Overview
Analysis
- Max time kernel: 613s
- Max time network: 617s
- Platform: windows7_x64
- Resource: win7-de
- Submitted: 02-09-2021 19:12
Static task: static1
Behavioral tasks (sample for every task: Anime-Fighters-Infin_734316524.exe)
- behavioral1: resource win7-jp
- behavioral2: resource win7-fr
- behavioral3: resource win7v20210408
- behavioral4: resource win7-de
- behavioral5: resource win11
- behavioral6: resource win10v20210408
- behavioral7: resource win10-jp
- behavioral8: resource win10-fr
- behavioral9: resource win10-en
- behavioral10: resource win10-de
General
- Target: Anime-Fighters-Infin_734316524.exe
- Size: 3.9MB
- MD5: bd2b73492acf20dec004360b1605032d
- SHA1: 60ddf3c107d94bbeb102a2d7ede945eb5edd2b35
- SHA256: 12b6272825140a15eabec58f97b49aed3ce5db7816a0b3c2674f6ae8746367ca
- SHA512: dae236259e32a9e4b789f020dbd8082b376e3c2b56fd94523a44cf4b5a557f3661aeefc24b5605218ba0479ee1b9a8cb7b5c1df6c103673a99f13bc4210c90da
Malware Config
Signatures
- Blocklisted process makes network request (64 IoCs)
  Process MsiExec.exe (pid 2020) made network requests on flows 30, 32, 33, 35, 37, 39, 41 through 87 and 90 through 100 (64 flows in all).
- Downloads MZ/PE file
- Executes dropped EXE (10 IoCs)
  pid   Process
  1440  Anime-Fighters-Infin_734316524.tmp
  1172  Expedita.exe
  1572  gkCNs.exe
  1976  wqWOaEHcTC5wXL.exe
  2380  AdvancedWindowsManager.exe
  2404  AdvancedWindowsManager.exe
  2444  AdvancedWindowsManager.exe
  3232  AdvancedWindowsManager.exe
  3296  AdvancedWindowsManager.exe
  3280  AdvancedWindowsManager.exe
- Loads dropped DLL (46 IoCs; consecutive repeats of the same row are collapsed into a count, in the original order)
  pid   Process                             count
  820   Anime-Fighters-Infin_734316524.exe  1
  1440  Anime-Fighters-Infin_734316524.tmp  4
  1172  Expedita.exe                        3
  1976  wqWOaEHcTC5wXL.exe                  3
  2036  MsiExec.exe                         2
  2020  MsiExec.exe                         9
  1976  wqWOaEHcTC5wXL.exe                  1
  2020  MsiExec.exe                         2
  1016  MsiExec.exe                         7
  2020  MsiExec.exe                         1
  2344  taskeng.exe                         3
  2396  Process not Found                   1
  2416  Process not Found                   1
  2344  taskeng.exe                         2
  3224  Process not Found                   1
  3248  Process not Found                   1
  2344  taskeng.exe                         2
  4156  Process not Found                   1
  5668  Process not Found                   1
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description               ioc                                                                      Process
  File opened (read-only)   \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L:    wqWOaEHcTC5wXL.exe
                            \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V:
                            \??\W: \??\X: \??\Y: \??\Z: (24 drive letters, every letter except C: and D:)
  File opened (read-only)   \??\A: \??\B: \??\E: \??\F: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L:    msiexec.exe
                            \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V:
                            \??\W: \??\X: \??\Y: \??\Z: (24 drive letters, every letter except C: and D:)
- Drops file in Program Files directory (22 IoCs)
  description                  ioc                                                                          Process
  File created                 C:\Program Files (x86)\Vel\is-CSSVQ.tmp                                      Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\magnam\is-S8I62.tmp                               Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\nesciunt\is-NLHP9.tmp                             Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\nesciunt\is-ONAOJ.tmp                             Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\voluptas\is-PEUP3.tmp                             Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.exe        msiexec.exe
  File created                 C:\Program Files (x86)\Vel\nesciunt\is-7V7QR.tmp                             Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\unins000.dat                                      Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\is-2F8D1.tmp                                      Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\is-DN7MR.tmp                                      Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\nesciunt\is-VEBGP.tmp                             Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\AW Manager\Windows Manager\Uninstall.lnk              msiexec.exe
  File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Windows Updater.ini        msiexec.exe
  File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\EULA.url                   msiexec.exe
  File opened for modification C:\Program Files (x86)\Vel\magnam\Expedita.exe                               Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\is-1QC0U.tmp                                      Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\magnam\is-UFCLM.tmp                               Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\magnam\is-A6L77.tmp                               Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\Vel\voluptas\is-OH5EB.tmp                             Anime-Fighters-Infin_734316524.tmp
  File opened for modification C:\Program Files (x86)\Vel\unins000.dat                                      Anime-Fighters-Infin_734316524.tmp
  File created                 C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe msiexec.exe
  File opened for modification C:\Program Files (x86)\AW Manager\Windows Manager\Privacy.url                msiexec.exe
- Drops file in Windows directory (30 IoCs; Process for every row: msiexec.exe)
  description                  ioc
  File opened for modification C:\Windows\Installer\MSIDB94.tmp
  File opened for modification C:\Windows\Installer\MSIDCCE.tmp
  File opened for modification C:\Windows\Installer\MSIEE93.tmp
  File opened for modification C:\Windows\Installer\MSIDF01.tmp
  File opened for modification C:\Windows\Installer\MSIEF11.tmp
  File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe
  File opened for modification C:\Windows\Installer\MSIF31D.tmp
  File created                 C:\Windows\Installer\f74d604.msi
  File opened for modification C:\Windows\Installer\f74d604.msi
  File opened for modification C:\Windows\Installer\MSID79C.tmp
  File opened for modification C:\Windows\Installer\MSIEBE1.tmp
  File opened for modification C:\Windows\Installer\MSIEBF2.tmp
  File opened for modification C:\Windows\Installer\MSIF00D.tmp
  File opened for modification C:\Windows\Installer\MSIF0C9.tmp
  File opened for modification C:\Windows\Installer\f74d606.ipi
  File opened for modification C:\Windows\Installer\MSIDAA9.tmp
  File opened for modification C:\Windows\Installer\MSIE03A.tmp
  File opened for modification C:\Windows\Installer\MSIE1F1.tmp
  File created                 C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe
  File created                 C:\Windows\Installer\f74d608.msi
  File opened for modification C:\Windows\Installer\MSIE116.tmp
  File opened for modification C:\Windows\Installer\MSIED2C.tmp
  File opened for modification C:\Windows\Installer\MSIEF9F.tmp
  File opened for modification C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\SystemFoldermsiexec.exe
  File opened for modification C:\Windows\Installer\
  File opened for modification C:\Windows\Installer\MSIDC6F.tmp
  File opened for modification C:\Windows\Installer\MSIDD9A.tmp
  File created                 C:\Windows\Installer\f74d606.ipi
  File opened for modification C:\Windows\Installer\MSIF166.tmp
  File created                 C:\Windows\Installer\{C845414C-903C-4218-9DE7-132AB97FDF62}\logo.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Kills process with taskkill (2 IoCs)
  pid   Process
  1004  taskkill.exe
  764   taskkill.exe
- Modifies data under HKEY_USERS (3 IoCs; Process for every row: msiexec.exe)
  description   ioc
  Key deleted   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E
  Key deleted   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25
  Key created   \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26
- Modifies registry class (24 IoCs; Process for every row: msiexec.exe; every ioc below is relative to \REGISTRY\MACHINE\SOFTWARE\Classes\Installer)
  description        ioc
  Set value (int)    Products\C414548CC3098124D97E31A29BF7FD26\DeploymentFlags = "3"
  Set value (str)    UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9\C414548CC3098124D97E31A29BF7FD26
  Set value (str)    Products\C414548CC3098124D97E31A29BF7FD26\ProductName = "Windows Manager"
  Set value (int)    Products\C414548CC3098124D97E31A29BF7FD26\Version = "16777216"
  Set value (int)    Products\C414548CC3098124D97E31A29BF7FD26\Assignment = "1"
  Set value (int)    Products\C414548CC3098124D97E31A29BF7FD26\InstanceType = "0"
  Set value (str)    Products\C414548CC3098124D97E31A29BF7FD26\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"
  Key created        Features\C414548CC3098124D97E31A29BF7FD26
  Key created        Products\C414548CC3098124D97E31A29BF7FD26
  Set value (int)    Products\C414548CC3098124D97E31A29BF7FD26\AuthorizedLUAApp = "0"
  Set value (str)    Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\1 = ";"
  Key created        Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media
  Set value (data)   Products\C414548CC3098124D97E31A29BF7FD26\Clients = 3a0000000000
  Set value (str)    Features\C414548CC3098124D97E31A29BF7FD26\MainFeature
  Key created        UpgradeCodes\5785CBDF4ABB5AD409841A692AF14EA9
  Key created        Products\C414548CC3098124D97E31A29BF7FD26\SourceList
  Set value (str)    Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\AW Manager\\Windows Manager 1.0.0\\install\\97FDF62\\"
  Set value (str)    Products\C414548CC3098124D97E31A29BF7FD26\SourceList\PackageName = "Windows Manager - Postback Y.msi"
  Key created        Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Net
  Set value (str)    Products\C414548CC3098124D97E31A29BF7FD26\SourceList\Media\DiskPrompt = "[1]"
  Set value (str)    Products\C414548CC3098124D97E31A29BF7FD26\PackageCode = "6BBF4B2F4524B25478C17BFBEE2559F7"
  Set value (int)    Products\C414548CC3098124D97E31A29BF7FD26\Language = "1033"
  Set value (int)    Products\C414548CC3098124D97E31A29BF7FD26\AdvertiseFlags = "388"
  Set value (str)    Products\C414548CC3098124D97E31A29BF7FD26\ProductIcon = "C:\\Windows\\Installer\\{C845414C-903C-4218-9DE7-132AB97FDF62}\\logo.exe"
- Modifies system certificate store (7 IoCs; Process for every row: wqWOaEHcTC5wXL.exe; every ioc below is relative to \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates)
  description        ioc
  Key created        5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25
  Set value (data)   5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob (certificate blob, not reproduced here)
  Set value (data)   5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob (certificate blob, not reproduced here)
  Set value (data)   0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob (certificate blob, not reproduced here)
  Key created        0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43
  Set value (data)   0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob (certificate blob, not reproduced here)
  Set value (data)   0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob (certificate blob, not reproduced here)
- Suspicious behavior: EnumeratesProcesses (10 IoCs; consecutive repeats collapsed into a count)
  pid   Process                             count
  1440  Anime-Fighters-Infin_734316524.tmp  2
  1172  Expedita.exe                        3
  2036  MsiExec.exe                         1
  2020  MsiExec.exe                         2
  1208  msiexec.exe                         2
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 1208 msiexec.exe, Token: SeRestorePrivilege, SeTakeOwnershipPrivilege, SeSecurityPrivilege (3 IoCs)
  pid 1976 wqWOaEHcTC5wXL.exe (61 IoCs): the following 29 tokens, in this order, twice in succession, followed by SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege and SeLockMemoryPrivilege a third time:
    SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1440  Anime-Fighters-Infin_734316524.tmp
  1976  wqWOaEHcTC5wXL.exe
- Suspicious use of WriteProcessMemory (64 IoCs; consecutive repeats of the same row collapsed into a count)
  description                    pid   Process                             procid_target  count
  PID 820 wrote to memory of 1440   820   Anime-Fighters-Infin_734316524.exe  26             7
  PID 1440 wrote to memory of 1172  1440  Anime-Fighters-Infin_734316524.tmp  30             4
  PID 1172 wrote to memory of 1572  1172  Expedita.exe                        33             4
  PID 1172 wrote to memory of 1976  1172  Expedita.exe                        34             7
  PID 1208 wrote to memory of 2036  1208  msiexec.exe                         36             7
  PID 1976 wrote to memory of 1604  1976  wqWOaEHcTC5wXL.exe                  37             7
  PID 1208 wrote to memory of 2020  1208  msiexec.exe                         38             7
  PID 2020 wrote to memory of 1004  2020  MsiExec.exe                         39             4
  PID 1572 wrote to memory of 1128  1572  gkCNs.exe                           41             4
  PID 1128 wrote to memory of 764   1128  cmd.exe                             43             4
  PID 1208 wrote to memory of 1016  1208  msiexec.exe                         44             7
  PID 2344 wrote to memory of 2380  2344  taskeng.exe                         49             2
Processes (the bracketed number is the depth in the process tree; child processes are indented under their parent)

- [1] C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 820
  - [2] C:\Users\Admin\AppData\Local\Temp\is-PKLQ7.tmp\Anime-Fighters-Infin_734316524.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-PKLQ7.tmp\Anime-Fighters-Infin_734316524.tmp" /SL5="$E014E,3656070,140800,C:\Users\Admin\AppData\Local\Temp\Anime-Fighters-Infin_734316524.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID: 1440
    - [3] C:\Program Files (x86)\Vel\magnam\Expedita.exe
      Command line: "C:\Program Files (x86)\Vel/\magnam\Expedita.exe" 32cb7aca069a0c8bb8d51fccce1d3826
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1172
      - [4] C:\Users\Admin\AppData\Local\Temp\jv2OLAY8\gkCNs.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\jv2OLAY8\gkCNs.exe /usthree SUB=32cb7aca069a0c8bb8d51fccce1d3826
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory
        PID: 1572
        - [5] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c taskkill /im "gkCNs.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\jv2OLAY8\gkCNs.exe" & exit
          - Suspicious use of WriteProcessMemory
          PID: 1128
          - [6] C:\Windows\SysWOW64\taskkill.exe
            Command line: taskkill /im "gkCNs.exe" /f
            - Kills process with taskkill
            PID: 764
      - [4] C:\Users\Admin\AppData\Local\Temp\kXSlPqf1\wqWOaEHcTC5wXL.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\kXSlPqf1\wqWOaEHcTC5wXL.exe /qn CAMPAIGN="642"
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Modifies system certificate store
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory
        PID: 1976
        - [5] C:\Windows\SysWOW64\msiexec.exe
          Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\AW Manager\Windows Manager 1.0.0\install\97FDF62\Windows Manager - Postback Y.msi" /qn CAMPAIGN=642 AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\kXSlPqf1\wqWOaEHcTC5wXL.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\kXSlPqf1\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1630350480 /qn CAMPAIGN=""642"" " CAMPAIGN="642"
          PID: 1604

- [1] C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1208
  - [2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C115DC0351BBB2F3D0A3D75754AAD056 C
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID: 2036
  - [2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 8543C417F4BA96B1183CA79320DCE105
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 2020
    - [3] C:\Windows\SysWOW64\taskkill.exe
      Command line: "C:\Windows\SysWOW64\taskkill.exe" /im AdvancedWindowsManager* /f
      - Kills process with taskkill
      PID: 1004
  - [2] C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding DBC15EFC4D3412395EA5CF3E8B488CE7 M Global\MSI0000
    - Loads dropped DLL
    PID: 1016

- [1] C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4F9639BC-F9ED-45D8-90D6-35D48B2B4BD4} S-1-5-18:NT AUTHORITY\System:Service:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID: 2344
  - [2] C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
    Command line: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 115 -t 8080
    - Executes dropped EXE
    PID: 2380
  - [2] C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
    Command line: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 114 -t 8080
    - Executes dropped EXE
    PID: 2404
  - [2] C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
    Command line: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 113 -t 8080
    - Executes dropped EXE
    PID: 2444
  - [2] C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
    Command line: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 112 -t 8080
    - Executes dropped EXE
    PID: 3232
  - [2] C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
    Command line: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 111 -t 8080
    - Executes dropped EXE
    PID: 3280
  - [2] C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe
    Command line: "C:\Program Files (x86)\AW Manager\Windows Manager\AdvancedWindowsManager.exe" -v 110 -t 8080
    - Executes dropped EXE
    PID: 3296