modiloader | ad0313e5c846916859f4b2166f89c87290d41b7d04a5352d38fb700d98297cb6

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-01-2025 05:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
Size

554KB
MD5

023a0256b1cbc2ec41c7b6e1193ad65f
SHA1

43dc185bb5fc8e4afaf6b859f9013cc8ab57ca5a
SHA256

ad0313e5c846916859f4b2166f89c87290d41b7d04a5352d38fb700d98297cb6
SHA512

2a397659debc5b2f46fa1dfe221483fcc63429f99c2fb56827209dd2d0ab401da35d219108f7b0686226c887c12e8a51b2f5640742332ad4c8ef97d1da6e5cec
SSDEEP

6144:xOr2DKVquhuUpmpc+bBXW0Gpr2DKVquhuUpmpc+bBXW0Gpr2DKVquhuUpmpc+bBF:xgEK8hc+NGPEK8hc+NGPEK8hc+NGW

Score

10^/10

modiloader defense_evasion discovery persistence trojan upx

Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
Modiloader family
modiloader

UAC bypass 3 TTPs 1 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

ModiLoader Second Stage 21 IoCs

resource	yara_rule
behavioral2/memory/5080-11-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/6208-16-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/7532-21-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/7532-19-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/6208-14-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5080-22-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5080-35-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-53-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-50-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-54-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-57-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-60-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-63-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-66-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-69-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-72-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-75-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-78-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-81-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-84-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2
behavioral2/memory/5244-87-0x0000000000400000-0x000000000044F000-memory.dmp	modiloader_stage2

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Meu Primeiro TROJAN.exe

Executes dropped EXE 4 IoCs

pid	Process
5080	Meu Primeiro TROJAN.exe
6208	Meu Primeiro TROJAN.exe
7532	Meu Primeiro TROJAN.exe
5244	mstwain32.exe

Loads dropped DLL 4 IoCs

pid	Process
5244	mstwain32.exe
5244	mstwain32.exe
5244	mstwain32.exe
5244	mstwain32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstwain32 = "C:\\Windows\\mstwain32.exe"	mstwain32.exe

Checks whether UAC is enabled 1 TTPs 3 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Meu Primeiro TROJAN.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	mstwain32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c84-6.dat	upx
behavioral2/memory/5080-11-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/6208-16-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/7532-21-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/7532-19-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/6208-14-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5080-22-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-36-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5080-35-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-53-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-50-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-54-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-57-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-60-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-63-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-66-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-69-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-72-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-75-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-78-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-81-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-84-0x0000000000400000-0x000000000044F000-memory.dmp	upx
behavioral2/memory/5244-87-0x0000000000400000-0x000000000044F000-memory.dmp	upx

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mstwain32.exe	Meu Primeiro TROJAN.exe
File opened for modification	C:\Windows\mstwain32.exe	Meu Primeiro TROJAN.exe
File created	C:\Windows\ntdtcstp.dll	mstwain32.exe
File created	C:\Windows\cmsetac.dll	mstwain32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mstwain32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Meu Primeiro TROJAN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 64 IoCs

defense_evasion

pid	Process
560	taskkill.exe
2200	taskkill.exe
5420	taskkill.exe
6232	taskkill.exe
6264	taskkill.exe
7576	taskkill.exe
5492	taskkill.exe
7632	taskkill.exe
6788	taskkill.exe
6708	taskkill.exe
6360	taskkill.exe
3912	taskkill.exe
3320	taskkill.exe
3504	taskkill.exe
6240	taskkill.exe
6256	taskkill.exe
6764	taskkill.exe
2916	taskkill.exe
5408	taskkill.exe
7680	taskkill.exe
6844	taskkill.exe
6796	taskkill.exe
5500	taskkill.exe
5484	taskkill.exe
5452	taskkill.exe
7640	taskkill.exe
7608	taskkill.exe
7592	taskkill.exe
6772	taskkill.exe
6344	taskkill.exe
3840	taskkill.exe
2036	taskkill.exe
5536	taskkill.exe
6280	taskkill.exe
7664	taskkill.exe
6296	taskkill.exe
1556	taskkill.exe
5528	taskkill.exe
5508	taskkill.exe
7656	taskkill.exe
6700	taskkill.exe
6352	taskkill.exe
6336	taskkill.exe
2696	taskkill.exe
2052	taskkill.exe
5428	taskkill.exe
7560	taskkill.exe
6820	taskkill.exe
6748	taskkill.exe
7600	taskkill.exe
6812	taskkill.exe
4792	taskkill.exe
5468	taskkill.exe
5436	taskkill.exe
5392	taskkill.exe
7672	taskkill.exe
7616	taskkill.exe
6804	taskkill.exe
6328	taskkill.exe
6828	taskkill.exe
6732	taskkill.exe
880	taskkill.exe
4888	taskkill.exe
3108	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	rundll32.exe

Modifies registry key 1 TTPs 42 IoCs

Modify Registry

T1112

pid	Process
5240	reg.exe
440	reg.exe
8448	reg.exe
1544	reg.exe
216	reg.exe
5260	reg.exe
5764	reg.exe
5208	reg.exe
5236	reg.exe
8512	reg.exe
4812	reg.exe
5436	reg.exe
6528	reg.exe
1084	reg.exe
5600	reg.exe
5692	reg.exe
5976	reg.exe
8600	reg.exe
8524	reg.exe
2704	reg.exe
3936	reg.exe
5464	reg.exe
1920	reg.exe
3036	reg.exe
5980	reg.exe
4900	reg.exe
8424	reg.exe
4660	reg.exe
4316	reg.exe
988	reg.exe
5248	reg.exe
1436	reg.exe
6620	reg.exe
4900	reg.exe
1480	reg.exe
6908	reg.exe
2260	reg.exe
8684	reg.exe
5784	reg.exe
6908	reg.exe
4676	reg.exe
5268	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	2052	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	4012	taskkill.exe
Token: SeDebugPrivilege	2036	taskkill.exe
Token: SeDebugPrivilege	1376	taskkill.exe
Token: SeDebugPrivilege	3840	taskkill.exe
Token: SeDebugPrivilege	2540	taskkill.exe
Token: SeDebugPrivilege	880	taskkill.exe
Token: SeDebugPrivilege	2452	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	2696	taskkill.exe
Token: SeDebugPrivilege	560	taskkill.exe
Token: SeDebugPrivilege	5080	Meu Primeiro TROJAN.exe
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeBackupPrivilege	7900	vssvc.exe
Token: SeRestorePrivilege	7900	vssvc.exe
Token: SeAuditPrivilege	7900	vssvc.exe
Token: SeDebugPrivilege	4548	taskkill.exe
Token: SeDebugPrivilege	4792	taskkill.exe
Token: SeDebugPrivilege	2200	taskkill.exe
Token: SeDebugPrivilege	5436	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	3320	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	4080	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeDebugPrivilege	3504	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	5428	taskkill.exe
Token: SeDebugPrivilege	5408	taskkill.exe
Token: SeDebugPrivilege	5392	taskkill.exe
Token: SeDebugPrivilege	5384	taskkill.exe
Token: SeDebugPrivilege	5420	taskkill.exe
Token: SeDebugPrivilege	5492	taskkill.exe
Token: SeDebugPrivilege	5536	taskkill.exe
Token: SeDebugPrivilege	5452	taskkill.exe
Token: SeDebugPrivilege	5468	taskkill.exe
Token: SeDebugPrivilege	4960	taskkill.exe
Token: SeDebugPrivilege	5516	taskkill.exe
Token: SeDebugPrivilege	5500	taskkill.exe
Token: SeDebugPrivilege	5484	taskkill.exe
Token: SeDebugPrivilege	7640	taskkill.exe
Token: SeDebugPrivilege	6828	taskkill.exe
Token: SeDebugPrivilege	6280	taskkill.exe
Token: SeDebugPrivilege	6724	taskkill.exe
Token: SeDebugPrivilege	6264	taskkill.exe
Token: SeDebugPrivilege	7616	taskkill.exe
Token: SeDebugPrivilege	6788	taskkill.exe
Token: SeDebugPrivilege	6272	taskkill.exe
Token: SeDebugPrivilege	7592	taskkill.exe
Token: SeDebugPrivilege	6748	taskkill.exe
Token: SeDebugPrivilege	6844	taskkill.exe
Token: SeDebugPrivilege	6288	taskkill.exe
Token: SeDebugPrivilege	7648	taskkill.exe
Token: SeDebugPrivilege	6256	taskkill.exe
Token: SeDebugPrivilege	6360	taskkill.exe
Token: SeDebugPrivilege	6812	taskkill.exe
Token: SeDebugPrivilege	6312	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5080	Meu Primeiro TROJAN.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
5244	mstwain32.exe
5244	mstwain32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 2816	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	85
PID 1608 wrote to memory of 2816	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	85
PID 1608 wrote to memory of 2816	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	85
PID 1608 wrote to memory of 2940	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	86
PID 1608 wrote to memory of 2940	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	86
PID 1608 wrote to memory of 2940	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	86
PID 1608 wrote to memory of 3872	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	87
PID 1608 wrote to memory of 3872	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	87
PID 1608 wrote to memory of 3872	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	87
PID 1608 wrote to memory of 1204	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	88
PID 1608 wrote to memory of 1204	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	88
PID 1608 wrote to memory of 1204	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	88
PID 1608 wrote to memory of 560	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	89
PID 1608 wrote to memory of 560	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	89
PID 1608 wrote to memory of 560	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	89
PID 1608 wrote to memory of 880	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	90
PID 1608 wrote to memory of 880	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	90
PID 1608 wrote to memory of 880	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	90
PID 1608 wrote to memory of 1376	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	91
PID 1608 wrote to memory of 1376	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	91
PID 1608 wrote to memory of 1376	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	91
PID 1608 wrote to memory of 2540	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	92
PID 1608 wrote to memory of 2540	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	92
PID 1608 wrote to memory of 2540	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	92
PID 1608 wrote to memory of 2452	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	93
PID 1608 wrote to memory of 2452	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	93
PID 1608 wrote to memory of 2452	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	93
PID 1608 wrote to memory of 3636	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	94
PID 1608 wrote to memory of 3636	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	94
PID 1608 wrote to memory of 3636	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	94
PID 1608 wrote to memory of 4012	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	95
PID 1608 wrote to memory of 4012	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	95
PID 1608 wrote to memory of 4012	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	95
PID 1608 wrote to memory of 2036	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	96
PID 1608 wrote to memory of 2036	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	96
PID 1608 wrote to memory of 2036	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	96
PID 1608 wrote to memory of 2052	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	97
PID 1608 wrote to memory of 2052	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	97
PID 1608 wrote to memory of 2052	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	97
PID 1608 wrote to memory of 3912	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	98
PID 1608 wrote to memory of 3912	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	98
PID 1608 wrote to memory of 3912	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	98
PID 1608 wrote to memory of 1648	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	99
PID 1608 wrote to memory of 1648	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	99
PID 1608 wrote to memory of 1648	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	99
PID 1608 wrote to memory of 2696	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	100
PID 1608 wrote to memory of 2696	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	100
PID 1608 wrote to memory of 2696	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	100
PID 1608 wrote to memory of 3840	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	101
PID 1608 wrote to memory of 3840	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	101
PID 1608 wrote to memory of 3840	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	101
PID 1608 wrote to memory of 3476	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	102
PID 1608 wrote to memory of 3476	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	102
PID 1608 wrote to memory of 3476	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	102
PID 1608 wrote to memory of 3432	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	103
PID 1608 wrote to memory of 3432	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	103
PID 1608 wrote to memory of 3432	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	103
PID 1608 wrote to memory of 652	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	104
PID 1608 wrote to memory of 652	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	104
PID 1608 wrote to memory of 652	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	104
PID 1608 wrote to memory of 2356	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	105
PID 1608 wrote to memory of 2356	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	105
PID 1608 wrote to memory of 2356	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	105
PID 1608 wrote to memory of 372	1608	JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe	106

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	mstwain32.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:3872
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:5032
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1468
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:560
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1376
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2540
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2452
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3636
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:6620
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:3476
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:6528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:3432
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:652
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:6908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:372
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:1920
- C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe
  "C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5080
- - C:\Windows\mstwain32.exe
    "C:\Windows\mstwain32.exe" \melt "C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe"
    3⤵
    - UAC bypass
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:5244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:5116
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:4000
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:7284
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:8376
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4792
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:3192
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:3936
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2612
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:6908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:2964
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:1480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:5376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5384
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5392
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:5400
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:8676
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:8276
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5408
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5428
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5436
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5452
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5476
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5484
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5492
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5500
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  PID:5508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5516
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  PID:5528
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:1920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5544
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:5556
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5564
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5572
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:8448
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:5580
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:8424
- C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe
  "C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe"
  2⤵
  - Executes dropped EXE
  PID:6208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:6220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  PID:6232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  PID:6240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6248
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:3640
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:2884
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6264
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6280
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:6288
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:6304
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:5208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6312
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  PID:6320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  PID:6328
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6336
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:6344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  PID:6352
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:6376
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:5464
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:6384
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:5436
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:6392
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:6400
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:6408
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:6692
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  PID:6700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  PID:6708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6716
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3796
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:8876
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  PID:6732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6748
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  PID:6756
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  PID:6764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  PID:6772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6780
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:5248
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  PID:6796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  PID:6804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6812
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  PID:6820
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6828
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:6844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6852
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:6860
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:4316
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:6868
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:5980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:6876
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6884
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:5600
- C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe
  "C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe"
  2⤵
  - Executes dropped EXE
  PID:7532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:7540
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4660
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  PID:7552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  PID:7560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:7568
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:7856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:5216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  PID:7576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  PID:7584
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:7600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:7608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:7624
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:7632
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:7640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:7648
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  PID:7656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  PID:7664
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:7672
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  PID:7680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7688
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:5260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7696
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:5692
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:7704
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:5976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:7712
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:5784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:7720
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:5268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe"
1⤵
- Modifies registry class
PID:544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe"
1⤵
- Modifies registry class
PID:5180

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe"
1⤵
- Modifies registry class
PID:5964

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe"
1⤵
- Modifies registry class
PID:6596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe"
1⤵
- Modifies registry class
PID:6060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_023a0256b1cbc2ec41c7b6e1193ad65f.exe"
1⤵
- Modifies registry class
PID:916

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 81b23c8a2e6f13389d51716dd78362c7 fW73BGVDgECQenzbkTXkyQ.0.1.0.0.0
1⤵
PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Meu Primeiro TROJAN.exe

Filesize
110KB

MD5
a4b88da80f58e93ed949f53b689768c2

SHA1
2c3380be790a5de08663f39105f57f7f39efe171

SHA256
a0e7c9603e704769a1200da2901d95d1e0b207b70bff66a3497be5da7981c5db

SHA512
5e068449ea180217e5af90408d4aa70609cbfc64b95b599f93e2f034c41ab2758b7b72f140614ec9a88f62910b2c12d3fdffde1289106d73127c8a153580ef8a

Download Submit
C:\Windows\cmsetac.dll

Filesize
32KB

MD5
9f43aa01bf23ddbc1233e0dd789fb3ff

SHA1
6d6505f41dcd0b7bb068c51578000a6b962854fa

SHA256
27287f50ac30186afe7b6b3bf3a0cc35889d7956cb9073cfab30fdad5378d610

SHA512
796c527da2a03bbb7ec067e2761777ead3b9d7e48095653850668a8aa20e332e5477072f00ee79d6c520cd293f6aa240f134d658dbc7e8d33e24a34a003920b9

Download Submit
C:\Windows\ntdtcstp.dll

Filesize
7KB

MD5
67587e25a971a141628d7f07bd40ffa0

SHA1
76fcd014539a3bb247cc0b761225f68bd6055f6b

SHA256
e6829866322d68d5c5b78e3d48dcec70a41cdc42c6f357a44fd329f74a8b4378

SHA512
6e6de7aa02c48f8b96b06e5f1160fbc5c95312320636e138cc997ef3362a61bc50ec03db1f06292eb964cd71915ddb2ec2eb741432c7da44215a4acbb576a350

Download Submit
memory/5080-22-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5080-11-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5080-35-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-51-0x0000000000A80000-0x0000000000A88000-memory.dmp

Filesize
32KB

Download
memory/5244-57-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-87-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-84-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-81-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-47-0x00000000028E0000-0x00000000028EE000-memory.dmp

Filesize
56KB

Download
memory/5244-53-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-52-0x00000000028E0000-0x00000000028EE000-memory.dmp

Filesize
56KB

Download
memory/5244-78-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-50-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-36-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-60-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-66-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-69-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-72-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5244-75-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6208-16-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6208-14-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/7532-21-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/7532-19-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads