ardamax | 5c8e54a9bd23efffb06d37ca7864339d1c6406063bbd6b4e65939347d987d9f0

Analysis

max time kernel
97s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 13:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
Size

1.2MB
MD5

fea41fed8bb977e1934ab64351189601
SHA1

c1da96deb2fed5acc14051dec31c552922b08a16
SHA256

5c8e54a9bd23efffb06d37ca7864339d1c6406063bbd6b4e65939347d987d9f0
SHA512

61160d902711075a018195bd467f9ee64dbe37b583cd2a587b7f114f9ee196b02cdacf6988c743cae9aa9263d54becbfbb19bd3118041cbfec80c99fdf93b981
SSDEEP

24576:Ej9p+CRObLIr9PUAPZIrRzVNVgUaXxazeq8zL+MYpVvqkjmxIVW0it4:uOWmrRzVNVgpBeMaMEv3x

Score

10^/10

ardamax discovery evasion keylogger persistence stealer themida vmprotect

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023444-44.dat	family_ardamax

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\WINDOWS\system32\drivers\etc\hosts	speed.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
2760	Install.exe
4872	speed.exe
5780	EQYA.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Software\Wine	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe

Loads dropped DLL 7 IoCs

pid	Process
2760	Install.exe
5780	EQYA.exe
5780	EQYA.exe
5780	EQYA.exe
4872	speed.exe
4872	speed.exe
4872	speed.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/1580-0-0x0000000000400000-0x00000000004AB000-memory.dmp	themida
behavioral2/memory/1580-35-0x0000000000400000-0x00000000004AB000-memory.dmp	themida

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral2/files/0x000800000002343b-24.dat	vmprotect
behavioral2/memory/4872-33-0x0000000000400000-0x000000000042E000-memory.dmp	vmprotect
behavioral2/memory/4872-31-0x0000000000400000-0x000000000042E000-memory.dmp	vmprotect
behavioral2/memory/4872-82-0x0000000000400000-0x000000000042E000-memory.dmp	vmprotect

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\EQYA Agent = "C:\\Windows\\SysWOW64\\28463\\EQYA.exe"	EQYA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5764	GameBarPresenceWriter.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	EQYA.exe
File created	C:\Windows\SysWOW64\28463\EQYA.001	Install.exe
File created	C:\Windows\SysWOW64\28463\EQYA.006	Install.exe
File created	C:\Windows\SysWOW64\28463\EQYA.007	Install.exe
File created	C:\Windows\SysWOW64\28463\EQYA.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	speed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EQYA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Kills process with taskkill 30 IoCs

evasion

pid	Process
4604	taskkill.exe
4136	taskkill.exe
1568	taskkill.exe
2892	taskkill.exe
976	taskkill.exe
1820	taskkill.exe
4124	taskkill.exe
456	taskkill.exe
2604	taskkill.exe
2908	taskkill.exe
4008	taskkill.exe
4596	taskkill.exe
1192	taskkill.exe
1608	taskkill.exe
4116	taskkill.exe
1072	taskkill.exe
3032	taskkill.exe
1084	taskkill.exe
3096	taskkill.exe
4568	taskkill.exe
4100	taskkill.exe
1212	taskkill.exe
4600	taskkill.exe
556	taskkill.exe
4776	taskkill.exe
4592	taskkill.exe
8	taskkill.exe
4864	taskkill.exe
516	taskkill.exe
3644	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2718105630-359604950-2820636825-1000\{8374EF24-3647-4376-BE76-C4A3E5DFF8F7}	svchost.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
5052	reg.exe
4240	reg.exe
4440	reg.exe
4072	reg.exe
6028	reg.exe
6136	reg.exe
872	reg.exe
2452	reg.exe
5680	reg.exe
5664	reg.exe
4880	reg.exe
5648	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	4100	taskkill.exe
Token: SeDebugPrivilege	4136	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	516	taskkill.exe
Token: SeDebugPrivilege	3644	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	4568	taskkill.exe
Token: SeDebugPrivilege	4864	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	2908	taskkill.exe
Token: SeDebugPrivilege	1192	taskkill.exe
Token: SeDebugPrivilege	2892	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	4776	taskkill.exe
Token: SeDebugPrivilege	1072	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	1820	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	556	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	8	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	4124	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: 33	5780	EQYA.exe
Token: SeIncBasePriorityPrivilege	5780	EQYA.exe
Token: SeDebugPrivilege	976	taskkill.exe
Token: SeDebugPrivilege	456	taskkill.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
4872	speed.exe
4872	speed.exe
4872	speed.exe
5780	EQYA.exe
5780	EQYA.exe
5780	EQYA.exe
5780	EQYA.exe
5780	EQYA.exe
3288	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4136	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	82
PID 1580 wrote to memory of 4136	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	82
PID 1580 wrote to memory of 4136	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	82
PID 1580 wrote to memory of 4864	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	83
PID 1580 wrote to memory of 4864	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	83
PID 1580 wrote to memory of 4864	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	83
PID 1580 wrote to memory of 1624	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	84
PID 1580 wrote to memory of 1624	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	84
PID 1580 wrote to memory of 1624	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	84
PID 1580 wrote to memory of 1084	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	85
PID 1580 wrote to memory of 1084	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	85
PID 1580 wrote to memory of 1084	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	85
PID 1580 wrote to memory of 1212	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	86
PID 1580 wrote to memory of 1212	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	86
PID 1580 wrote to memory of 1212	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	86
PID 1580 wrote to memory of 4100	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	87
PID 1580 wrote to memory of 4100	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	87
PID 1580 wrote to memory of 4100	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	87
PID 1580 wrote to memory of 1192	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	88
PID 1580 wrote to memory of 1192	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	88
PID 1580 wrote to memory of 1192	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	88
PID 1580 wrote to memory of 2892	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	89
PID 1580 wrote to memory of 2892	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	89
PID 1580 wrote to memory of 2892	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	89
PID 1580 wrote to memory of 1568	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	91
PID 1580 wrote to memory of 1568	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	91
PID 1580 wrote to memory of 1568	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	91
PID 1580 wrote to memory of 4240	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	92
PID 1580 wrote to memory of 4240	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	92
PID 1580 wrote to memory of 4240	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	92
PID 1580 wrote to memory of 3644	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	94
PID 1580 wrote to memory of 3644	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	94
PID 1580 wrote to memory of 3644	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	94
PID 1580 wrote to memory of 516	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	95
PID 1580 wrote to memory of 516	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	95
PID 1580 wrote to memory of 516	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	95
PID 1580 wrote to memory of 4596	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	96
PID 1580 wrote to memory of 4596	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	96
PID 1580 wrote to memory of 4596	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	96
PID 1580 wrote to memory of 4008	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	97
PID 1580 wrote to memory of 4008	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	97
PID 1580 wrote to memory of 4008	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	97
PID 1580 wrote to memory of 4568	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	99
PID 1580 wrote to memory of 4568	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	99
PID 1580 wrote to memory of 4568	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	99
PID 1580 wrote to memory of 4116	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	100
PID 1580 wrote to memory of 4116	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	100
PID 1580 wrote to memory of 4116	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	100
PID 1580 wrote to memory of 2908	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	101
PID 1580 wrote to memory of 2908	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	101
PID 1580 wrote to memory of 2908	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	101
PID 1580 wrote to memory of 1876	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	102
PID 1580 wrote to memory of 1876	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	102
PID 1580 wrote to memory of 1876	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	102
PID 1580 wrote to memory of 4000	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	103
PID 1580 wrote to memory of 4000	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	103
PID 1580 wrote to memory of 4000	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	103
PID 1580 wrote to memory of 2264	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	105
PID 1580 wrote to memory of 2264	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	105
PID 1580 wrote to memory of 2264	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	105
PID 1580 wrote to memory of 1860	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	106
PID 1580 wrote to memory of 1860	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	106
PID 1580 wrote to memory of 1860	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	106
PID 1580 wrote to memory of 3824	1580	fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe	107

C:\Users\Admin\AppData\Local\Temp\fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Identifies Wine through registry keys
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4136
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4864
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5744
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4100
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1192
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4240
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3644
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1876
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:6136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4000
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:6028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3824
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5664
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2760
- - C:\Windows\SysWOW64\28463\EQYA.exe
    "C:\Windows\system32\28463\EQYA.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1556
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5664
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:8
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2072
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:456
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4048
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4960
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4044
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2060
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2056
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4072
- C:\Users\Admin\AppData\Local\Temp\speed.exe
  "C:\Users\Admin\AppData\Local\Temp\speed.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:2824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\fea41fed8bb977e1934ab64351189601_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:336

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:5764

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3288

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@6A91.tmp

Filesize
4KB

MD5
908f7f4b0cf93759447afca95cd84aa6

SHA1
d1903a49b211bcb4a460904019ee7441420aa961

SHA256
3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

SHA512
958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
478KB

MD5
a99947c273f98e555e39836f3577f59e

SHA1
3ef998600835c3ebefc7b24dff9ec7f24e19a407

SHA256
28da14cea71f419fa9f2110d46f08da1df00b76bfaffaaaa5857bc7373831dcc

SHA512
8d21be01cb913cc3627eb7cbee6011cf146b40945d8ef5afae1878aa62ebbfac37f4e0a703cde13368f983f01fcc7109f9aa86546fd344e882fabd7a7bbb8dae

Download Submit
C:\Users\Admin\AppData\Local\Temp\speed.exe

Filesize
92KB

MD5
984817a1a887e3b4abae7cce7c2e4641

SHA1
512ef98793ad6bae6b1c9ebf3b2011ed33713b31

SHA256
e2547b707c3f2fec79b073ebf3a4f1a52b573282c7a6be63e9d735480ce5ee70

SHA512
41378cf1975620ece0cbfc746b3fcffdff58e1cde8623e17c1e10f37794ce3e10eaa164c1e46da497280958a4a4cdd2738e29fc8c1cb2355a75ffe5ae7a99d00

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
b0b09699ea39c0107af1c0833f07c054

SHA1
b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

SHA256
be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

SHA512
55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Download Submit
C:\Windows\SysWOW64\28463\EQYA.001

Filesize
506B

MD5
4be124e2f06e43d07bf39f1033320d3d

SHA1
116c5b6a9d1f2e4e472572a86fdf2b29848045ea

SHA256
78a5794091da44542b1baddf969db0cd36515e7f7f8ad8a54e1c2fdf259a717a

SHA512
059ce782b64693c09930b05ef7c4162f93108ad8585a5ee94d46a3e13e4844831a56a3442b047c7163d3a9fa88831e34fa21c79252a0ffe6f1eed3d5c864d9ae

Download Submit
C:\Windows\SysWOW64\28463\EQYA.006

Filesize
7KB

MD5
e0fcfa7cad88d1a8a462cee6b06cf668

SHA1
a7e49078517abc929a6da261df06556c8f5a8cf0

SHA256
340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

SHA512
430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

Download Submit
C:\Windows\SysWOW64\28463\EQYA.007

Filesize
5KB

MD5
ca72cd485d116033f1b776903ce7ee0a

SHA1
85b0b73a75b0498f56200dd1a5cf0de5371e42a3

SHA256
e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

SHA512
8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

Download Submit
C:\Windows\SysWOW64\28463\EQYA.exe

Filesize
472KB

MD5
7ca78f42e7c88f01fb7fd88321b283ff

SHA1
8f6fb4e3f5b696cac4fd54490d5f8c1862d0bb6b

SHA256
2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729

SHA512
06e822f04a4657b492a485b5a542e5c8400060abf7e71020d17965fee11f1f7c0807e32b5f9426a4fb9b4d7dd05a68ae871e5fef0807e24204351ebe569eb4ca

Download Submit
memory/1580-35-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1580-36-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/1580-0-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1580-1-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/4872-31-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4872-33-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4872-82-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads