ardamax | ca0b8184abbaeb7ee814b928f4a1210158026675ded5254b384b2f136fa27ab2

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-01-2025 05:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe
Size

1.8MB
MD5

32ec7f9022a3c68d4af1a459ed8871d7
SHA1

c6cd302f6a26495fd09b3896953b9597c9d661be
SHA256

ca0b8184abbaeb7ee814b928f4a1210158026675ded5254b384b2f136fa27ab2
SHA512

38cd84fae15b5af7aba12bc7c02d15e6bb080f80b74b6ea2f825c28ead468fb18fbc63bdd830a6c8083b353c36e4d894038b73fdce0ede29b6204ae0d3bd2b99
SSDEEP

49152:Y1CCgqip4B4bJF3ZdgNz+esUwHMFFfhMZLhq81:ppPX3+skJMe81

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023ca6-24.dat	family_ardamax

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	TibiaMC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	XLDC.exe

Executes dropped EXE 2 IoCs

pid	Process
3588	TibiaMC.exe
2716	XLDC.exe

Loads dropped DLL 5 IoCs

pid	Process
3588	TibiaMC.exe
2716	XLDC.exe
2716	XLDC.exe
2716	XLDC.exe
3204	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XLDC Agent = "C:\\Windows\\SysWOW64\\28463\\XLDC.exe"	XLDC.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\XLDC.007	TibiaMC.exe
File created	C:\Windows\SysWOW64\28463\XLDC.exe	TibiaMC.exe
File created	C:\Windows\SysWOW64\28463\key.bin	TibiaMC.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	TibiaMC.exe
File opened for modification	C:\Windows\SysWOW64\28463	XLDC.exe
File created	C:\Windows\SysWOW64\28463\XLDC.001	TibiaMC.exe
File created	C:\Windows\SysWOW64\28463\XLDC.006	TibiaMC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3204	2716	WerFault.exe	222

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	XLDC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TibiaMC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 30 IoCs

defense_evasion

pid	Process
2072	taskkill.exe
4984	taskkill.exe
3224	taskkill.exe
2788	taskkill.exe
112	taskkill.exe
3712	taskkill.exe
2060	taskkill.exe
3532	taskkill.exe
1700	taskkill.exe
4596	taskkill.exe
1004	taskkill.exe
3624	taskkill.exe
5012	taskkill.exe
2096	taskkill.exe
2968	taskkill.exe
4044	taskkill.exe
3560	taskkill.exe
1212	taskkill.exe
800	taskkill.exe
2232	taskkill.exe
3852	taskkill.exe
3080	taskkill.exe
856	taskkill.exe
3280	taskkill.exe
4680	taskkill.exe
4016	taskkill.exe
3208	taskkill.exe
2708	taskkill.exe
2112	taskkill.exe
3100	taskkill.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\Version\ = "1.0"	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\VersionIndependentProgID	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\VersionIndependentProgID\ = "WbemScripting.SWbemNamedValueSet"	XLDC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\Programmable	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\FLAGS\	XLDC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\ = "Vibovfogwi class"	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\InProcServer32\ = "%SystemRoot%\\SysWow64\\wbem\\wbemdisp.dll"	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\ = "krnlprov 1.0 Type Library"	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\Version\	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\0	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\0\win64	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\FLAGS	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\FLAGS\ = "0"	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\TypeLib	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\TypeLib\ = "{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}"	XLDC.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\ProgID\ = "WbemScripting.SWbemNamedValueSet.1"	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\Programmable\	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\InProcServer32	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\ProgID\	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\0\	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\InProcServer32\	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\Version	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\VersionIndependentProgID\	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\0\win64\	XLDC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\ProgID	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7BCC9AF7-412C-9F61-4F8B-7F2CE2D79220}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\wbem\\krnlprov.dll"	XLDC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C8F8916-D474-4D0C-7291-C211DF8476A6}\TypeLib\	XLDC.exe

Modifies registry key 1 TTPs 22 IoCs

Modify Registry

T1112

pid	Process
3400	reg.exe
3860	reg.exe
3136	reg.exe
5092	reg.exe
3252	reg.exe
5768	reg.exe
5828	reg.exe
732	reg.exe
5244	reg.exe
4068	reg.exe
2860	reg.exe
5788	reg.exe
1676	reg.exe
3428	reg.exe
4976	reg.exe
5760	reg.exe
3404	reg.exe
4236	reg.exe
2120	reg.exe
2512	reg.exe
3652	reg.exe
3100	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	1004	taskkill.exe
Token: SeDebugPrivilege	112	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	3852	taskkill.exe
Token: SeDebugPrivilege	3624	taskkill.exe
Token: SeDebugPrivilege	2232	taskkill.exe
Token: SeDebugPrivilege	4984	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	800	taskkill.exe
Token: SeDebugPrivilege	4680	taskkill.exe
Token: SeDebugPrivilege	3080	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	3532	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	3208	taskkill.exe
Token: SeDebugPrivilege	856	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	5012	taskkill.exe
Token: SeDebugPrivilege	2060	taskkill.exe
Token: SeDebugPrivilege	3280	taskkill.exe
Token: SeDebugPrivilege	3224	taskkill.exe
Token: SeDebugPrivilege	3560	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2968	taskkill.exe
Token: SeDebugPrivilege	4016	taskkill.exe
Token: SeDebugPrivilege	1700	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	4596	taskkill.exe
Token: 33	2716	XLDC.exe
Token: SeIncBasePriorityPrivilege	2716	XLDC.exe
Token: SeIncBasePriorityPrivilege	2716	XLDC.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe
2716	XLDC.exe
2716	XLDC.exe
2716	XLDC.exe
2716	XLDC.exe
2716	XLDC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 1004	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	83
PID 4588 wrote to memory of 1004	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	83
PID 4588 wrote to memory of 1004	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	83
PID 4588 wrote to memory of 2072	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	84
PID 4588 wrote to memory of 2072	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	84
PID 4588 wrote to memory of 2072	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	84
PID 4588 wrote to memory of 2336	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	85
PID 4588 wrote to memory of 2336	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	85
PID 4588 wrote to memory of 2336	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	85
PID 4588 wrote to memory of 3100	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	86
PID 4588 wrote to memory of 3100	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	86
PID 4588 wrote to memory of 3100	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	86
PID 4588 wrote to memory of 800	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	88
PID 4588 wrote to memory of 800	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	88
PID 4588 wrote to memory of 800	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	88
PID 4588 wrote to memory of 1212	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	89
PID 4588 wrote to memory of 1212	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	89
PID 4588 wrote to memory of 1212	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	89
PID 4588 wrote to memory of 2112	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	90
PID 4588 wrote to memory of 2112	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	90
PID 4588 wrote to memory of 2112	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	90
PID 4588 wrote to memory of 4984	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	91
PID 4588 wrote to memory of 4984	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	91
PID 4588 wrote to memory of 4984	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	91
PID 4588 wrote to memory of 4680	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	93
PID 4588 wrote to memory of 4680	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	93
PID 4588 wrote to memory of 4680	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	93
PID 4588 wrote to memory of 4536	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	94
PID 4588 wrote to memory of 4536	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	94
PID 4588 wrote to memory of 4536	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	94
PID 4588 wrote to memory of 2232	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	95
PID 4588 wrote to memory of 2232	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	95
PID 4588 wrote to memory of 2232	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	95
PID 4588 wrote to memory of 2096	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	96
PID 4588 wrote to memory of 2096	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	96
PID 4588 wrote to memory of 2096	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	96
PID 4588 wrote to memory of 3624	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	97
PID 4588 wrote to memory of 3624	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	97
PID 4588 wrote to memory of 3624	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	97
PID 4588 wrote to memory of 3852	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	98
PID 4588 wrote to memory of 3852	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	98
PID 4588 wrote to memory of 3852	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	98
PID 4588 wrote to memory of 3532	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	99
PID 4588 wrote to memory of 3532	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	99
PID 4588 wrote to memory of 3532	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	99
PID 4588 wrote to memory of 3080	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	100
PID 4588 wrote to memory of 3080	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	100
PID 4588 wrote to memory of 3080	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	100
PID 4588 wrote to memory of 112	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	101
PID 4588 wrote to memory of 112	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	101
PID 4588 wrote to memory of 112	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	101
PID 4588 wrote to memory of 116	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	102
PID 4588 wrote to memory of 116	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	102
PID 4588 wrote to memory of 116	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	102
PID 4588 wrote to memory of 232	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	103
PID 4588 wrote to memory of 232	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	103
PID 4588 wrote to memory of 232	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	103
PID 4588 wrote to memory of 2348	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	104
PID 4588 wrote to memory of 2348	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	104
PID 4588 wrote to memory of 2348	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	104
PID 4588 wrote to memory of 3496	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	105
PID 4588 wrote to memory of 3496	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	105
PID 4588 wrote to memory of 3496	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	105
PID 4588 wrote to memory of 2136	4588	JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe	106

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5776
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5808
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3100
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1212
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4536
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3080
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:116
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:232
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5760
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4976
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:5828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3136
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:1512
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:904
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4132
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3428
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3208
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5052
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:1016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3252
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2060
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4596
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:856
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3280
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:1360
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:316
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:2972
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:3860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:3504
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4236
- C:\Users\Admin\AppData\Local\Temp\TibiaMC.exe
  "C:\Users\Admin\AppData\Local\Temp\TibiaMC.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3588
- - C:\Windows\SysWOW64\28463\XLDC.exe
    "C:\Windows\system32\28463\XLDC.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2716
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 1072
      4⤵
      Loads dropped DLL
      Program crash
      PID:3204
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\XLDC.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1768
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3528
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe"
1⤵
- Modifies registry class
PID:4768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32ec7f9022a3c68d4af1a459ed8871d7.exe"
1⤵
- Modifies registry class
PID:2308

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2716 -ip 2716
1⤵
PID:4728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@975E.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\TibiaMC.exe

Filesize
846KB

MD5
c2cdf07db1c441aba0f0ad157f2454b3

SHA1
efff7b1dd48093384379354fff87caf263f36868

SHA256
01fe845de49a4046c94bd487eab2f7d5090ca6fddffb2a4a035d82f324f61342

SHA512
0a4b13283b5ab26a35726dbbefceb451bbeaf7e837150db23be7faf653a1f9bb7147ae40ac6f12b47e6b9081bd4c40a2421427d6fcfcd5f9382d5f643aba2cce

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Windows\SysWOW64\28463\XLDC.001

Filesize
472B

MD5
37cd27483837b40908219752334b6c65

SHA1
fcef130d25a862c9e6cbe28f0edb3a4f793d32ee

SHA256
fdda79cbf1148bbb29a1af89ca8ace5f63376dcaf857495697cdc039f08f6457

SHA512
22a7230ae6874a872d54bdefc87bea9952580c14726f453dd3309c32589d89e60ed3d45c217e0b4204c6e4d8794acbb938addf52158fa0a69d5edf7206260345

Download Submit
C:\Windows\SysWOW64\28463\XLDC.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\XLDC.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\XLDC.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/2716-31-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2716-42-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2716-45-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2716-49-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads