modiloader | ad0313e5c846916859f4b2166f89c87290d41b7d04a5352d38fb700d98297cb6

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
Size

554KB
MD5

023a0256b1cbc2ec41c7b6e1193ad65f
SHA1

43dc185bb5fc8e4afaf6b859f9013cc8ab57ca5a
SHA256

ad0313e5c846916859f4b2166f89c87290d41b7d04a5352d38fb700d98297cb6
SHA512

2a397659debc5b2f46fa1dfe221483fcc63429f99c2fb56827209dd2d0ab401da35d219108f7b0686226c887c12e8a51b2f5640742332ad4c8ef97d1da6e5cec
SSDEEP

6144:xOr2DKVquhuUpmpc+bBXW0Gpr2DKVquhuUpmpc+bBXW0Gpr2DKVquhuUpmpc+bBF:xgEK8hc+NGPEK8hc+NGPEK8hc+NGW

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 21 IoCs

resource	yara_rule
behavioral1/memory/1736-14-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/3928-27-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/3928-26-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/3624-43-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1736-45-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1736-46-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/1736-59-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-71-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-74-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-76-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-80-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-84-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-89-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-93-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-97-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-101-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-105-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-109-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-113-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-117-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral1/memory/6444-121-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Executes dropped EXE 4 IoCs

pid	Process
1736	Meu Primeiro TROJAN.exe
3928	Meu Primeiro TROJAN.exe
3624	Meu Primeiro TROJAN.exe
6444	mstwain32.exe

Loads dropped DLL 7 IoCs

pid	Process
628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
1736	Meu Primeiro TROJAN.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Meu Primeiro TROJAN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

UPX packed file 25 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0010000000013439-4.dat	upx
behavioral1/memory/1736-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/3928-27-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/3928-26-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/628-40-0x00000000026A0000-0x00000000026EF000-memory.dmp	upx
behavioral1/memory/3624-39-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/3624-43-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1736-45-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1736-46-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-62-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/1736-59-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-71-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-74-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-76-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-80-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-84-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-89-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-93-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-97-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-101-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-105-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-109-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-113-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-117-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral1/memory/6444-121-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	Meu Primeiro TROJAN.exe
File opened for modification	C:\Windows\mstwain32.exe	Meu Primeiro TROJAN.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
5668	taskkill.exe
2568	taskkill.exe
3612	taskkill.exe
3772	taskkill.exe
268	taskkill.exe
2596	taskkill.exe
2720	taskkill.exe
484	taskkill.exe
5764	taskkill.exe
2944	taskkill.exe
2212	taskkill.exe
3836	taskkill.exe
4360	taskkill.exe
5744	taskkill.exe
5900	taskkill.exe
5536	taskkill.exe
2888	taskkill.exe
2604	taskkill.exe
3060	taskkill.exe
5688	taskkill.exe
2160	taskkill.exe
2700	taskkill.exe
2564	taskkill.exe
3592	taskkill.exe
5472	taskkill.exe
2280	taskkill.exe
1912	taskkill.exe
2228	taskkill.exe
3536	taskkill.exe
3584	taskkill.exe
5912	taskkill.exe
5608	taskkill.exe
5572	taskkill.exe
3544	taskkill.exe
3572	taskkill.exe
3740	taskkill.exe
4036	taskkill.exe
3872	taskkill.exe
4052	taskkill.exe
3436	taskkill.exe
5928	taskkill.exe
5936	taskkill.exe
2812	taskkill.exe
2828	taskkill.exe
3804	taskkill.exe
4020	taskkill.exe
5460	taskkill.exe
3820	taskkill.exe
4044	taskkill.exe
4004	taskkill.exe
3980	taskkill.exe
2672	taskkill.exe
2656	taskkill.exe
3012	taskkill.exe
3784	taskkill.exe
6048	taskkill.exe
4088	taskkill.exe
5716	taskkill.exe
5844	taskkill.exe
5944	taskkill.exe
3508	taskkill.exe
3396	taskkill.exe
3916	taskkill.exe
5612	taskkill.exe

Modifies registry key 1 TTPs 42 IoCs

Modify Registry

T1112

pid	Process
2276	reg.exe
5248	reg.exe
5428	reg.exe
4144	reg.exe
2148	reg.exe
2148	reg.exe
5420	reg.exe
5420	reg.exe
6496	reg.exe
1360	reg.exe
1968	reg.exe
5468	reg.exe
6016	reg.exe
5588	reg.exe
3300	reg.exe
2244	reg.exe
1964	reg.exe
5236	reg.exe
5412	reg.exe
2508	reg.exe
3452	reg.exe
5456	reg.exe
5528	reg.exe
4884	reg.exe
6212	reg.exe
6252	reg.exe
1268	reg.exe
2376	reg.exe
2836	reg.exe
5396	reg.exe
6244	reg.exe
4952	reg.exe
5568	reg.exe
6176	reg.exe
1948	reg.exe
1360	reg.exe
5364	reg.exe
5440	reg.exe
4104	reg.exe
5404	reg.exe
5372	reg.exe
6048	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	1736	Meu Primeiro TROJAN.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	584	taskkill.exe
Token: SeDebugPrivilege	2720	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	2944	taskkill.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeDebugPrivilege	2672	taskkill.exe
Token: SeDebugPrivilege	2564	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	2128	taskkill.exe
Token: SeDebugPrivilege	2596	taskkill.exe
Token: SeDebugPrivilege	1912	taskkill.exe
Token: SeDebugPrivilege	484	taskkill.exe
Token: SeDebugPrivilege	2164	taskkill.exe
Token: SeDebugPrivilege	2004	taskkill.exe
Token: SeDebugPrivilege	2368	taskkill.exe
Token: SeBackupPrivilege	1508	vssvc.exe
Token: SeRestorePrivilege	1508	vssvc.exe
Token: SeAuditPrivilege	1508	vssvc.exe
Token: SeDebugPrivilege	2568	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	3060	taskkill.exe
Token: SeDebugPrivilege	3012	taskkill.exe
Token: SeDebugPrivilege	3572	taskkill.exe
Token: SeDebugPrivilege	3592	taskkill.exe
Token: SeDebugPrivilege	3612	taskkill.exe
Token: SeDebugPrivilege	3536	taskkill.exe
Token: SeDebugPrivilege	3628	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	4036	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	4052	taskkill.exe
Token: SeDebugPrivilege	4088	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	3784	taskkill.exe
Token: SeDebugPrivilege	3740	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	3396	taskkill.exe
Token: SeDebugPrivilege	3764	taskkill.exe
Token: SeDebugPrivilege	3236	taskkill.exe
Token: SeDebugPrivilege	4060	taskkill.exe
Token: SeDebugPrivilege	4028	taskkill.exe
Token: SeDebugPrivilege	3980	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeDebugPrivilege	4020	taskkill.exe
Token: SeDebugPrivilege	268	taskkill.exe
Token: SeDebugPrivilege	3508	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	3836	taskkill.exe
Token: SeDebugPrivilege	3772	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2104	DllHost.exe
2104	DllHost.exe
2104	DllHost.exe
1736	Meu Primeiro TROJAN.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
2104	DllHost.exe
2104	DllHost.exe
2104	DllHost.exe
2104	DllHost.exe
2104	DllHost.exe
2104	DllHost.exe
6444	mstwain32.exe
6444	mstwain32.exe
2104	DllHost.exe
2104	DllHost.exe
2104	DllHost.exe
2104	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1720	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	31
PID 628 wrote to memory of 1720	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	31
PID 628 wrote to memory of 1720	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	31
PID 628 wrote to memory of 1720	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	31
PID 628 wrote to memory of 584	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	32
PID 628 wrote to memory of 584	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	32
PID 628 wrote to memory of 584	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	32
PID 628 wrote to memory of 584	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	32
PID 628 wrote to memory of 1832	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	33
PID 628 wrote to memory of 1832	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	33
PID 628 wrote to memory of 1832	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	33
PID 628 wrote to memory of 1832	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	33
PID 628 wrote to memory of 2700	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	35
PID 628 wrote to memory of 2700	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	35
PID 628 wrote to memory of 2700	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	35
PID 628 wrote to memory of 2700	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	35
PID 628 wrote to memory of 2160	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	36
PID 628 wrote to memory of 2160	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	36
PID 628 wrote to memory of 2160	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	36
PID 628 wrote to memory of 2160	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	36
PID 628 wrote to memory of 2764	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	39
PID 628 wrote to memory of 2764	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	39
PID 628 wrote to memory of 2764	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	39
PID 628 wrote to memory of 2764	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	39
PID 628 wrote to memory of 2944	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	42
PID 628 wrote to memory of 2944	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	42
PID 628 wrote to memory of 2944	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	42
PID 628 wrote to memory of 2944	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	42
PID 628 wrote to memory of 2828	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	43
PID 628 wrote to memory of 2828	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	43
PID 628 wrote to memory of 2828	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	43
PID 628 wrote to memory of 2828	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	43
PID 628 wrote to memory of 2812	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	44
PID 628 wrote to memory of 2812	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	44
PID 628 wrote to memory of 2812	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	44
PID 628 wrote to memory of 2812	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	44
PID 628 wrote to memory of 2816	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	45
PID 628 wrote to memory of 2816	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	45
PID 628 wrote to memory of 2816	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	45
PID 628 wrote to memory of 2816	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	45
PID 628 wrote to memory of 2564	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	46
PID 628 wrote to memory of 2564	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	46
PID 628 wrote to memory of 2564	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	46
PID 628 wrote to memory of 2564	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	46
PID 628 wrote to memory of 2280	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	47
PID 628 wrote to memory of 2280	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	47
PID 628 wrote to memory of 2280	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	47
PID 628 wrote to memory of 2280	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	47
PID 628 wrote to memory of 2672	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	48
PID 628 wrote to memory of 2672	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	48
PID 628 wrote to memory of 2672	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	48
PID 628 wrote to memory of 2672	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	48
PID 628 wrote to memory of 2888	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	52
PID 628 wrote to memory of 2888	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	52
PID 628 wrote to memory of 2888	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	52
PID 628 wrote to memory of 2888	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	52
PID 628 wrote to memory of 2596	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	54
PID 628 wrote to memory of 2596	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	54
PID 628 wrote to memory of 2596	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	54
PID 628 wrote to memory of 2596	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	54
PID 628 wrote to memory of 2720	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	55
PID 628 wrote to memory of 2720	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	55
PID 628 wrote to memory of 2720	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	55
PID 628 wrote to memory of 2720	628	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	55

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2944
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2828
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:2816
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:1360
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2596
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:1968
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2836
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:2140
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:1948
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2384
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:1268
- C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe
  "C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1736
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:6444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2244
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2128
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2164
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2368
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1508
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:2508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:1764
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:836
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:1968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:1884
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:2272
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:1948
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:1360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3396
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3452
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3536
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:3564
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:5512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3636
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3644
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:4104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:3852
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:5364
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:3868
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:5456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:3876
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:5404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:3884
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:5428
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:3892
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:5248
- C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe
  "C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe"
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5372
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3980
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:4012
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:5388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:5532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4020
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4076
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:5236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3608
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5412
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:3664
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:5440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:3904
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:5396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:4072
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:5468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3208
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:5420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:5320
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5588
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  PID:5620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:5680
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:5776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:5792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  PID:5716
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  PID:5744
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  PID:5844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:5852
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:5528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  PID:5884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  PID:5928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  PID:5944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:5952
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:6016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:6048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:5552
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5572
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:4884
- C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe
  "C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe"
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3208
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  PID:5460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  PID:3872
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3868
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3300
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  PID:3916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  PID:5472
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  PID:4900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  PID:5608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  PID:5612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  PID:5536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:4276
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:5568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  PID:5668
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4744
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  PID:6048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  PID:4360
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:5572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4012
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:6252
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:4144
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:3300
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5564
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:6212
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:6176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:6036
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:6244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:6388
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:6496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1508

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12643878631017962603105541765042752657463753324-15034351471082700948-1123309041"
1⤵
PID:3452

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-399460271143350608934210752-1784154364-59633458616923270698434942581996919322"
1⤵
PID:5388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-139070041-1206070518-1153856469-1677831908-1160775563-594211407-1297044602-1373036412"
1⤵
PID:5588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1121856116100138064-482088110-323189848993411008-145349745015715807671617973601"
1⤵
PID:5776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2059924640-499576354-2019116492288604779-122453848214590626-4738698661539364462"
1⤵
PID:5396

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-703459920370633595127544039460250351-21157939981323323842-814459567-568576501"
1⤵
PID:3852

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1701037896138729446-1785379581-121623003-1500675035-2021482726-16679800591201438861"
1⤵
PID:6016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12109495520684266391948443699-414524210397966974-611619010747043886-834228216"
1⤵
PID:5420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\teste-22-06-09.jpg

Filesize
63KB

MD5
ead7f824f2872978aef0b1449301a9cd

SHA1
07d20939548527109bdd6a33b089d521053f6fe6

SHA256
bac808d1cf19fb27e55cf9849891750abc7a8b37829ba9ca588d1ebf8654a64c

SHA512
7436cb5aa2cb61ae65fdb90b625f493b64863647036aa960b0bc9cc1030e269b7f10a8ba181ebf8c24f4504c983983ab9c717f7e0ca86f7b83365232c666aa35

Download Submit
C:\Windows\cmsetac.dll

Filesize
32KB

MD5
9f43aa01bf23ddbc1233e0dd789fb3ff

SHA1
6d6505f41dcd0b7bb068c51578000a6b962854fa

SHA256
27287f50ac30186afe7b6b3bf3a0cc35889d7956cb9073cfab30fdad5378d610

SHA512
796c527da2a03bbb7ec067e2761777ead3b9d7e48095653850668a8aa20e332e5477072f00ee79d6c520cd293f6aa240f134d658dbc7e8d33e24a34a003920b9

Download Submit
\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe

Filesize
110KB

MD5
a4b88da80f58e93ed949f53b689768c2

SHA1
2c3380be790a5de08663f39105f57f7f39efe171

SHA256
a0e7c9603e704769a1200da2901d95d1e0b207b70bff66a3497be5da7981c5db

SHA512
5e068449ea180217e5af90408d4aa70609cbfc64b95b599f93e2f034c41ab2758b7b72f140614ec9a88f62910b2c12d3fdffde1289106d73127c8a153580ef8a

Download Submit
memory/628-37-0x00000000026A0000-0x00000000026EF000-memory.dmp

Filesize
316KB

Download
memory/628-13-0x00000000026A0000-0x00000000026EF000-memory.dmp

Filesize
316KB

Download
memory/628-6-0x00000000026A0000-0x00000000026EF000-memory.dmp

Filesize
316KB

Download
memory/628-15-0x0000000003500000-0x0000000003502000-memory.dmp

Filesize
8KB

Download
memory/628-38-0x00000000026A0000-0x00000000026EF000-memory.dmp

Filesize
316KB

Download
memory/628-40-0x00000000026A0000-0x00000000026EF000-memory.dmp

Filesize
316KB

Download
memory/1736-46-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1736-45-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1736-53-0x0000000003C10000-0x0000000003C20000-memory.dmp

Filesize
64KB

Download
memory/1736-60-0x0000000003C10000-0x0000000003C5F000-memory.dmp

Filesize
316KB

Download
memory/1736-59-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1736-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2104-16-0x00000000001F0000-0x00000000001F2000-memory.dmp

Filesize
8KB

Download
memory/2104-70-0x0000000006D10000-0x0000000006D1E000-memory.dmp

Filesize
56KB

Download
memory/2104-69-0x0000000006D10000-0x0000000006D1E000-memory.dmp

Filesize
56KB

Download
memory/3624-39-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3624-43-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3928-26-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3928-27-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-66-0x0000000001EB0000-0x0000000001EBE000-memory.dmp

Filesize
56KB

Download
memory/6444-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-72-0x0000000000270000-0x0000000000278000-memory.dmp

Filesize
32KB

Download
memory/6444-73-0x0000000001EB0000-0x0000000001EBE000-memory.dmp

Filesize
56KB

Download
memory/6444-71-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-74-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-76-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-80-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-84-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-89-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-93-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-97-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-101-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-105-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-109-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-113-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-117-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6444-121-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads