Analysis

  • max time kernel
    68s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
  • submitted
    03-11-2024 19:56

General

  • Target

    8d3a32159364e0bd9b4caca95d17ed1b_JaffaCakes118.exe

  • Size

    1.6MB

  • MD5

    8d3a32159364e0bd9b4caca95d17ed1b

  • SHA1

    60f8b95bc9476c535b22d10eb1a94393f593a197

  • SHA256

    d7f747164758452f7d573ed768fadb9450361671c33453a99229c27a2db360ea

  • SHA512

    c2028626b9aeea9a6bd4c7bddd77db12063dce73d609c19e54e27d79b2232190e2930357d0b2e697b07a2e71b137322d20bf35a3a129635710a67dadff993670

  • SSDEEP

    49152:TXla1FgP4/vI+uNrwwnUyWyuadT2+3GSSrPkLIPS:TXIr/ONRp2+WSSwL7

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

  • Ardamax family
  • Ardamax main executable 1 IoCs
  • Disables RegEdit via registry modification 1 IoCs
  • Disables Task Manager via registry modification
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 11 IoCs
  • Themida packer 1 IoCs

    Detects Themida, an advanced Windows software protection system.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Drops file in System32 directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 30 IoCs
  • Modifies registry key 1 TTPs 22 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8d3a32159364e0bd9b4caca95d17ed1b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8d3a32159364e0bd9b4caca95d17ed1b_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im egui.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2936
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ekrn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop "Panda anti-virus service"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2812
      • C:\Windows\SysWOW64\net.exe
        net stop "Panda anti-virus service"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2620
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Panda anti-virus service"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3028
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ApVxdWin.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2120
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im AVENGINE.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2796
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im pavsrv51.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1660
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im psimreal.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im PsImSvc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3060
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im WebProxy.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2844
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2116
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:3008
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcagent.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcdash.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2696
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mghtml.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcmnhdlr.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcvsshld.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1624
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im McVSEscn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcvsftsn.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2588
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2376
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
      2⤵
      PID:3056
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2176
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2612
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
        3⤵
        • Modifies registry key
        PID:2108
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3020
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
        3⤵
        • Modifies registry key
        PID:2236
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2512
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2384
    • C:\Users\Admin\AppData\Local\Temp\Wiolus Down NecrolandOTS.exe
      "C:\Users\Admin\AppData\Local\Temp\Wiolus Down NecrolandOTS.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1536
      • C:\Windows\SysWOW64\28463\EVBH.exe
        "C:\Windows\system32\28463\EVBH.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2532
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\EVBH.exe > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3976
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      2⤵
      PID:2624
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2124
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1492
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:996
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2040
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • Disables RegEdit via registry modification
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:696
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:864
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1608
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      PID:1864
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1692
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im egui.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:440
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ekrn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:612
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop "Panda anti-virus service"
      2⤵
      PID:1868
      • C:\Windows\SysWOW64\net.exe
        net stop "Panda anti-virus service"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3048
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Panda anti-virus service"
          4⤵
          PID:1260
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ApVxdWin.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2008
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im AVENGINE.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im pavsrv51.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1736
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im psimreal.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2240
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im PsImSvc.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2316
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im WebProxy.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2528
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2040
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcagent.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:552
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcdash.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1740
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mghtml.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcmnhdlr.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1020
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcvsshld.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:968
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im McVSEscn.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1812
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im mcvsftsn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2284
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
      2⤵
      PID:2536
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1528
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
      2⤵
      PID:2124
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
        3⤵
        • Modifies registry key
        PID:2456
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:560
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:2280
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2516
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1864
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:920
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:1728
    • C:\Windows\SysWOW64\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Magebot.txt
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Opens file in notepad (likely ransom note)
      PID:1712
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1596
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        3⤵
        • Modifies registry key
        PID:3100
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1592
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
        3⤵
        • Modifies registry key
        PID:3236
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1484
      • C:\Windows\SysWOW64\reg.exe
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • Modifies registry key
        PID:3244
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1688
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • Modifies registry key
        PID:3252
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3076
      • C:\Windows\SysWOW64\reg.exe
        reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
        3⤵
        • Modifies registry key
        PID:3164
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "1555683537-789708672-2740244959836448141599811301774341973-466685903635539492"
    1⤵
    PID:1608
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "19444866401338008843-95409192-1398362472-692536064-716192393-272772778-1834516346"
    1⤵
    PID:696
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1815066771-21713344-1959243348-319517393749113191349641801783850493-1316538028"
    1⤵
    PID:1692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Magebot.txt

    Filesize

    57B

    MD5

    ec0474252a07ba8ee011c4d97d3500ae

    SHA1

    3a9a9f979fa0ec9517472e833a21ca8c88ab2090

    SHA256

    66f1b1dbf3e0fa23498266d22e3b0d800b347d590e4a0f154401c26cdcc5c040

    SHA512

    4308d5bda3f7ecadd30a7543965ca185fe8272be0e02f14ffae08996aecf5d9affc7b565730b66f0c234f1d4a6ea6415086fcf51ce0773c03d05905fafcea338

  • C:\Windows\SysWOW64\28463\AKV.exe

    Filesize

    395KB

    MD5

    b8fa30233794772b8b76b4b1d91c7321

    SHA1

    0cf9561be2528944285e536f41d502be24c3aa87

    SHA256

    14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

    SHA512

    10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

  • C:\Windows\SysWOW64\28463\EVBH.001

    Filesize

    464B

    MD5

    2d3b014db917bb0d94ebe8c68e8725be

    SHA1

    945791823fce1accec88c98d8416545f5c6cd972

    SHA256

    2cde7b0fa17fe7238fdec6314d31166dde2e631194850dd9550b68064f8e629c

    SHA512

    3e7aac1f3772b1ad1e13770563d4c7c8681adf9844e3a4db87b905ec683265c2f71ffd61d0b61ca8caf509ad5096f566c2434f6b4a8a6cd0a8ee3f633e634a52

  • C:\Windows\SysWOW64\28463\EVBH.006

    Filesize

    8KB

    MD5

    43f02e9974b1477c1e6388882f233db0

    SHA1

    f3e27b231193f8d5b2e1b09d05ae3a62795cf339

    SHA256

    3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

    SHA512

    e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

  • C:\Windows\SysWOW64\28463\EVBH.007

    Filesize

    5KB

    MD5

    b5a87d630436f958c6e1d82d15f98f96

    SHA1

    d3ff5e92198d4df0f98a918071aca53550bf1cff

    SHA256

    a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

    SHA512

    fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

  • \Users\Admin\AppData\Local\Temp\@60A7.tmp

    Filesize

    4KB

    MD5

    c3679c3ff636d1a6b8c65323540da371

    SHA1

    d184758721a426467b687bec2a4acc80fe44c6f8

    SHA256

    d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

    SHA512

    494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

  • \Users\Admin\AppData\Local\Temp\Wiolus Down NecrolandOTS.exe

    Filesize

    520KB

    MD5

    4170f7254ffb52d1034eb7302d73692c

    SHA1

    d1dd75aab093849261722800043c6c38dcdb91ec

    SHA256

    c339390631eb529bf4b5a5573d1c8f14d8e49e05046aec77d87368120036c3e2

    SHA512

    d4d41f480b4e63656eb733695c753628aeac186b1ffd383fdb14b19aa8d21c3ebbbe15a4db5082f7833da7cf134b1ac54fbb41727545ac03a162109b8d8e83e5

  • \Windows\SysWOW64\28463\EVBH.exe

    Filesize

    473KB

    MD5

    17535dddecf8cb1efdba1f1952126547

    SHA1

    a862a9a3eb6c201751be1038537522a5281ea6cb

    SHA256

    1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

    SHA512

    b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

  • memory/1656-2-0x0000000000401000-0x0000000000407000-memory.dmp

    Filesize

    24KB

  • memory/1656-0-0x0000000000260000-0x0000000000261000-memory.dmp

    Filesize

    4KB

  • memory/1656-1-0x00000000002C0000-0x00000000003A5000-memory.dmp

    Filesize

    916KB

  • memory/1656-51-0x0000000000401000-0x0000000000407000-memory.dmp

    Filesize

    24KB

  • memory/1656-50-0x0000000000400000-0x0000000000513000-memory.dmp

    Filesize

    1.1MB