Analysis
max time kernel: 150s
max time network: 149s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 07/12/2023, 19:54
Behavioral task: behavioral1
Sample: 23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe
Resource: win7-20231020-en
General
Target: 23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe
Size: 223KB
MD5: aa7c1437997a0f1c1ae8d07ff907135a
SHA1: 9a7e53855be3996f35854572cc5d9867e734f260
SHA256: 23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8
SHA512: df285ebbbcf74a70aa5a60ed6f116b5b2d0799db321a4abb69ac19bbedab7ea1727a2ea7c1cd3f0d4626d59f200de0ce1d9a3b3f9616c371c54e8b90ebab765e
SSDEEP: 3072:xZ7wXfSRZ0ON/EwW66wN94xu4CkAZJM2k5D66L+NfGbVON2Nqi/6gS5UoWXHz72n:7wPSUONLNsuWA7koN+boRi9S6oiz72D
Malware Config
Signatures
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
description: PID 1272 created 424 | pid: 1272 | Process: Explorer.EXE | procid_target: 3
Drops file in Drivers directory 9 IoCs
Deletes itself 1 IoCs
pid: 1872 | Process: cmd.exe
Executes dropped EXE 1 IoCs
pid: 2792 | Process: wlanext.exe
Loads dropped DLL 7 IoCs
pid: 1272 | Process: Explorer.EXE
pid: 1272 | Process: Explorer.EXE
pid: 1272 | Process: Explorer.EXE
pid: 1272 | Process: Explorer.EXE
pid: 1192 | Process: Dwm.exe
pid: 1192 | Process: Dwm.exe
pid: 1192 | Process: Dwm.exe
Modifies file permissions 1 TTPs 1 IoCs
pid: 1260 | Process: takeown.exe
resource: behavioral1/memory/1696-0-0x0000000000AD0000-0x0000000000B3E000-memory.dmp | yara_rule: upx
resource: behavioral1/memory/1696-45-0x0000000000AD0000-0x0000000000B3E000-memory.dmp | yara_rule: upx
resource: behavioral1/memory/1696-90-0x0000000000AD0000-0x0000000000B3E000-memory.dmp | yara_rule: upx
resource: behavioral1/memory/1696-99-0x0000000000AD0000-0x0000000000B3E000-memory.dmp | yara_rule: upx
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description: Destination IP | ioc: 114.114.114.114
resource: behavioral1/files/0x000d000000015c4d-155.dat | yara_rule: vmprotect
resource: behavioral1/files/0x001a000000015c4d-257.dat | yara_rule: vmprotect
resource: behavioral1/files/0x0025000000015c4d-371.dat | yara_rule: vmprotect
resource: behavioral1/files/0x002c000000015c4d-495.dat | yara_rule: vmprotect
Drops file in System32 directory 23 IoCs
Drops file in Program Files directory 33 IoCs
Drops file in Windows directory 9 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 1 IoCs
pid: 1504 | Process: timeout.exe
Modifies data under HKEY_USERS 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid: 1272 | Process: Explorer.EXE
Suspicious behavior: LoadsDriver 59 IoCs
Suspicious use of AdjustPrivilegeToken 20 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid: 1272 | Process: Explorer.EXE
pid: 1272 | Process: Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs
pid: 1272 | Process: Explorer.EXE
pid: 1272 | Process: Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs
pid: 1272 | Process: Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree (image, command line, PID; indentation shows the parent/child relationship the report recorded, signatures flagged on each process are listed beneath it):

C:\Windows\system32\winlogon.exe  winlogon.exe  PID:424
    C:\Program Files\wlanext.exe  "C:\Program Files\wlanext.exe"  PID:2792
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\takeown.exe  "C:\Windows\system32\takeown.exe"  PID:1260
            - Modifies file permissions
            - Modifies data under HKEY_USERS
            - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1192
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1272
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe  "C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"  PID:1696
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\cmd.exe  "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"  PID:1872
            - Deletes itself
            - Suspicious use of WriteProcessMemory
            C:\Windows\SysWOW64\timeout.exe  timeout /t 1  PID:1504
                - Delays execution with timeout.exe

Reading the tree: the submitted sample (1696) runs under Explorer.EXE and, as its only direct child, spawns a cmd.exe that waits one second and deletes the sample from disk. The dropped wlanext.exe (2792) does not appear under the sample at all; the tree places it under winlogon.exe (424), while the NtCreateUserProcessOtherParentProcess signature is raised on Explorer.EXE (1272), the process wlanext.exe later writes into. The Explorer and Dwm entries carry "Loads dropped DLL", so both shell processes end up hosting code from the sample's drops.
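An added example, not part of the sandbox report or its tooling: a Python triage script that transcribes the process tree and a few rows of the WriteProcessMemory table above as constructed data and applies three checks a practitioner would want when reading this kind of report. It flags a non-%SystemRoot% image parented by a core system process (the wlanext.exe-under-winlogon.exe relationship the tree shows), resolves the cmd.exe "timeout & del" one-liner to the ancestor whose own image is being deleted, and counts cross-process writes whose target is not a child of the writer. The row shape assumed for the WriteProcessMemory table, the set of "system parent" images and the heuristics themselves are my assumptions, not the sandbox's signature logic.

```python
import re
from collections import Counter

# Constructed sample data, hand-transcribed from the report's process tree:
# (pid, parent pid as the tree shows it, image path, command line).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe")
PROCESSES = [
    (424,  None, r"C:\Windows\system32\winlogon.exe", "winlogon.exe"),
    (2792, 424,  r"C:\Program Files\wlanext.exe",     r'"C:\Program Files\wlanext.exe"'),
    (1260, 2792, r"C:\Windows\system32\takeown.exe",  r'"C:\Windows\system32\takeown.exe"'),
    (1192, None, r"C:\Windows\system32\Dwm.exe",      r'"C:\Windows\system32\Dwm.exe"'),
    (1272, None, r"C:\Windows\Explorer.EXE",          r"C:\Windows\Explorer.EXE"),
    (1696, 1272, SAMPLE,                              f'"{SAMPLE}"'),
    (1872, 1696, r"C:\Windows\SysWOW64\cmd.exe",
     f'"C:\\Windows\\System32\\cmd.exe" /c timeout /t 1 & del /Q /F "{SAMPLE}"'),
    (1504, 1872, r"C:\Windows\SysWOW64\timeout.exe",  "timeout /t 1"),
]

# Constructed sample of the WriteProcessMemory table, one event per line. The
# 'PID <src> wrote to memory of <dst> <src> <image> <n>' line shape is assumed
# from the rows in the report, which repeats the 2792 -> 1272 row many more times.
WPM_EVENTS = """\
PID 1872 wrote to memory of 1504 1872 cmd.exe 34
PID 2792 wrote to memory of 1260 2792 wlanext.exe 35
PID 2792 wrote to memory of 1272 2792 wlanext.exe 22
PID 2792 wrote to memory of 1272 2792 wlanext.exe 22
"""

# Assumed list: core processes whose children should always live under %SystemRoot%.
SYSTEM_PARENTS = {"winlogon.exe", "smss.exe", "csrss.exe", "services.exe", "lsass.exe"}
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")
SELF_DELETE_RE = re.compile(
    r'\b(?:timeout|ping)\b.*&\s*del\s+(?:/\w\s+)*"?(?P<target>[^"&]+?\.exe)"?\s*$',
    re.IGNORECASE)


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def under_windows(path):
    return path.lower().startswith("c:\\windows\\")


def find_parent_anomalies(procs):
    """Non-%SystemRoot% images parented by a core system process (parent-PID
    spoofing or an unexpected spawn): returns (pid, image, ppid, parent image)."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, _cmd in procs:
        parent = by_pid.get(ppid)
        if parent and image_name(parent[2]) in SYSTEM_PARENTS and not under_windows(image):
            hits.append((pid, image, ppid, image_name(parent[2])))
    return hits


def find_self_delete(procs):
    """cmd.exe 'timeout/ping & del' one-liners whose target is an ancestor's
    own image: returns (cmd pid, ancestor pid, deleted path)."""
    by_pid = {p[0]: p for p in procs}
    hits = []
    for pid, ppid, image, cmd in procs:
        m = SELF_DELETE_RE.search(cmd) if image_name(image) == "cmd.exe" else None
        if not m:
            continue
        target = m.group("target")
        ancestor = by_pid.get(ppid)
        while ancestor:                      # walk up until an ancestor's image matches
            if ancestor[2].lower() == target.lower():
                hits.append((pid, ancestor[0], target))
                break
            ancestor = by_pid.get(ancestor[1])
    return hits


def parse_wpm(text):
    """(src pid, dst pid, src image) for every well-formed WriteProcessMemory row."""
    rows = (WPM_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1)), int(m.group(2)), m.group(3)) for m in rows if m]


def find_suspicious_writes(events, procs):
    """Count writes whose target is NOT a child of the writer. A parent writing
    into a child it has just created (cmd.exe -> timeout.exe, wlanext.exe ->
    takeown.exe) is ordinary start-up; wlanext.exe -> Explorer.EXE is not."""
    by_pid = {p[0]: p for p in procs}
    counts = Counter()
    for src, dst, _image in events:
        target = by_pid.get(dst)
        if target is None or target[1] == src:
            continue
        counts[(src, dst)] += 1
    return counts


def triage(procs, wpm_text):
    """Run all three checks and return the findings as one dict."""
    return {
        "system_parent_anomalies": find_parent_anomalies(procs),
        "self_delete": find_self_delete(procs),
        "cross_process_writes": dict(find_suspicious_writes(parse_wpm(wpm_text), procs)),
    }


if __name__ == "__main__":
    for key, value in triage(PROCESSES, WPM_EVENTS).items():
        print(f"{key}: {value}")
```

Two caveats when applying this to real reports. The tree is only as honest as the parent PIDs the sandbox recorded: when a process is created with an explicit parent handle (what the NtCreateUserProcessOtherParentProcess signature detects), the recorded parent is the spoofed one, which is why the script also looks at who writes into whom rather than trusting the tree alone. And cmd.exe is shown as C:\Windows\SysWOW64\cmd.exe while its command line names System32\cmd.exe: the sample is 32-bit, so file-system redirection maps System32 to SysWOW64 for it; that mismatch is expected, which is why the checks compare image file names, not full paths.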
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Files written during the run, with size and hashes. No path is recorded for most entries; the two CryptnetUrlCache entries are CryptoAPI URL-cache artifacts (certificate/CRL retrieval) under the SYSTEM profile, consistent with the "Modifies system certificate store" signature rather than being payloads themselves.

1. 97KB (this file is listed 10 times in the report: 3 times at the head of the list and 7 more at its tail, identical hashes each time)
   MD5 43fab56ae5f639ad59d7209693f4c4c2
   SHA1 7d23615f778b15791646c31688e63e7d5ebf02ff
   SHA256 c64155944da774a80d443a0e6dcc40a3405d9c69ca3ebc95ca46bfd65c7a4908
   SHA512 93709b5d2bb3c1b3950db578600a2c5bee3770c6f7008f45a30c1c857e4513330f7b98b4023cf1140f70050b70ab623c37227b9685fae92ffe9c00ee137e2313

2. 65KB
   MD5 ac05d27423a85adc1622c714f2cb6184
   SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
   SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
   SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

3. 29KB
   MD5 d59a6b36c5a94916241a3ead50222b6f
   SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
   SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
   SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

4. 81KB
   MD5 b13f51572f55a2d31ed9f266d581e9ea
   SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
   SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
   SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

5. 171KB
   MD5 9c0c641c06238516f27941aa1166d427
   SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
   SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
   SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

6. 415KB
   MD5 adb3baf4d3508556420028504199dbc6
   SHA1 af7a88d106147ba4752ae2a55dee32be38948890
   SHA256 d7bfc4a7546c1df6129b0737120c30a9bdadf7494eb0ad37d1c43dd8d959cf27
   SHA512 d108336f5da456db746318ca2fb9c0beaab39915e327dd55a2db8755edd7dc5fe6ac33558ca42b0daa7d1751c1b307fc64a0a7e136971cb56ea28055f871d10c

7. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
   Filesize 1KB
   MD5 a266bb7dcc38a562631361bbf61dd11b
   SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
   SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
   SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

8. C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
   Filesize 242B
   MD5 55dbae1c3d897a6d464ba84c0e7a0038
   SHA1 95075e401916f887a74c083262e91367aa0369e5
   SHA256 7310b6348f11ea87169f248460622e3579653ad37d78101bd92ffa2a6cbd4913
   SHA512 c8478b4b70320625eebfeed7dc0188304b236df4c4332a54fba3a9950734db3ea79cb005b92bb333ccd49dac8abf21ffb5b7534a0652339bd896d5711e48ffca

9. 447KB
   MD5 d15f5f23df8036bd5089ce8d151b0e0d
   SHA1 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
   SHA256 f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
   SHA512 feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

10. 447KB
   MD5 39af9a328c2339b614faf5142a1395c4
   SHA1 914aea213ee2c4a7dfea93192b7e53cc7aa91a9e
   SHA256 7196fd2702a35acfaf54ef356459bfbe3c82a3dde6215e6c90fb8635199757f5
   SHA512 2dcd566a9d0b49fa9eb44ac05efd6750ada216b99f6c626ddae3a7ad2f53c55d0aae2e43ea07b144fbe2536b637fa03f5fb3c2562e70cdfefeedc1421c207e33

11. 415KB
   MD5 64bc1983743c584a9ad09dacf12792e5
   SHA1 0f14098f523d21f11129c4df09451413ddff6d61
   SHA256 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
   SHA512 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

Note that the two 447KB files and the two 415KB files have different hashes: same size, different content, so they are distinct artifacts and not re-drops of one file.