Malware Analysis Report

2025-08-11 01:36

Sample ID 231207-ym1j1afc23
Target 23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8
SHA256 23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8
Tags
upx discovery vmprotect
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8

Threat Level: Known bad

The file 23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8 was found to be: Known bad.

Malicious Activity Summary

upx discovery vmprotect

Suspicious use of NtCreateUserProcessOtherParentProcess

Drops file in Drivers directory

Executes dropped EXE

Modifies file permissions

VMProtect packed file

Unexpected DNS network traffic destination

Checks computer location settings

UPX packed file

Loads dropped DLL

Deletes itself

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Delays execution with timeout.exe

Modifies data under HKEY_USERS

Suspicious use of UnmapMainImage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-07 19:55

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-07 19:54

Reported

2023-12-07 19:57

Platform

win7-20231020-en

Max time kernel

150s

Max time network

149s

Command Line

winlogon.exe

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1272 created 424 N/A C:\Windows\Explorer.EXE C:\Windows\system32\winlogon.exe

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\7HGFqEt9oXZL58.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\drivers\uN7OvjgygdlB.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\drivers\gz56wIoI3aPMe.wsh C:\Program Files\wlanext.exe N/A
File created C:\Windows\System32\drivers\2lNQwwT.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\drivers\kwMJdhyipgXy.pfv C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\drivers\QQmLYzQWQh7.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\drivers\l7CWdYsjJTN.ell C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\drivers\dTBjX4EFdHMC.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\drivers\2Pcni2jHRtk.rth C:\Program Files\wlanext.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\wlanext.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\Dwm.exe N/A
N/A N/A C:\Windows\system32\Dwm.exe N/A
N/A N/A C:\Windows\system32\Dwm.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 114.114.114.114 N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\jcEpJe4mXn0JS.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\x5CwXmeqDn1.xkf C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\aeLWkDpLkd.tts C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 C:\Program Files\wlanext.exe N/A
File created C:\Windows\system32\ \Windows\System32\8W2mIyx7Y.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\mUst5oMiGy.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\sM53zQEsuVB0.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\KBdOM8pt97.skn C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\B4Pcdd69fOl7Y.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\system32\R1anCNOi7Y4R.kyf C:\Program Files\wlanext.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\MSBuild\manifest.json C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\bxC1A0tubM1.ynr C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\Windows Journal\manifest.json C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files (x86)\KoeoyJ2PlUJ6Ij.ktt C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\b4KUHCajX4.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\MSBuild\lib\6c4357c2.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\7-Zip\3ddd57f0.js C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\biuYq76rbuwDV.fan C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files (x86)\WPHKmmiByoIYf.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files (x86)\jVTQHRQ86T.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\Windows Journal\4d54aae0.html C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\7-Zip\5ccc03e8.js C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\nKnJXahe5VF.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files (x86)\sV7QFKRxF4AFy.hbp C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\Windows Journal\5ccc0040.js C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\pELUD7I6qZ05x.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files (x86)\MmxarrlrmgErb.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\Je1pvowZHKrj.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\7-Zip\4d54adec.html C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\7-Zip\lib\6c4359e4.js C:\Windows\system32\Dwm.exe N/A
File created C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\8VsON7G7DefsE.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\7-Zip\manifest.json C:\Windows\system32\Dwm.exe N/A
File opened for modification C:\Program Files\AOkjfPZH0lB5.him C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\MSBuild\4d54ac66.html C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\Windows Journal\3ddd5580.js C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\Windows Journal\lib\6c4355a0.js C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\MSBuild\3ddd56b8.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\MSBuild\5ccc0214.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\aSpquBHO5GQwg.gcp C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files (x86)\6QgsIltvMr.lpj C:\Program Files\wlanext.exe N/A
File opened for modification C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\RZ8Pjv0g0vb.hgz C:\Program Files\wlanext.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SrWhN5gDHmlrQt.xgt C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\VLOtiHuABofO.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\FXNSq1XvNrsm.vid C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\iq8MK3bpxSsNb.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\14z4a3DDThcb.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\HWvgFRy7PV2i3.duo C:\Program Files\wlanext.exe N/A
File created C:\Windows\hBSOj0b6O.sys C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\JK8JHzvZpqNe.mxz C:\Program Files\wlanext.exe N/A
File opened for modification C:\Windows\lrizTgCvq0jY.sys C:\Program Files\wlanext.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-7a-e8-f4-52-2c\WpadDecisionReason = "1" C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\system32\takeown.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-7a-e8-f4-52-2c\WpadDecisionTime = 30fe3a4f4729da01 C:\Program Files\wlanext.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Program Files\wlanext.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\takeown.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\wlanext.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{809C8AD4-D7BF-4111-84DA-CEA3496764F6}\WpadDecision = "0" C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-7a-e8-f4-52-2c C:\Program Files\wlanext.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\4a-7a-e8-f4-52-2c\WpadDecision = "0" C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{809C8AD4-D7BF-4111-84DA-CEA3496764F6}\WpadDecisionTime = 30fe3a4f4729da01 C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\takeown.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\takeown.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Program Files\wlanext.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{809C8AD4-D7BF-4111-84DA-CEA3496764F6}\4a-7a-e8-f4-52-2c C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files\wlanext.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{809C8AD4-D7BF-4111-84DA-CEA3496764F6}\WpadNetworkName = "Network 3" C:\Program Files\wlanext.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\takeown.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files\wlanext.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\system32\takeown.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\wlanext.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\899780E631209C77294D0BD23232F1DEA029C9E0 C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\899780E631209C77294D0BD23232F1DEA029C9E0\Blob = 0f0000000100000020000000055410e3c30e41bb904fb9acac47f57e3a51a8e27d55881b7fa58aaaa98297ad030000000100000014000000899780e631209c77294d0bd23232f1dea029c9e020000000010000004402000030820240308201a9a003020102020100300d06092a864886f70d01010b05003044310b300906035504061302434e3135303306035504030c2c4d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f72697479205632301e170d3233313230373139353533395a170d3234313230363139353533395a3044310b300906035504061302434e3135303306035504030c2c4d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f7269747920563230819f300d06092a864886f70d010101050003818d0030818902818100f0d1224c6a437bd64b2cd86364325d37e1bd18afff527eaf442edd0791d94b6ae2e895165fc9319faf08bcf026bf246477e065c3866e5fb7739382e074754d1bba98d5839d8b777180ef7fe7791be413541e488ea4ec4afb535f0cd44be562162ed29430bd78a582b8727b86f6ac24edd7e9bc26b94568490be84d39911292330203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414062143f506130cc3073a09d204d573ebe34970c0300d06092a864886f70d01010b050003818100adee725e3552b4bef52dca43c86aac8536321cbb9798725a607b6d7642d13c51f5075eb624e822041374f50ba2a9d5465a70eb6d373b61025e25bd71fd400b1df6956d6c790b849550fd824776b132820b2dfabeb275fec56ab6d918104a80113c87ed79de85ab09e6e3366bc052c062b52efc7dd5f0effb81269945cb841d93 C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\899780E631209C77294D0BD23232F1DEA029C9E0\Blob = [blob omitted] C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Program Files\wlanext.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted] C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\899780E631209C77294D0BD23232F1DEA029C9E0\Blob = [blob omitted] C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted] C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob omitted] C:\Program Files\wlanext.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [blob omitted] C:\Program Files\wlanext.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Program Files\wlanext.exe N/A
N/A N/A C:\Program Files\wlanext.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A (59 identical rows; no description, indicator, process or target recorded for any of them)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeBackupPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\wlanext.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\Dwm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\Dwm.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1696 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\Explorer.EXE
PID 1696 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\Explorer.EXE
PID 1696 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\Explorer.EXE
PID 1696 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\Explorer.EXE
PID 1696 wrote to memory of 1272 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\Explorer.EXE
PID 1272 wrote to memory of 2792 N/A C:\Windows\Explorer.EXE C:\Program Files\wlanext.exe
PID 1272 wrote to memory of 2792 N/A C:\Windows\Explorer.EXE C:\Program Files\wlanext.exe
PID 1272 wrote to memory of 2792 N/A C:\Windows\Explorer.EXE C:\Program Files\wlanext.exe
PID 1272 wrote to memory of 2792 N/A C:\Windows\Explorer.EXE C:\Program Files\wlanext.exe
PID 1272 wrote to memory of 2792 N/A C:\Windows\Explorer.EXE C:\Program Files\wlanext.exe
PID 1272 wrote to memory of 2792 N/A C:\Windows\Explorer.EXE C:\Program Files\wlanext.exe
PID 1272 wrote to memory of 2792 N/A C:\Windows\Explorer.EXE C:\Program Files\wlanext.exe
PID 1272 wrote to memory of 2792 N/A C:\Windows\Explorer.EXE C:\Program Files\wlanext.exe
PID 1696 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\system32\winlogon.exe
PID 1696 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\system32\winlogon.exe
PID 1696 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\system32\winlogon.exe
PID 1696 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\system32\winlogon.exe
PID 1696 wrote to memory of 424 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\system32\winlogon.exe
PID 1696 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\SysWOW64\cmd.exe
PID 1696 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\SysWOW64\cmd.exe
PID 1872 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1872 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1872 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 1872 wrote to memory of 1504 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2792 wrote to memory of 1260 N/A C:\Program Files\wlanext.exe C:\Windows\system32\takeown.exe
PID 2792 wrote to memory of 1260 N/A C:\Program Files\wlanext.exe C:\Windows\system32\takeown.exe
PID 2792 wrote to memory of 1260 N/A C:\Program Files\wlanext.exe C:\Windows\system32\takeown.exe
PID 2792 wrote to memory of 1260 N/A C:\Program Files\wlanext.exe C:\Windows\system32\takeown.exe
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1260 N/A C:\Program Files\wlanext.exe C:\Windows\system32\takeown.exe
PID 2792 wrote to memory of 1260 N/A C:\Program Files\wlanext.exe C:\Windows\system32\takeown.exe
PID 2792 wrote to memory of 1260 N/A C:\Program Files\wlanext.exe C:\Windows\system32\takeown.exe
PID 2792 wrote to memory of 1260 N/A C:\Program Files\wlanext.exe C:\Windows\system32\takeown.exe
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE
PID 2792 wrote to memory of 1272 N/A C:\Program Files\wlanext.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe

"C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"

C:\Program Files\wlanext.exe

"C:\Program Files\wlanext.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

C:\Windows\system32\takeown.exe

"C:\Windows\system32\takeown.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 f9b03f5bc3f119f2.vbnm34567.xyz udp
US 114.114.114.114:53 down.nugong.asia udp
CN 218.29.50.234:443 down.nugong.asia tcp
CN 218.29.50.234:80 down.nugong.asia tcp
US 8.8.8.8:53 apps.game.qq.com udp
CN 101.227.134.27:443 apps.game.qq.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
NL 47.246.48.205:80 ocsp.digicert.cn tcp
CN 218.29.50.234:443 down.nugong.asia tcp
US 8.8.8.8:53 sp1.baidu.com udp
US 104.193.88.123:443 sp1.baidu.com tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
CN 111.48.138.18:80 ocsp.trust-provider.cn tcp
N/A 234.2.2.2:27428 udp
N/A 233.123.112.211:23207 udp
CN 218.29.50.234:80 down.nugong.asia tcp
US 8.8.8.8:53 down.nugong.asia udp
CN 122.189.171.55:80 down.nugong.asia tcp
US 8.8.8.8:53 sp0.baidu.com udp
US 104.193.88.77:80 sp0.baidu.com tcp
US 8.8.8.8:53 dns.alidns.com udp
CN 223.5.5.5:443 dns.alidns.com tcp
US 8.8.8.8:53 www.microsoft.com udp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
CN 223.5.5.5:443 dns.alidns.com tcp
CN 223.5.5.5:80 dns.alidns.com tcp
N/A 234.2.2.2:27428 udp
N/A 234.2.2.2:27428 udp

Files

memory/1696-0-0x0000000000AD0000-0x0000000000B3E000-memory.dmp

memory/1272-18-0x00000000029A0000-0x00000000029A3000-memory.dmp

memory/1272-21-0x0000000006BD0000-0x0000000006CC7000-memory.dmp

memory/1272-19-0x00000000029A0000-0x00000000029A3000-memory.dmp

memory/1272-22-0x0000000006BD0000-0x0000000006CC7000-memory.dmp

memory/2792-26-0x0000000000060000-0x0000000000123000-memory.dmp

memory/2792-42-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

memory/2792-41-0x000007FEBF7D0000-0x000007FEBF7E0000-memory.dmp

memory/2792-40-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

memory/2792-38-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

C:\Program Files\wlanext.exe

MD5 43fab56ae5f639ad59d7209693f4c4c2
SHA1 7d23615f778b15791646c31688e63e7d5ebf02ff
SHA256 c64155944da774a80d443a0e6dcc40a3405d9c69ca3ebc95ca46bfd65c7a4908
SHA512 93709b5d2bb3c1b3950db578600a2c5bee3770c6f7008f45a30c1c857e4513330f7b98b4023cf1140f70050b70ab623c37227b9685fae92ffe9c00ee137e2313

memory/2792-34-0x0000000000160000-0x0000000000163000-memory.dmp

memory/2792-28-0x0000000000130000-0x0000000000131000-memory.dmp

\Program Files\wlanext.exe

MD5 43fab56ae5f639ad59d7209693f4c4c2
SHA1 7d23615f778b15791646c31688e63e7d5ebf02ff
SHA256 c64155944da774a80d443a0e6dcc40a3405d9c69ca3ebc95ca46bfd65c7a4908
SHA512 93709b5d2bb3c1b3950db578600a2c5bee3770c6f7008f45a30c1c857e4513330f7b98b4023cf1140f70050b70ab623c37227b9685fae92ffe9c00ee137e2313

memory/424-46-0x0000000000800000-0x0000000000828000-memory.dmp

memory/1696-45-0x0000000000AD0000-0x0000000000B3E000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

memory/1696-90-0x0000000000AD0000-0x0000000000B3E000-memory.dmp

memory/2792-96-0x0000000037B90000-0x0000000037BA0000-memory.dmp

memory/2792-98-0x0000000000800000-0x0000000000828000-memory.dmp

memory/1696-99-0x0000000000AD0000-0x0000000000B3E000-memory.dmp

memory/1272-100-0x0000000006BD0000-0x0000000006CC7000-memory.dmp

memory/2792-101-0x0000000001E70000-0x0000000001E71000-memory.dmp

memory/2792-102-0x0000000001CA0000-0x0000000001D6B000-memory.dmp

memory/2792-103-0x0000000001E70000-0x0000000001E71000-memory.dmp

memory/424-104-0x0000000000800000-0x0000000000828000-memory.dmp

memory/2792-106-0x0000000001F10000-0x0000000001F1F000-memory.dmp

memory/2792-105-0x0000000002CB0000-0x0000000002D67000-memory.dmp

memory/2792-108-0x0000000002240000-0x000000000226E000-memory.dmp

memory/2792-107-0x0000000002240000-0x000000000226E000-memory.dmp

memory/2792-110-0x0000000004010000-0x0000000004132000-memory.dmp

memory/2792-114-0x0000000005960000-0x0000000005B2A000-memory.dmp

memory/1260-112-0x00000000000F0000-0x000000000028C000-memory.dmp

memory/2792-111-0x0000000001E70000-0x0000000001E71000-memory.dmp

memory/1272-121-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1260-132-0x00000000002B0000-0x00000000002B3000-memory.dmp

memory/1260-135-0x0000000001EE0000-0x0000000002086000-memory.dmp

memory/1272-148-0x0000000001EE0000-0x0000000002086000-memory.dmp

C:\Windows\VLOtiHuABofO.sys

MD5 d15f5f23df8036bd5089ce8d151b0e0d
SHA1 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256 f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512 feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

memory/2792-178-0x0000000004010000-0x0000000004132000-memory.dmp

memory/2792-180-0x0000000005960000-0x0000000005B2A000-memory.dmp

memory/1272-193-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1260-208-0x0000000001EE0000-0x0000000002086000-memory.dmp

C:\Windows\iq8MK3bpxSsNb.sys

MD5 39af9a328c2339b614faf5142a1395c4
SHA1 914aea213ee2c4a7dfea93192b7e53cc7aa91a9e
SHA256 7196fd2702a35acfaf54ef356459bfbe3c82a3dde6215e6c90fb8635199757f5
SHA512 2dcd566a9d0b49fa9eb44ac05efd6750ada216b99f6c626ddae3a7ad2f53c55d0aae2e43ea07b144fbe2536b637fa03f5fb3c2562e70cdfefeedc1421c207e33

memory/1272-272-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-287-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-309-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-336-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-354-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-363-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-345-0x00000000029B0000-0x00000000029B1000-memory.dmp

C:\Windows\lrizTgCvq0jY.sys

MD5 64bc1983743c584a9ad09dacf12792e5
SHA1 0f14098f523d21f11129c4df09451413ddff6d61
SHA256 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

memory/1272-382-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-391-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-381-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-372-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-401-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-400-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-427-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-436-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-443-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-426-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-454-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-471-0x00000000029B0000-0x00000000029B1000-memory.dmp

C:\Windows\14z4a3DDThcb.sys

MD5 adb3baf4d3508556420028504199dbc6
SHA1 af7a88d106147ba4752ae2a55dee32be38948890
SHA256 d7bfc4a7546c1df6129b0737120c30a9bdadf7494eb0ad37d1c43dd8d959cf27
SHA512 d108336f5da456db746318ca2fb9c0beaab39915e327dd55a2db8755edd7dc5fe6ac33558ca42b0daa7d1751c1b307fc64a0a7e136971cb56ea28055f871d10c

memory/1272-536-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-553-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-562-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-571-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1272-583-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2792-584-0x00000000029B0000-0x00000000029B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCB3D.tmp

MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

C:\Users\Admin\AppData\Local\Temp\TarCB50.tmp

MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

C:\Users\Admin\AppData\Local\Temp\TarCCBA.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 55dbae1c3d897a6d464ba84c0e7a0038
SHA1 95075e401916f887a74c083262e91367aa0369e5
SHA256 7310b6348f11ea87169f248460622e3579653ad37d78101bd92ffa2a6cbd4913
SHA512 c8478b4b70320625eebfeed7dc0188304b236df4c4332a54fba3a9950734db3ea79cb005b92bb333ccd49dac8abf21ffb5b7534a0652339bd896d5711e48ffca

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

memory/1272-690-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2792-739-0x0000000001E80000-0x0000000001E81000-memory.dmp

memory/1272-743-0x0000000002CA0000-0x0000000002CA3000-memory.dmp

memory/1272-744-0x0000000008C60000-0x0000000008D82000-memory.dmp

memory/1192-746-0x0000000002410000-0x0000000002532000-memory.dmp

memory/1272-748-0x0000000008D90000-0x0000000008D94000-memory.dmp

memory/1192-749-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

memory/1272-747-0x0000000003960000-0x0000000003961000-memory.dmp

C:\Program Files\wlanext.exe

MD5 43fab56ae5f639ad59d7209693f4c4c2
SHA1 7d23615f778b15791646c31688e63e7d5ebf02ff
SHA256 c64155944da774a80d443a0e6dcc40a3405d9c69ca3ebc95ca46bfd65c7a4908
SHA512 93709b5d2bb3c1b3950db578600a2c5bee3770c6f7008f45a30c1c857e4513330f7b98b4023cf1140f70050b70ab623c37227b9685fae92ffe9c00ee137e2313

memory/2792-762-0x0000000001E80000-0x0000000001E81000-memory.dmp

memory/1272-763-0x0000000008C60000-0x0000000008D82000-memory.dmp

memory/1192-764-0x0000000002410000-0x0000000002532000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-07 19:54

Reported

2023-12-07 19:57

Platform

win10v2004-20231127-en

Max time kernel

150s

Max time network

148s

Command Line

winlogon.exe

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3120 created 588 N/A C:\Windows\Explorer.EXE C:\Windows\system32\winlogon.exe

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\jNkMsMmWFa.roj C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\drivers\DhcEKD3Bx4suz.ayv C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\drivers\GZIiD2KSn39C.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\drivers\b8dFKa4aeKS.oma C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\drivers\q0uuwiskCN3bT.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\drivers\KZTmakl77u.wqj C:\Windows\Help\msdtc.exe N/A
File created C:\Windows\System32\drivers\gRU4Q6.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\drivers\fN2neMeqouctL.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\drivers\hNjZPaE75bg.sys C:\Windows\Help\msdtc.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Help\msdtc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 114.114.114.114 N/A N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\qq4uFOF6AkjrL.zhd C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046 C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D440AC65793A7BBE167BE882B99F465E C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3 C:\Windows\Help\msdtc.exe N/A
File created C:\Windows\system32\ \Windows\System32\8jGvJ6zAh.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\DIsdUc1PR4hL.cme C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\dzEtJavzpXRS.qvm C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\Sa6BsLuuwH.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\qXEZopU41QOTF.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\2agxZ7GRGQ29S.dsy C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\2VJNaWeKhyjvK.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\X6Dda1jkurz.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3FE2BD01AB6BC312BF0DADE7F797388F_896832C6BC857CFAEA9E59E166B13E2C C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AD5F118F7897046E8CA970AE6A6AB70B_ADB601E2C381343DA1163E5F08582475 C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_CE21678B3713ACF5F5ED4AAA700C6173 C:\Windows\Help\msdtc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\gXRWrA9tqJGGA.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\AjG2rn8c0IEIZ.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\wtMZXXFvSUBpP.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\46lzzfYOr2zDD.bhi C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\5eER9PusMHUU.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\Windows Mail\5611d1b4.js C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\WindowsApps\lib\646a1fc2.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\gghE1hNSpx.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\0TOK3Mwg16gQd.ipr C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\gIYRDja1ly.kua C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\HWxxGv6fqtItv.npv C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\pSqtCMzN5vTRN.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\WindowsApps\396136b8.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\4W13lhgdAbvgs2.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\WindowsApps\manifest.json C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\FVifWtrVz8gdNT.tjx C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files (x86)\ipc8UnSOnrYGB.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\WindowsApps\47b98466.html C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files\PJ2oWg5mHptD5.ugk C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\Windows Mail\47b98416.html C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\6NHqVlNkZmxXW.mjq C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\Windows Mail\manifest.json C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\Windows Mail\39613678.js C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\Windows Mail\lib\646a1f52.js C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Program Files\WindowsApps\5611d214.js C:\Windows\Explorer.EXE N/A
File opened for modification C:\Program Files (x86)\ETPm5scuTES.qtx C:\Windows\Help\msdtc.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Help\msdtc.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\Help\msdtc.exe C:\Windows\Explorer.EXE N/A
File opened for modification C:\Windows\FAh9EvVHYcLJh2.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\9bI9sOdnNHvnsj.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\LvmXUxN1VRyAyc.otu C:\Windows\Help\msdtc.exe N/A
File created C:\Windows\SnmGbO.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\Wvpk8ZFeDLv.sys C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\NZEz3ysPI14KJ.ovr C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\rWMGh7n9vl.dlu C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\bEbVx3OX4T.hwf C:\Windows\Help\msdtc.exe N/A
File opened for modification C:\Windows\5UQL4XD0biI0G1.sys C:\Windows\Help\msdtc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 C:\Windows\Help\msdtc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 C:\Windows\Help\msdtc.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\Help\msdtc.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\Help\msdtc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\Help\msdtc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Help\msdtc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Help\msdtc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\Help\msdtc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\system32\msinfo32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\Help\msdtc.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Help\msdtc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Help\msdtc.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Help\msdtc.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\system32\msinfo32.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\system32\msinfo32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1067295379-1486014338-1703171060-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Help\msdtc.exe N/A
N/A N/A C:\Windows\system32\msinfo32.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Help\msdtc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeBackupPrivilege N/A C:\Windows\Help\msdtc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\dwm.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 3120 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\Explorer.EXE
PID 3120 wrote to memory of 2084 N/A C:\Windows\Explorer.EXE C:\Windows\Help\msdtc.exe
PID 1848 wrote to memory of 588 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\system32\winlogon.exe
PID 1848 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe C:\Windows\SysWOW64\cmd.exe
PID 3748 wrote to memory of 4920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\timeout.exe
PID 2084 wrote to memory of 3120 N/A C:\Windows\Help\msdtc.exe C:\Windows\Explorer.EXE
PID 2084 wrote to memory of 4236 N/A C:\Windows\Help\msdtc.exe C:\Windows\system32\msinfo32.exe

Processes

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe

"C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"

C:\Windows\Help\msdtc.exe

"C:\Windows\Help\msdtc.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\23f32f21c19d22034be2c95d2b4f560612b1002a8978529f2093c03c897911d8.exe"

C:\Windows\SysWOW64\timeout.exe

timeout /t 1

C:\Windows\system32\msinfo32.exe

"C:\Windows\system32\msinfo32.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 206.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 f9b03f5bc3f119f2.vbnm34567.xyz udp
US 114.114.114.114:53 down.nugong.asia udp
CN 118.212.235.231:443 down.nugong.asia tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 114.114.114.114.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 231.235.212.118.in-addr.arpa udp
US 8.8.8.8:53 226.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
CN 118.212.235.231:80 down.nugong.asia tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 apps.game.qq.com udp
CN 101.227.134.27:443 apps.game.qq.com tcp
US 8.8.8.8:53 ocsp.digicert.cn udp
NL 47.246.48.205:80 ocsp.digicert.cn tcp
US 8.8.8.8:53 sp1.baidu.com udp
US 8.8.8.8:53 27.134.227.101.in-addr.arpa udp
US 8.8.8.8:53 205.48.246.47.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 104.193.88.77:443 sp1.baidu.com tcp
US 8.8.8.8:53 ocsp.trust-provider.cn udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 77.88.193.104.in-addr.arpa udp
CN 112.50.95.96:80 ocsp.trust-provider.cn tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 96.95.50.112.in-addr.arpa udp
N/A 234.2.2.2:27428 udp
N/A 233.123.112.211:23207 udp
US 8.8.8.8:53 2.2.2.234.in-addr.arpa udp
US 8.8.8.8:53 211.112.123.233.in-addr.arpa udp
US 8.8.8.8:53 154.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 down.nugong.asia udp
US 8.8.8.8:53 sp0.baidu.com udp
US 8.8.8.8:53 137.242.43.23.in-addr.arpa udp
US 104.193.88.123:80 sp0.baidu.com tcp
US 8.8.8.8:53 41.43.201.23.in-addr.arpa udp
US 8.8.8.8:53 dns.alidns.com udp
CN 223.5.5.5:443 dns.alidns.com tcp
US 8.8.8.8:53 123.88.193.104.in-addr.arpa udp
US 8.8.8.8:53 5.5.5.223.in-addr.arpa udp
US 8.8.8.8:53 207.243.84.184.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
NL 20.31.169.57:443 tcp
US 8.8.8.8:53 115.242.43.23.in-addr.arpa udp
US 8.8.8.8:53 57.43.201.23.in-addr.arpa udp
SE 23.201.43.43:80 tcp
US 52.111.229.19:443 tcp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 195.201.50.20.in-addr.arpa udp
SE 23.201.43.41:80 tcp
US 8.8.8.8:53 udp
SE 23.201.43.57:80 tcp

Files

C:\Windows\Help\msdtc.exe

MD5 2ef846ac66e181be820b513dbc15b5d2
SHA1 8b4786eb9d864fc78bd99432ae0c78f887049461
SHA256 edfe71025c352d0dabec7b9506c5945bb0ec11f8db540db8cb1116c2ea1648a8
SHA512 2587acd723f515eb8fa1dd7016647079fd7af2a1c32f92ff344766803d524d9820bebaf21daa3b3d3556d2db8ab956a8a1682eaa46abb9b04a4c8e1e21321bdc

C:\Windows\Wvpk8ZFeDLv.sys

MD5 d15f5f23df8036bd5089ce8d151b0e0d
SHA1 4066ff4d92ae189d92fcdfb8c11a82cc9db56bb2
SHA256 f2c40dde6f40beaa3c283b66791ff27e6f06d66c8dd6eff5262f51e02ee26520
SHA512 feaec8a00346b0a74c530859785e1b280da5833bf3113083bf4664ebee85b14ceca648499f36d266d329d602349f9ad0fc21a10e605377b3a2c24b456f3a9bd9

C:\Windows\FAh9EvVHYcLJh2.sys

MD5 7ba2e5f80701b7c3c0d4a929f324de71
SHA1 c91323cba3c0aaf968845ef750826f3fdadb4fde
SHA256 d927f8e5073e0cc02ff0f29224390d2148268d6bec3a13c0052cb674c8d73ba9
SHA512 9d0028f9857400bf9b4a3ac2d431ea79400072b82ae27ab434356ee0f61e55f31fee72301796d3d3e532b94d123c801c1c023a2d0eb0b7e14f679441e6ae951a

C:\Windows\9bI9sOdnNHvnsj.sys

MD5 64bc1983743c584a9ad09dacf12792e5
SHA1 0f14098f523d21f11129c4df09451413ddff6d61
SHA256 057ec356f1577fe86b706e5aeb74e3bdd6fe04d22586fecf69b866f8f72db7f5
SHA512 9ab4ddb64bd97dd1a7ee15613a258edf1d2eba880a0896a91487c47a32c9bd1118cde18211053a5b081216d123d5f901b454a525cbba01d8067c31babd8c8c3c

C:\Windows\5UQL4XD0biI0G1.sys

MD5 86dcce1f65f56babe1312b8d63018391
SHA1 735bb7f6884a6b26f548dbb567351ea21497d28a
SHA256 0b1117aec00b614ad6c684147bf76530a096d86db537a280dec6b044de1c701b
SHA512 38e3a53f158c8ff409dd8aba0eba6105dd04bbcd54bd63e1234d71d6656fc84e70643dd915e0293f42c322710ab2f0c01470ec72bded290407a6f907df3f0ea3
