Overview

overview

10

Static

static

3

JaffaCakes...d7.exe

windows7-x64

10

JaffaCakes...d7.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    74s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    26-01-2025 05:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe

  • Size

    1.8MB

  • MD5

    32ec7f9022a3c68d4af1a459ed8871d7

  • SHA1

    c6cd302f6a26495fd09b3896953b9597c9d661be

  • SHA256

    ca0b8184abbaeb7ee814b928f4a1210158026675ded5254b384b2f136fa27ab2

  • SHA512

    38cd84fae15b5af7aba12bc7c02d15e6bb080f80b74b6ea2f825c28ead468fb18fbc63bdd830a6c8083b353c36e4d894038b73fdce0ede29b6204ae0d3bd2b99

  • SSDEEP

    49152:Y1CCgqip4B4bJF3ZdgNz+esUwHMFFfhMZLhq81:ppPX3+skJMe81

Score
10/10
ardamaxdefense_evasiondiscoverykeyloggerpersistencestealer

Malware Config

Signatures

  • Ardamax

    A keylogger first seen in 2013.

    keyloggerstealerardamax
  • Ardamax family
    ardamax
  • Ardamax main executable 1 IoCs
  • Disables RegEdit via registry modification 2 IoCs
    defense_evasion
  • Disables Task Manager via registry modification
    defense_evasion
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 30 IoCs
    defense_evasion
  • Modifies registry class 30 IoCs
  • Modifies registry key 1 TTPs 22 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 33 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im egui.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2896
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im ekrn.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2900
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c net stop "Panda anti-virus service"
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2928
      • C:\Windows\SysWOW64\net.exe
        net stop "Panda anti-virus service"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:384
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 stop "Panda anti-virus service"
          4⤵
            PID:2112
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im ApVxdWin.exe
        2⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2824
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im AVENGINE.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2788
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im pavsrv51.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3060
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im psimreal.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im PsImSvc.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2868
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im WebProxy.exe
        2⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
        2⤵
          PID:2684
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:948
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im mcagent.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2848
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im mcdash.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2660
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im mghtml.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2692
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im mcmnhdlr.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2784
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im mcvsshld.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1688
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im McVSEscn.exe
          2⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2704
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im mcvsftsn.exe
          2⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:612
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:784
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2244
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
          2⤵
          • System Location Discovery: System Language Discovery
          PID:1100
          • C:\Windows\SysWOW64\reg.exe
            reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
            3⤵
            • System Location Discovery: System Language Discovery
            • Modifies registry key
            PID:2408
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
          2⤵
            PID:1928
            • C:\Windows\SysWOW64\reg.exe
              reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
              3⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2492
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2212
            • C:\Windows\SysWOW64\reg.exe
              reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
              3⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2384
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
            2⤵
            • System Location Discovery: System Language Discovery
            PID:2200
            • C:\Windows\SysWOW64\reg.exe
              reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
              3⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2228
          • C:\Windows\SysWOW64\cmd.exe
            cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
            2⤵
              PID:1692
              • C:\Windows\SysWOW64\reg.exe
                reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
                3⤵
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:2524
            • C:\Windows\SysWOW64\cmd.exe
              cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
              2⤵
                PID:2580
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies registry key
                  PID:1488
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1204
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                  3⤵
                  • Disables RegEdit via registry modification
                  • System Location Discovery: System Language Discovery
                  • Modifies registry key
                  PID:1928
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2268
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                  3⤵
                  • Disables RegEdit via registry modification
                  • System Location Discovery: System Language Discovery
                  • Modifies registry key
                  PID:1728
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1724
                • C:\Windows\SysWOW64\reg.exe
                  reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Modifies registry key
                  PID:2676
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im egui.exe
                2⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:108
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im ekrn.exe
                2⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:568
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c net stop "Panda anti-virus service"
                2⤵
                • System Location Discovery: System Language Discovery
                PID:1436
                • C:\Windows\SysWOW64\net.exe
                  net stop "Panda anti-virus service"
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:2620
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 stop "Panda anti-virus service"
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:1812
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im ApVxdWin.exe
                2⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1536
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im AVENGINE.exe
                2⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:1924
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im pavsrv51.exe
                2⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:3052
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im psimreal.exe
                2⤵
                • System Location Discovery: System Language Discovery
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2632
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im PsImSvc.exe
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2160
              • C:\Windows\SysWOW64\taskkill.exe
                taskkill /f /im WebProxy.exe
                2⤵
                • Kills process with taskkill
                • Suspicious use of AdjustPrivilegeToken
                PID:2808
              • C:\Windows\SysWOW64\cmd.exe
                cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
                2⤵
                  PID:1604
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies registry key
                    PID:3116
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im mcagent.exe
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2892
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im mcdash.exe
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1988
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im mghtml.exe
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2384
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im mcmnhdlr.exe
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2212
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im mcvsshld.exe
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3028
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im McVSEscn.exe
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2176
                • C:\Windows\SysWOW64\taskkill.exe
                  taskkill /f /im mcvsftsn.exe
                  2⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2200
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1432
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
                    3⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies registry key
                    PID:3404
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
                  2⤵
                  • System Location Discovery: System Language Discovery
                  PID:1508
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
                    3⤵
                    • Modifies registry key
                    PID:3396
                • C:\Windows\SysWOW64\cmd.exe
                  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
                  2⤵
                    PID:3124
                    • C:\Windows\SysWOW64\reg.exe
                      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
                      3⤵
                      • Modifies registry key
                      PID:3632
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3416
                    • C:\Windows\SysWOW64\reg.exe
                      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
                      3⤵
                      • System Location Discovery: System Language Discovery
                      • Modifies registry key
                      PID:3596
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3424
                    • C:\Windows\SysWOW64\reg.exe
                      reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
                      3⤵
                      • Modifies registry key
                      PID:3620
                  • C:\Users\Admin\AppData\Local\Temp\TibiaMC.exe
                    "C:\Users\Admin\AppData\Local\Temp\TibiaMC.exe"
                    2⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    • Drops file in System32 directory
                    • System Location Discovery: System Language Discovery
                    PID:3480
                    • C:\Windows\SysWOW64\28463\XLDC.exe
                      "C:\Windows\system32\28463\XLDC.exe"
                      3⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Adds Run key to start application
                      • Drops file in System32 directory
                      • System Location Discovery: System Language Discovery
                      • Modifies registry class
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of SetWindowsHookEx
                      PID:3900
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\XLDC.exe > nul
                        4⤵
                        • System Location Discovery: System Language Discovery
                        PID:3612
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
                    2⤵
                    • System Location Discovery: System Language Discovery
                    PID:3512
                    • C:\Windows\SysWOW64\reg.exe
                      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
                      3⤵
                      • Modifies registry key
                      PID:3724
                  • C:\Windows\SysWOW64\cmd.exe
                    cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
                    2⤵
                      PID:3528
                      • C:\Windows\SysWOW64\reg.exe
                        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
                        3⤵
                        • System Location Discovery: System Language Discovery
                        • Modifies registry key
                        PID:3696
                    • C:\Windows\SysWOW64\cmd.exe
                      cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                      2⤵
                        PID:3544
                        • C:\Windows\SysWOW64\reg.exe
                          reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                          3⤵
                          • System Location Discovery: System Language Discovery
                          • Modifies registry key
                          PID:3708
                      • C:\Windows\SysWOW64\cmd.exe
                        cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                        2⤵
                          PID:3552
                          • C:\Windows\SysWOW64\reg.exe
                            reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
                            3⤵
                            • Modifies registry key
                            PID:3716
                        • C:\Windows\SysWOW64\cmd.exe
                          cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:3560
                          • C:\Windows\SysWOW64\reg.exe
                            reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Modifies registry key
                            PID:3680

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Windows\SysWOW64\28463\AKV.exe
                        Filesize

                        457KB

                        MD5

                        46ccfd974518e5849738449034a05a17

                        SHA1

                        d391108816aed7ba8f7beb205ad7171c74eae6b2

                        SHA256

                        571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

                        SHA512

                        773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

                        Download Submit

                      • C:\Windows\SysWOW64\28463\XLDC.001
                        Filesize

                        472B

                        MD5

                        37cd27483837b40908219752334b6c65

                        SHA1

                        fcef130d25a862c9e6cbe28f0edb3a4f793d32ee

                        SHA256

                        fdda79cbf1148bbb29a1af89ca8ace5f63376dcaf857495697cdc039f08f6457

                        SHA512

                        22a7230ae6874a872d54bdefc87bea9952580c14726f453dd3309c32589d89e60ed3d45c217e0b4204c6e4d8794acbb938addf52158fa0a69d5edf7206260345

                        Download Submit

                      • C:\Windows\SysWOW64\28463\XLDC.006
                        Filesize

                        8KB

                        MD5

                        395bbef326fa5ad1216b23f5debf167b

                        SHA1

                        aa4a7334b5a693b3f0d6f47b568e0d13a593d782

                        SHA256

                        7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

                        SHA512

                        dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

                        Download Submit

                      • C:\Windows\SysWOW64\28463\XLDC.007
                        Filesize

                        5KB

                        MD5

                        1b5e72f0ebd49cf146f9ae68d792ffe5

                        SHA1

                        1e90a69c12b9a849fbbac0670296b07331c1cf87

                        SHA256

                        8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

                        SHA512

                        6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

                        Download Submit

                      • C:\Windows\SysWOW64\28463\key.bin
                        Filesize

                        106B

                        MD5

                        639d75ab6799987dff4f0cf79fa70c76

                        SHA1

                        be2678476d07f78bb81e8813c9ee2bfff7cc7efb

                        SHA256

                        fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

                        SHA512

                        4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

                        Download Submit

                      • \Users\Admin\AppData\Local\Temp\@671C.tmp
                        Filesize

                        4KB

                        MD5

                        4b8ed89120fe8ddc31ddba07bc15372b

                        SHA1

                        181e7ac3d444656f50c1cd02a6832708253428e6

                        SHA256

                        2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

                        SHA512

                        49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

                        Download Submit

                      • \Users\Admin\AppData\Local\Temp\TibiaMC.exe
                        Filesize

                        846KB

                        MD5

                        c2cdf07db1c441aba0f0ad157f2454b3

                        SHA1

                        efff7b1dd48093384379354fff87caf263f36868

                        SHA256

                        01fe845de49a4046c94bd487eab2f7d5090ca6fddffb2a4a035d82f324f61342

                        SHA512

                        0a4b13283b5ab26a35726dbbefceb451bbeaf7e837150db23be7faf653a1f9bb7147ae40ac6f12b47e6b9081bd4c40a2421427d6fcfcd5f9382d5f643aba2cce

                        Download Submit

                      • \Windows\SysWOW64\28463\XLDC.exe
                        Filesize

                        649KB

                        MD5

                        2bff0c75a04401dada0adfab933e46a7

                        SHA1

                        364d97f90b137f8e359d998164fb15d474be7bbb

                        SHA256

                        2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

                        SHA512

                        88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

                        Download Submit

                      • memory/3480-24-0x0000000003040000-0x000000000311F000-memory.dmp

                        Filesize

                        892KB

                        Download

                      • memory/3900-28-0x0000000000400000-0x00000000004DF000-memory.dmp

                        Filesize

                        892KB

                        Download

                      • memory/3900-40-0x0000000000400000-0x00000000004DF000-memory.dmp

                        Filesize

                        892KB

                        Download

                      • memory/3900-43-0x0000000000400000-0x00000000004DF000-memory.dmp

                        Filesize

                        892KB

                        Download

                      • memory/3900-46-0x0000000000400000-0x00000000004DF000-memory.dmp

                        Filesize

                        892KB

                        Download