ardamax | e93f113896997f86b3274d504758dcd2b937820a6192f2b1afc5add2de675a58

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-10-2024 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe
Size

4.1MB
MD5

4314436b36c912bf40b3394f70dbd426
SHA1

14ae149c7a149a2590054fe4b68bd3430dd7a9af
SHA256

e93f113896997f86b3274d504758dcd2b937820a6192f2b1afc5add2de675a58
SHA512

97583d871270c496b0d819dd8618ccddcbcc9e68f61abfc993b8b6b32e3ca5abcd79881ebb96f605b89bb355e951b02d602d035b1a3816bd2fc35ed4cd85fc2f
SSDEEP

98304:GG245NjRe6J6y8Wat7JrRexSPdNk0QJcSD8pHfwdRkhGyFCnBKXE:lR5N/Qt7dkxskrD8JYzqBFkt

Score

10^/10

ardamax discovery evasion keylogger persistence stealer themida upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000194da-70.dat	family_ardamax

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 4 IoCs

pid	Process
344	Install.exe
352	NG_Cracker_8.5_Com_Potion_C.exe
1904	autorun.exe
1532	FAET.exe

Loads dropped DLL 14 IoCs

pid	Process
1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe
344	Install.exe
344	Install.exe
344	Install.exe
344	Install.exe
1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe
352	NG_Cracker_8.5_Com_Potion_C.exe
352	NG_Cracker_8.5_Com_Potion_C.exe
344	Install.exe
1532	FAET.exe
1532	FAET.exe
1532	FAET.exe
352	NG_Cracker_8.5_Com_Potion_C.exe
1532	FAET.exe

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/1236-5-0x0000000000400000-0x000000000064E000-memory.dmp	themida
behavioral1/memory/1236-7-0x0000000000400000-0x000000000064E000-memory.dmp	themida
behavioral1/memory/1236-29-0x0000000000400000-0x000000000064E000-memory.dmp	themida

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FAET Agent = "C:\\Windows\\SysWOW64\\28463\\FAET.exe"	FAET.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	FAET.exe
File created	C:\Windows\SysWOW64\28463\FAET.001	Install.exe
File created	C:\Windows\SysWOW64\28463\FAET.006	Install.exe
File created	C:\Windows\SysWOW64\28463\FAET.007	Install.exe
File created	C:\Windows\SysWOW64\28463\FAET.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016c81-47.dat	upx
behavioral1/memory/352-52-0x00000000037D0000-0x0000000003AC3000-memory.dmp	upx
behavioral1/memory/1904-64-0x0000000000400000-0x00000000006F3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autorun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FAET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NG_Cracker_8.5_Com_Potion_C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Kills process with taskkill 30 IoCs

evasion

pid	Process
2148	taskkill.exe
1764	taskkill.exe
2692	taskkill.exe
1904	taskkill.exe
1848	taskkill.exe
2728	taskkill.exe
2720	taskkill.exe
796	taskkill.exe
1988	taskkill.exe
2984	taskkill.exe
1612	taskkill.exe
1516	taskkill.exe
1680	taskkill.exe
792	taskkill.exe
2840	taskkill.exe
2780	taskkill.exe
1792	taskkill.exe
1484	taskkill.exe
772	taskkill.exe
376	taskkill.exe
1668	taskkill.exe
3020	taskkill.exe
2364	taskkill.exe
2776	taskkill.exe
988	taskkill.exe
1592	taskkill.exe
2412	taskkill.exe
1660	taskkill.exe
3028	taskkill.exe
1604	taskkill.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\InprocServer32\	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\0\win32	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\62"	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\FLAGS\	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\VersionIndependentProgID	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\ProgID\	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\ = "GrooveTransportServicesAlpha"	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\Version	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\HELPDIR	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\Version\	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\Version\ = "1.0"	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\ = "Cezahbaqe Ijafogo object"	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\FLAGS	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\TypeLib	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\VersionIndependentProgID\	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\0	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\0\win32\	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\FLAGS\ = "4"	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\HELPDIR\	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\TypeLib\	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\InprocServer32	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\InprocServer32\ = "%SystemRoot%\\SysWow64\\ime\\shared\\imjkapi.dll"	FAET.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\ProgID	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\ProgID\ = "IMEAPI.CImeCommandAvailabilityViewJK.1"	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\1.0\0\	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}\	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\TypeLib\ = "{0AC8A206-1F90-0F6E-3BF8-DA86AFEBAFD3}"	FAET.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7D8B9AA2-2739-405F-8CAF-1F0259A5A7BE}\VersionIndependentProgID\ = "IMEAPI.CImeCommandAvailabilityViewJK"	FAET.exe

Modifies registry key 1 TTPs 22 IoCs

Modify Registry

T1112

pid	Process
1708	reg.exe
1320	reg.exe
1720	reg.exe
2588	reg.exe
2296	reg.exe
2012	reg.exe
2944	reg.exe
2860	reg.exe
2388	reg.exe
876	reg.exe
2288	reg.exe
2456	reg.exe
2500	reg.exe
1280	reg.exe
848	reg.exe
484	reg.exe
1320	reg.exe
356	reg.exe
2736	reg.exe
2772	reg.exe
2332	reg.exe
1900	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	792	taskkill.exe
Token: SeDebugPrivilege	1988	taskkill.exe
Token: SeDebugPrivilege	796	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	376	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	1516	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	2148	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	1680	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	2364	taskkill.exe
Token: SeDebugPrivilege	1612	taskkill.exe
Token: SeDebugPrivilege	3028	taskkill.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	1592	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	772	taskkill.exe
Token: SeDebugPrivilege	1604	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	1484	taskkill.exe
Token: SeDebugPrivilege	1668	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: 33	1532	FAET.exe
Token: SeIncBasePriorityPrivilege	1532	FAET.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe
1532	FAET.exe
1532	FAET.exe
1532	FAET.exe
1532	FAET.exe
1532	FAET.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1236 wrote to memory of 1988	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	30
PID 1236 wrote to memory of 1988	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	30
PID 1236 wrote to memory of 1988	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	30
PID 1236 wrote to memory of 1988	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	30
PID 1236 wrote to memory of 792	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	31
PID 1236 wrote to memory of 792	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	31
PID 1236 wrote to memory of 792	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	31
PID 1236 wrote to memory of 792	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	31
PID 1236 wrote to memory of 2160	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	34
PID 1236 wrote to memory of 2160	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	34
PID 1236 wrote to memory of 2160	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	34
PID 1236 wrote to memory of 2160	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	34
PID 1236 wrote to memory of 2148	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	35
PID 1236 wrote to memory of 2148	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	35
PID 1236 wrote to memory of 2148	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	35
PID 1236 wrote to memory of 2148	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	35
PID 1236 wrote to memory of 796	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	36
PID 1236 wrote to memory of 796	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	36
PID 1236 wrote to memory of 796	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	36
PID 1236 wrote to memory of 796	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	36
PID 1236 wrote to memory of 1660	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	37
PID 1236 wrote to memory of 1660	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	37
PID 1236 wrote to memory of 1660	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	37
PID 1236 wrote to memory of 1660	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	37
PID 1236 wrote to memory of 376	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	38
PID 1236 wrote to memory of 376	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	38
PID 1236 wrote to memory of 376	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	38
PID 1236 wrote to memory of 376	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	38
PID 1236 wrote to memory of 2412	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	39
PID 1236 wrote to memory of 2412	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	39
PID 1236 wrote to memory of 2412	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	39
PID 1236 wrote to memory of 2412	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	39
PID 1236 wrote to memory of 1904	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	40
PID 1236 wrote to memory of 1904	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	40
PID 1236 wrote to memory of 1904	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	40
PID 1236 wrote to memory of 1904	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	40
PID 1236 wrote to memory of 2680	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	42
PID 1236 wrote to memory of 2680	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	42
PID 1236 wrote to memory of 2680	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	42
PID 1236 wrote to memory of 2680	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	42
PID 1236 wrote to memory of 2720	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	45
PID 1236 wrote to memory of 2720	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	45
PID 1236 wrote to memory of 2720	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	45
PID 1236 wrote to memory of 2720	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	45
PID 1236 wrote to memory of 2728	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	46
PID 1236 wrote to memory of 2728	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	46
PID 1236 wrote to memory of 2728	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	46
PID 1236 wrote to memory of 2728	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	46
PID 1236 wrote to memory of 2776	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	47
PID 1236 wrote to memory of 2776	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	47
PID 1236 wrote to memory of 2776	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	47
PID 1236 wrote to memory of 2776	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	47
PID 1236 wrote to memory of 2780	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	48
PID 1236 wrote to memory of 2780	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	48
PID 1236 wrote to memory of 2780	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	48
PID 1236 wrote to memory of 2780	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	48
PID 1236 wrote to memory of 2692	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	55
PID 1236 wrote to memory of 2692	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	55
PID 1236 wrote to memory of 2692	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	55
PID 1236 wrote to memory of 2692	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	55
PID 1236 wrote to memory of 2840	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	57
PID 1236 wrote to memory of 2840	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	57
PID 1236 wrote to memory of 2840	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	57
PID 1236 wrote to memory of 2840	1236	4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe	57

C:\Users\Admin\AppData\Local\Temp\4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4314436b36c912bf40b3394f70dbd426_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:1948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:376
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2412
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2692
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:2596
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1320
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2796
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2736
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:344
- - C:\Windows\SysWOW64\28463\FAET.exe
    "C:\Windows\system32\28463\FAET.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1908
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:356
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:2268
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1128
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:824
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2656
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2632
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2288
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:1388
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:2012
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2332
- C:\Users\Admin\AppData\Local\Temp\NG_Cracker_8.5_Com_Potion_C.exe
  "C:\Users\Admin\AppData\Local\Temp\NG_Cracker_8.5_Com_Potion_C.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:352
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:1732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:764
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:2708
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "998385887-1636483683-420969276-478190865124045207-250186759142216891281188734"
1⤵
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\8840.ani

Filesize
8KB

MD5
eca474017c328d94de4052ae3a6aeda3

SHA1
3c8717af268f9d476b6bb3e46107bb5142a6e236

SHA256
edfc107db2518ac37591769fa733395ec3ba49c5905f9c226bfe3724d12e9571

SHA512
66a57607befa5394193d1ab46c69dd468f90ae5d96ecc8697f095217ef4e41c3c2b391339b4d21acc46db050ee0a19e37eea314fc31709611469c0ed662127f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoRunSrc\AutoRunSrc.bin

Filesize
576B

MD5
c8770421aa91257fd8ec4967540bc6b9

SHA1
ffd5c05ca2cc4e116b52f460bea58bf1f7b0ca38

SHA256
564830326d84273859f352aa85c03486bcbcd5f8ab1876558b1a0a83a3ac90cf

SHA512
41b2e8cc5fdcf4296c3ae900ebaeaca849810a127c8efe1b4dc9942e8aa2435cfb053fee46b0c49280e3b606935cdc1bbe62732204329e9929db4b8615e7bdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AutoRunSrc\MainPage

Filesize
155KB

MD5
f2be8e0d705772d9c01a8afbacde6b3f

SHA1
910db1b7e94a0e4ca4b446d2bad54dc58060bdee

SHA256
b6b3d0adb92f0b6b85df6094d82de3b987b7febeddc92079a83c9d47a6c57a69

SHA512
3e86f534da75d00b30330ef16a8d8b3cc8db16a36c12daa9753181defde632765e4e2c3a167fd16c4f7b9b3bad4d8ab2b7f5a10cad356a1e5280c9da1bacc0b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.ico

Filesize
26KB

MD5
9bd357aafce65d39bc1aa347545fe8f9

SHA1
0a0e6ed7ba4f1e6f5f5bfd13079ff079264d144c

SHA256
cb6d3878f0e53db82c48d77851aa795d0d4d3ce246b045a067095a83198e4deb

SHA512
285220c98b2452fa35dc6dfa49475bd84cea5ddd0860038c326a367112af2a2c8ea10e16f73fed929d7b457768b67fea0a8046570e009344d8ddcfd506d1a3b8

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Windows\SysWOW64\28463\FAET.001

Filesize
454B

MD5
892e321a8b47a26286b5bb854a3ec8b7

SHA1
a4050e01d28397befaadc6f3b0154d71806766e9

SHA256
ca9be884a8014c68914252293ab36611979108d6123aee81688cf14efad51fb0

SHA512
6b85224e80bbb728a1fbaaeea86e804f759dd827a7a51d0e33c9cbe84f97b8d68b71e8646c3a7653b7af65b87020147069e5cab7b98069e67911b7a18d1196c7

Download Submit
C:\Windows\SysWOW64\28463\FAET.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\FAET.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Users\Admin\AppData\Local\Temp\@C5DE.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
787KB

MD5
bbe506371d6e0461ef4c174e1411ec01

SHA1
5251ed793139cca21c36f775045a0e77ece3578a

SHA256
df5a2e029d095420811a651274c5bdbc2d0b43ec37402a2fe53f8b239da88e39

SHA512
7a1a7085e19260e74ddd33c3edfb7e53f9440a7a203068e4231eaceddc096a42c16c02279c00eb2fb7823030a9cfb84075976860a853afe690db722fbff2767e

Download Submit
\Users\Admin\AppData\Local\Temp\NG_Cracker_8.5_Com_Potion_C.exe

Filesize
2.2MB

MD5
25965767ed6742be7c2834b80843e2ef

SHA1
78df59f9e3fd61a0e35582653c60136e23609ab5

SHA256
4a5b17140471ededfa36dd4c25b04f0490f4b67ae8fdfe79e45d4fd4c3865690

SHA512
fb3b392e039dcfcd7a019c388f7b13305bc7842a16d7566e75923a728d612733d0ecfe7a3b3b2b6900bd073df2b765ccfbb352ba4e359febf96e8fae85e40f7d

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\autorun.exe

Filesize
999KB

MD5
02afb88365b4f0d0fe6ebb9ce8c79dce

SHA1
08498cb7bf78d595d32c427659f5e442610392dc

SHA256
10652b2054a788e1d916fc45f44ad5ff563fbc9b5cb8d50d438d137d506097ce

SHA512
831fc72e513a8047be9d9da26ce551a90f12d19fa044c0d975715536f4c21b23b35ce6546f3faf714a76c2e7cf7cdcc0d90d22068b0d11b0bb11a4db6a98a3fd

Download Submit
\Windows\SysWOW64\28463\FAET.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
memory/344-73-0x0000000003310000-0x00000000033EF000-memory.dmp

Filesize
892KB

Download
memory/352-61-0x00000000037D0000-0x0000000003AC3000-memory.dmp

Filesize
2.9MB

Download
memory/352-54-0x00000000037D0000-0x0000000003AC3000-memory.dmp

Filesize
2.9MB

Download
memory/352-62-0x00000000037D0000-0x0000000003AC3000-memory.dmp

Filesize
2.9MB

Download
memory/352-52-0x00000000037D0000-0x0000000003AC3000-memory.dmp

Filesize
2.9MB

Download
memory/1236-1-0x0000000000650000-0x000000000072A000-memory.dmp

Filesize
872KB

Download
memory/1236-29-0x0000000000400000-0x000000000064E000-memory.dmp

Filesize
2.3MB

Download
memory/1236-7-0x0000000000400000-0x000000000064E000-memory.dmp

Filesize
2.3MB

Download
memory/1236-5-0x0000000000400000-0x000000000064E000-memory.dmp

Filesize
2.3MB

Download
memory/1236-2-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/1236-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1532-82-0x0000000000A70000-0x0000000000B4F000-memory.dmp

Filesize
892KB

Download
memory/1532-92-0x0000000000A70000-0x0000000000B4F000-memory.dmp

Filesize
892KB

Download
memory/1532-91-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1532-95-0x0000000000A70000-0x0000000000B4F000-memory.dmp

Filesize
892KB

Download
memory/1532-101-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1904-64-0x0000000000400000-0x00000000006F3000-memory.dmp

Filesize
2.9MB

Download