976ce513cb0c097243ce5812f17b6be518469b10e35b0d

memory/2976-25-0x0000000001FB0000-0x00000000020B0000-memory.dmp

memory/2976-26-0x0000000000230000-0x0000000000265000-memory.dmp

memory/2976-39-0x0000000000230000-0x0000000000265000-memory.dmp

memory/2648-48-0x00000000008E0000-0x0000000000915000-memory.dmp

memory/2372-55-0x00000000001A0000-0x00000000001D5000-memory.dmp

memory/2372-56-0x00000000001A0000-0x00000000001D5000-memory.dmp

memory/2848-57-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2848-61-0x00000000000A0000-0x00000000000C4000-memory.dmp

memory/2848-63-0x00000000000D0000-0x00000000000D2000-memory.dmp

memory/2848-65-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2848-66-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2848-68-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2372-67-0x00000000001A0000-0x00000000001D5000-memory.dmp

memory/2848-79-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2848-80-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2848-81-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2848-82-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2848-84-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2848-85-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2848-86-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2848-89-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/2648-90-0x00000000008E0000-0x0000000000915000-memory.dmp

memory/1616-99-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1616-100-0x00000000002F0000-0x0000000000325000-memory.dmp

memory/1616-102-0x0000000000090000-0x0000000000091000-memory.dmp

memory/1616-103-0x00000000002F0000-0x0000000000325000-memory.dmp

memory/1616-104-0x00000000002F0000-0x0000000000325000-memory.dmp

memory/1616-105-0x00000000002F0000-0x0000000000325000-memory.dmp

memory/2848-107-0x0000000000280000-0x00000000002B5000-memory.dmp

memory/1616-108-0x00000000002F0000-0x0000000000325000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 12:08

Reported

2024-04-10 12:11

Platform

win10v2004-20240226-en

Max time kernel

159s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"

Signatures

Detects PlugX payload

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 42004400460031003200390043003700310034004400300041003000330041000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SoftManager.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\SoftManager.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe C:\Users\Admin\AppData\Local\Temp\SoftManager.exe
PID 1044 wrote to memory of 2312 N/A C:\ProgramData\360SoftManager\softmgr\SoftManager.exe C:\Windows\SysWOW64\svchost.exe
PID 2312 wrote to memory of 4572 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe

"C:\Users\Admin\AppData\Local\Temp\7d0ff5125ace6fc49103c71fdab7f430c20741ce36b54e0379c71a6841962e0f.exe"

C:\Users\Admin\AppData\Local\Temp\SoftManager.exe

"C:\Users\Admin\AppData\Local\Temp\SoftManager.exe"

C:\ProgramData\360SoftManager\softmgr\SoftManager.exe

"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 100 4488

C:\ProgramData\360SoftManager\softmgr\SoftManager.exe

"C:\ProgramData\360SoftManager\softmgr\SoftManager.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2312

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.14.97.104.in-addr.arpa udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 steam.dajuw.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 85.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 rc.dajuw.com udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\SoftManager.exe

MD5 cffab901ec1573799473a7b4d110cf08
SHA1 4dae9fc43de6bb4b3b47fcac5348a104c4792988
SHA256 5ea1bb2021e94cd70d21bc51d586a1edc0cc1e584986cfc4460a2a98a828db97
SHA512 8ab0334dbad12047e743c51cd44aec3287e4c938b904b01b9586e73c10d3aa1f36347f00045c89a2ca2399d140b804be789c502251b9d5b9dc7610ab9dc9cd60

C:\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 ce07ef4ef68a65715bb2c2beabdd289e
SHA1 bc9565fc5b790cb6e6c7097248a3f4063db33ce6
SHA256 ddd19d60f37f04e33fb74f6ef2e45f24be1bab8423aba608987804eed9316567
SHA512 d24023ac21524e5e9d7d885c65038533ef055a9ada45a0a6f5b8218a88328dec27ea83fbff0423daf331b038da4fae2df3b450e3bfe41882b29e57fbea689227

memory/4488-21-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\SoftManager.dat

MD5 e46f18ec2a13ef883c1b6a50ec157971
SHA1 816e48a51827797bf3ab2204b962ab1edcb018d6
SHA256 31ba90be019b15895da9b3a0943e88115fc08769d7857fc2fedc6eb7b13fd9c9
SHA512 6c9da9296390c050af8255f1dead0bc18835bc5dbe2fd0e2baa6d00ed5c58b5109f06b4edd76e826b1976ce513cb0c097243ce5812f17b6be518469b10e35b0d

memory/4488-22-0x0000000002C10000-0x0000000002C45000-memory.dmp

memory/4488-23-0x0000000002C10000-0x0000000002C45000-memory.dmp

memory/4512-46-0x00000000010E0000-0x0000000001110000-memory.dmp

memory/4512-45-0x0000000001110000-0x0000000001145000-memory.dmp

memory/1044-52-0x0000000000F60000-0x0000000000F95000-memory.dmp

memory/1044-53-0x0000000000F60000-0x0000000000F95000-memory.dmp

memory/2312-54-0x0000000001240000-0x0000000001241000-memory.dmp

memory/2312-55-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/1044-56-0x0000000000F60000-0x0000000000F95000-memory.dmp

memory/2312-57-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/2312-59-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/2312-69-0x0000000001240000-0x0000000001241000-memory.dmp

memory/2312-70-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/2312-71-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/2312-72-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/2312-74-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/4488-75-0x0000000002C10000-0x0000000002C45000-memory.dmp

memory/2312-76-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/4512-78-0x0000000001110000-0x0000000001145000-memory.dmp

memory/2312-80-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/2312-81-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/2312-83-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/4572-85-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/4572-84-0x0000000002A40000-0x0000000002A75000-memory.dmp

memory/4572-86-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

memory/4572-88-0x0000000002A40000-0x0000000002A75000-memory.dmp

memory/4572-89-0x0000000002A40000-0x0000000002A75000-memory.dmp

memory/4572-87-0x0000000002A40000-0x0000000002A75000-memory.dmp

memory/4572-90-0x0000000002A40000-0x0000000002A75000-memory.dmp

memory/2312-92-0x00000000018F0000-0x0000000001925000-memory.dmp

memory/4572-93-0x0000000002A40000-0x0000000002A75000-memory.dmp