ardamax | 155589ead63418556f73500f533625ba485e713c850141503e13bb986daa558f

Analysis

max time kernel
142s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe
Size

1.8MB
MD5

7771138bc9285f86a94bdce1d8971b0d
SHA1

6565ccc177f068c578866608061c607dd4de0184
SHA256

155589ead63418556f73500f533625ba485e713c850141503e13bb986daa558f
SHA512

727e9e279851dca7bdd4910e0096b0f24558a38dd2863c7293acef1a5bb9779ac66fe817b08a564b9a93a1b612f1a7aba8d45876a3f200d5e77408755b6fff97
SSDEEP

49152:iDlgqip4B4bJF3ZdgNz+xDlgqip4B4bJF3ZdgNz+t:XpPX3+ppPX3+0

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000e000000023bae-32.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 4 IoCs

pid	Process
2880	Install.exe
5640	Install.exe
2228	ERGE.exe
5224	ERGE.exe

Loads dropped DLL 8 IoCs

pid	Process
2880	Install.exe
5640	Install.exe
2228	ERGE.exe
2228	ERGE.exe
2228	ERGE.exe
5224	ERGE.exe
5224	ERGE.exe
5224	ERGE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ERGE Agent = "C:\\Windows\\SysWOW64\\28463\\ERGE.exe"	ERGE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\ERGE.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\ERGE.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\ERGE.007	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\ERGE.001	Install.exe
File created	C:\Windows\SysWOW64\28463\ERGE.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\ERGE.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\ERGE.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	ERGE.exe
File created	C:\Windows\SysWOW64\28463\ERGE.007	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ERGE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 60 IoCs

evasion

pid	Process
4476	taskkill.exe
5816	taskkill.exe
4116	taskkill.exe
4896	taskkill.exe
5800	taskkill.exe
5768	taskkill.exe
5744	taskkill.exe
5728	taskkill.exe
964	taskkill.exe
2032	taskkill.exe
5088	taskkill.exe
1392	taskkill.exe
5668	taskkill.exe
4452	taskkill.exe
1320	taskkill.exe
3124	taskkill.exe
4764	taskkill.exe
5072	taskkill.exe
4084	taskkill.exe
5712	taskkill.exe
5040	taskkill.exe
4644	taskkill.exe
1912	taskkill.exe
3740	taskkill.exe
2204	taskkill.exe
5760	taskkill.exe
872	taskkill.exe
2832	taskkill.exe
3648	taskkill.exe
436	taskkill.exe
5828	taskkill.exe
5780	taskkill.exe
5676	taskkill.exe
3692	taskkill.exe
640	taskkill.exe
4620	taskkill.exe
2092	taskkill.exe
4684	taskkill.exe
5720	taskkill.exe
1156	taskkill.exe
2648	taskkill.exe
1832	taskkill.exe
4184	taskkill.exe
1816	taskkill.exe
5788	taskkill.exe
1340	taskkill.exe
4516	taskkill.exe
4388	taskkill.exe
4780	taskkill.exe
2844	taskkill.exe
2664	taskkill.exe
3564	taskkill.exe
1788	taskkill.exe
4232	taskkill.exe
1472	taskkill.exe
432	taskkill.exe
3464	taskkill.exe
5736	taskkill.exe
4056	taskkill.exe
5696	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\ = "SysFxUi 1.0 Type Library"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\VersionIndependentProgID\ = "Control.TaskSymbol"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\1.0\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\1.0\0\win32\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\1.0\FLAGS\	ERGE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\ToolboxBitmap32\ = "mmcndmgr.dll, 101"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\Version\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\ToolboxBitmap32	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\HELPDIR	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\HELPDIR\ = "%SystemRoot%\\System32"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\1.0\0\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\SysFxUI.dll"	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\Version	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\VersionIndependentProgID\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\Version	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\Implemented Categories	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\Implemented Categories\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\InprocServer32	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\Programmable	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\TypeLib	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\MiscStatus\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\ProgID	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\ProgID\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\ProgID\ = "Control.TaskSymbol.1"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\ToolboxBitmap32\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\1.0	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\Version\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\1.0\0\win32	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\1.0\0	ERGE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\Control	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\MiscStatus\ = "0"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\TypeLib\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\TypeLib	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\TypeLib\ = "{D748D817-6719-DF66-5F32-BC17059287E9}"	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\VersionIndependentProgID	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\Programmable\	ERGE.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\0\win32	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\0\win32\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\FLAGS	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\Version\ = "1.0"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\0	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\TypeLib\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\Version\ = "1.0"	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\TypeLib\ = "{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\Control\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\0\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0\HELPDIR\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\InprocServer32\ = "%SystemRoot%\\SysWow64\\mmcndmgr.dll"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{67555938-CB68-41DD-98B0-127C313018C8}\InprocServer32\	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D8D20BD2-F258-DA0A-7F9A-EB4EDE46879A}\1.0\FLAGS\ = "0"	ERGE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12706B95-04D7-42F1-08B2-C038EE76FC28}\InprocServer32\	ERGE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D748D817-6719-DF66-5F32-BC17059287E9}\1.0	ERGE.exe

Modifies registry key 1 TTPs 24 IoCs

Modify Registry

T1112

pid	Process
8048	reg.exe
8124	reg.exe
8076	reg.exe
3448	reg.exe
1820	reg.exe
7060	reg.exe
7084	reg.exe
7076	reg.exe
2552	reg.exe
3716	reg.exe
2472	reg.exe
4780	reg.exe
8136	reg.exe
8148	reg.exe
4180	reg.exe
7952	reg.exe
8088	reg.exe
2848	reg.exe
2152	reg.exe
6860	reg.exe
7140	reg.exe
7152	reg.exe
7996	reg.exe
2836	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	4780	taskkill.exe
Token: SeDebugPrivilege	2032	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	1788	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	1816	taskkill.exe
Token: SeDebugPrivilege	4116	taskkill.exe
Token: SeDebugPrivilege	2092	taskkill.exe
Token: SeDebugPrivilege	4896	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	2648	taskkill.exe
Token: SeDebugPrivilege	2664	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	4184	taskkill.exe
Token: SeDebugPrivilege	2204	taskkill.exe
Token: SeDebugPrivilege	872	taskkill.exe
Token: SeDebugPrivilege	432	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	1320	taskkill.exe
Token: SeDebugPrivilege	964	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	3464	taskkill.exe
Token: SeDebugPrivilege	4644	taskkill.exe
Token: SeDebugPrivilege	4452	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	3648	taskkill.exe
Token: SeDebugPrivilege	4084	taskkill.exe
Token: SeDebugPrivilege	4232	taskkill.exe
Token: SeDebugPrivilege	436	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	3692	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	5040	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	5728	taskkill.exe
Token: SeDebugPrivilege	5736	taskkill.exe
Token: SeDebugPrivilege	5744	taskkill.exe
Token: SeDebugPrivilege	5696	taskkill.exe
Token: SeDebugPrivilege	5780	taskkill.exe
Token: SeDebugPrivilege	5768	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	5788	taskkill.exe
Token: SeDebugPrivilege	5712	taskkill.exe
Token: SeDebugPrivilege	5828	taskkill.exe
Token: SeDebugPrivilege	5720	taskkill.exe
Token: SeDebugPrivilege	5800	taskkill.exe
Token: SeDebugPrivilege	5816	taskkill.exe
Token: SeDebugPrivilege	5760	taskkill.exe
Token: SeDebugPrivilege	5668	taskkill.exe
Token: SeDebugPrivilege	5676	taskkill.exe
Token: 33	2228	ERGE.exe
Token: SeIncBasePriorityPrivilege	2228	ERGE.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe
2228	ERGE.exe
2228	ERGE.exe
2228	ERGE.exe
2228	ERGE.exe
2228	ERGE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 4780	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	84
PID 864 wrote to memory of 4780	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	84
PID 864 wrote to memory of 4780	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	84
PID 864 wrote to memory of 2032	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	85
PID 864 wrote to memory of 2032	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	85
PID 864 wrote to memory of 2032	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	85
PID 864 wrote to memory of 2200	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	86
PID 864 wrote to memory of 2200	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	86
PID 864 wrote to memory of 2200	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	86
PID 864 wrote to memory of 1788	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	87
PID 864 wrote to memory of 1788	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	87
PID 864 wrote to memory of 1788	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	87
PID 864 wrote to memory of 1816	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	89
PID 864 wrote to memory of 1816	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	89
PID 864 wrote to memory of 1816	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	89
PID 864 wrote to memory of 4896	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	90
PID 864 wrote to memory of 4896	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	90
PID 864 wrote to memory of 4896	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	90
PID 864 wrote to memory of 2648	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	91
PID 864 wrote to memory of 2648	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	91
PID 864 wrote to memory of 2648	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	91
PID 864 wrote to memory of 4056	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	92
PID 864 wrote to memory of 4056	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	92
PID 864 wrote to memory of 4056	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	92
PID 864 wrote to memory of 2832	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	93
PID 864 wrote to memory of 2832	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	93
PID 864 wrote to memory of 2832	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	93
PID 864 wrote to memory of 2336	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	94
PID 864 wrote to memory of 2336	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	94
PID 864 wrote to memory of 2336	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	94
PID 864 wrote to memory of 4116	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	95
PID 864 wrote to memory of 4116	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	95
PID 864 wrote to memory of 4116	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	95
PID 864 wrote to memory of 3564	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	97
PID 864 wrote to memory of 3564	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	97
PID 864 wrote to memory of 3564	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	97
PID 864 wrote to memory of 2092	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	98
PID 864 wrote to memory of 2092	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	98
PID 864 wrote to memory of 2092	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	98
PID 864 wrote to memory of 3124	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	99
PID 864 wrote to memory of 3124	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	99
PID 864 wrote to memory of 3124	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	99
PID 864 wrote to memory of 2664	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	100
PID 864 wrote to memory of 2664	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	100
PID 864 wrote to memory of 2664	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	100
PID 864 wrote to memory of 4620	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	101
PID 864 wrote to memory of 4620	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	101
PID 864 wrote to memory of 4620	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	101
PID 864 wrote to memory of 640	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	102
PID 864 wrote to memory of 640	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	102
PID 864 wrote to memory of 640	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	102
PID 864 wrote to memory of 3604	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	103
PID 864 wrote to memory of 3604	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	103
PID 864 wrote to memory of 3604	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	103
PID 864 wrote to memory of 1804	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	105
PID 864 wrote to memory of 1804	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	105
PID 864 wrote to memory of 1804	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	105
PID 864 wrote to memory of 1072	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	106
PID 864 wrote to memory of 1072	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	106
PID 864 wrote to memory of 1072	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	106
PID 864 wrote to memory of 748	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	107
PID 864 wrote to memory of 748	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	107
PID 864 wrote to memory of 748	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	107
PID 864 wrote to memory of 728	864	7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe	108

C:\Users\Admin\AppData\Local\Temp\7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:2200
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:7052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4896
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:7084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:3604
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:7152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:6860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:7060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:748
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:7076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:728
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:7140
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2880
- - C:\Windows\SysWOW64\28463\ERGE.exe
    "C:\Windows\system32\28463\ERGE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:5224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:8104
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1392
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:3096
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:8048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:432
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:8076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3748
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:7952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4864
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:8136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2104
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:7996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:8180
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3692
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4644
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:2472
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3480
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:1168
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4444
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3988
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:4980
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:8088
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:5640
- - C:\Windows\SysWOW64\28463\ERGE.exe
    "C:\Windows\system32\28463\ERGE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5688
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:212
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5720
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5736
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5744
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:5752
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5760
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5836
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5844
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:5856
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:2552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5868
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:1748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:3676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:5288

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\7771138bc9285f86a94bdce1d8971b0d_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:6344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:7952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@924D.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
864KB

MD5
8018b6b440c1c4676ef26c882b2d4545

SHA1
f1baa7bdb9695ad8984d9e995aa495f68ab4bf74

SHA256
be3398c78172707c4703519e5aba3697ad8268d69de080940576a020729e298d

SHA512
d3773163a294dbde820b43b35196b9816bfddfd50dd3c0af76ebcb98b507bbee7b64383c4300e7eed047ade4a97097f183fa2229914e98d8c4eaa8ab4a1e4bc7

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Windows\SysWOW64\28463\ERGE.001

Filesize
522B

MD5
32330aa0a2c5d84861e48c12782486a1

SHA1
a6ae3b661b7e27b344fd1c5227132791db39af09

SHA256
8221f0558f1a4094576c6e8ce4b0e3c9d796ccf30b2a78b0c7f7c40c2df5fdda

SHA512
9d742a3257035c6198ab982348a138d3c470b9c19e6be9d93eacc060b7a2c4702a96ab829bd9221c8b4b22e2a69cb8b01c3c521e4499b29c185e7f47331c10d2

Download Submit
C:\Windows\SysWOW64\28463\ERGE.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\ERGE.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\ERGE.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/2228-40-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2228-61-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2228-65-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5224-60-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads