ardamax | 8d3f45c8b1e97d0c86d2ed90b720f188c15a937bb4c0a04a6747e0729848dc6e

Analysis

max time kernel
143s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/03/2025, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
Size

1.1MB
MD5

7884bfb95320b8e48d136f0aa8e4c699
SHA1

d52757e762518f23602a2577feb4a698c0d8204d
SHA256

8d3f45c8b1e97d0c86d2ed90b720f188c15a937bb4c0a04a6747e0729848dc6e
SHA512

f9a03ac16e614847c8c5fd153310bf718f3e2238cff349c00175ea0f6ffd54dc5aef700080a1258d59c067790fb0c9a99358f8edef64fa298f029197b770ed8f
SSDEEP

24576:xqVeTpv90PZ76+pTQXZz3DQi8GJv6qRCsTh6rr9vX+RUThHf8DML:UVOpv47TODxHRCA8IGh/8YL

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019489-24.dat	family_ardamax

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Executes dropped EXE 2 IoCs

pid	Process
2968	teste.exe
3008	PNEX.exe

Loads dropped DLL 8 IoCs

pid	Process
1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
2968	teste.exe
2968	teste.exe
3008	PNEX.exe
3008	PNEX.exe
3040	DllHost.exe
3040	DllHost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PNEX Agent = "C:\\Windows\\SysWOW64\\28463\\PNEX.exe"	PNEX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\PNEX.001	teste.exe
File created	C:\Windows\SysWOW64\28463\PNEX.006	teste.exe
File created	C:\Windows\SysWOW64\28463\PNEX.007	teste.exe
File created	C:\Windows\SysWOW64\28463\PNEX.exe	teste.exe
File created	C:\Windows\SysWOW64\28463\key.bin	teste.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	teste.exe
File opened for modification	C:\Windows\SysWOW64\28463	PNEX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 30 IoCs

defense_evasion

pid	Process
1040	taskkill.exe
2940	taskkill.exe
2780	taskkill.exe
944	taskkill.exe
1608	taskkill.exe
2860	taskkill.exe
2284	taskkill.exe
1640	taskkill.exe
1524	taskkill.exe
1684	taskkill.exe
1600	taskkill.exe
276	taskkill.exe
3036	taskkill.exe
2532	taskkill.exe
1472	taskkill.exe
2840	taskkill.exe
2576	taskkill.exe
2248	taskkill.exe
2384	taskkill.exe
2256	taskkill.exe
2508	taskkill.exe
2292	taskkill.exe
2304	taskkill.exe
2548	taskkill.exe
2740	taskkill.exe
2888	taskkill.exe
1656	taskkill.exe
2264	taskkill.exe
2028	taskkill.exe
1508	taskkill.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\ = "Apigig"	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\InprocServer32	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\ProgID\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\Programmable	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\HELPDIR\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\ProgID	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\117"	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\HELPDIR	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\TypeLib	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\InprocServer32\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\FLAGS	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\FLAGS\ = "0"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\Programmable\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\0	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\FLAGS\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\VersionIndependentProgID\ = "MOFL.Factoid"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\InprocServer32\ = "C:\\PROGRA~2\\COMMON~1\\MICROS~1\\SMARTT~1\\MOFL.DLL"	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\0\win32	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\0\win32\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\VersionIndependentProgID	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\ = "Groove Audio Services Alpha Type Library"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}\1.0\0\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\TypeLib\ = "{26D6A1B1-3245-99BE-3AF6-C82E0669FFFC}"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\VersionIndependentProgID\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\ProgID\ = "MOFL.Factoid.2"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B5CC0189-0FEA-4C0C-6FA9-A737927B83DA}\TypeLib\	PNEX.exe

Modifies registry key 1 TTPs 22 IoCs

Modify Registry

T1112

pid	Process
1980	reg.exe
520	reg.exe
1020	reg.exe
2608	reg.exe
1940	reg.exe
560	reg.exe
2904	reg.exe
2432	reg.exe
2156	reg.exe
1016	reg.exe
236	reg.exe
1924	reg.exe
2800	reg.exe
264	reg.exe
2920	reg.exe
2256	reg.exe
2784	reg.exe
2912	reg.exe
1628	reg.exe
2868	reg.exe
1116	reg.exe
3000	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	2384	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	2860	taskkill.exe
Token: SeDebugPrivilege	2740	taskkill.exe
Token: SeDebugPrivilege	1040	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	2840	taskkill.exe
Token: SeDebugPrivilege	3036	taskkill.exe
Token: SeDebugPrivilege	2508	taskkill.exe
Token: SeDebugPrivilege	2548	taskkill.exe
Token: SeDebugPrivilege	2284	taskkill.exe
Token: SeDebugPrivilege	1508	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	2304	taskkill.exe
Token: SeDebugPrivilege	2248	taskkill.exe
Token: SeDebugPrivilege	1600	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	1524	taskkill.exe
Token: SeDebugPrivilege	1608	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	2532	taskkill.exe
Token: SeDebugPrivilege	1640	taskkill.exe
Token: SeDebugPrivilege	2292	taskkill.exe
Token: SeDebugPrivilege	2264	taskkill.exe
Token: SeDebugPrivilege	1656	taskkill.exe
Token: 33	3008	PNEX.exe
Token: SeIncBasePriorityPrivilege	3008	PNEX.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3040	DllHost.exe
3040	DllHost.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
3008	PNEX.exe
3008	PNEX.exe
3008	PNEX.exe
3008	PNEX.exe
3008	PNEX.exe
3040	DllHost.exe
3040	DllHost.exe
3040	DllHost.exe
3040	DllHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 2384	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	29
PID 1048 wrote to memory of 2384	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	29
PID 1048 wrote to memory of 2384	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	29
PID 1048 wrote to memory of 2384	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	29
PID 1048 wrote to memory of 2028	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	30
PID 1048 wrote to memory of 2028	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	30
PID 1048 wrote to memory of 2028	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	30
PID 1048 wrote to memory of 2028	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	30
PID 1048 wrote to memory of 2052	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	32
PID 1048 wrote to memory of 2052	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	32
PID 1048 wrote to memory of 2052	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	32
PID 1048 wrote to memory of 2052	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	32
PID 1048 wrote to memory of 2256	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	33
PID 1048 wrote to memory of 2256	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	33
PID 1048 wrote to memory of 2256	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	33
PID 1048 wrote to memory of 2256	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	33
PID 1048 wrote to memory of 1040	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	36
PID 1048 wrote to memory of 1040	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	36
PID 1048 wrote to memory of 1040	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	36
PID 1048 wrote to memory of 1040	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	36
PID 1048 wrote to memory of 2940	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	37
PID 1048 wrote to memory of 2940	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	37
PID 1048 wrote to memory of 2940	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	37
PID 1048 wrote to memory of 2940	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	37
PID 1048 wrote to memory of 2548	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	38
PID 1048 wrote to memory of 2548	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	38
PID 1048 wrote to memory of 2548	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	38
PID 1048 wrote to memory of 2548	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	38
PID 1048 wrote to memory of 276	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	39
PID 1048 wrote to memory of 276	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	39
PID 1048 wrote to memory of 276	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	39
PID 1048 wrote to memory of 276	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	39
PID 1048 wrote to memory of 1684	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	41
PID 1048 wrote to memory of 1684	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	41
PID 1048 wrote to memory of 1684	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	41
PID 1048 wrote to memory of 1684	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	41
PID 1048 wrote to memory of 2468	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	43
PID 1048 wrote to memory of 2468	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	43
PID 1048 wrote to memory of 2468	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	43
PID 1048 wrote to memory of 2468	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	43
PID 1048 wrote to memory of 2508	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	44
PID 1048 wrote to memory of 2508	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	44
PID 1048 wrote to memory of 2508	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	44
PID 1048 wrote to memory of 2508	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	44
PID 1048 wrote to memory of 2780	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	47
PID 1048 wrote to memory of 2780	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	47
PID 1048 wrote to memory of 2780	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	47
PID 1048 wrote to memory of 2780	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	47
PID 1048 wrote to memory of 2860	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	48
PID 1048 wrote to memory of 2860	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	48
PID 1048 wrote to memory of 2860	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	48
PID 1048 wrote to memory of 2860	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	48
PID 1048 wrote to memory of 2888	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	50
PID 1048 wrote to memory of 2888	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	50
PID 1048 wrote to memory of 2888	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	50
PID 1048 wrote to memory of 2888	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	50
PID 1048 wrote to memory of 3036	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	51
PID 1048 wrote to memory of 3036	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	51
PID 1048 wrote to memory of 3036	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	51
PID 1048 wrote to memory of 3036	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	51
PID 1048 wrote to memory of 2740	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	54
PID 1048 wrote to memory of 2740	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	54
PID 1048 wrote to memory of 2740	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	54
PID 1048 wrote to memory of 2740	1048	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	54

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2384
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2028
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:1356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1040
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3036
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2740
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:2640
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2460
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:2828
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3060
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1960
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1052
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2292
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:784
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:936
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:944
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2304
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1524
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1508
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2248
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2264
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1608
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:3012
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1680
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1460
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1628
- C:\Users\Admin\AppData\Local\Temp\teste.exe
  "C:\Users\Admin\AppData\Local\Temp\teste.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2968
- - C:\Windows\SysWOW64\28463\PNEX.exe
    "C:\Windows\system32\28463\PNEX.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2452
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:1952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2156
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2256

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1500583615126916611847069367-1738437823-682943277-198202084092190600410820627"
1⤵
PID:1016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1396921763327737161-4895013821402410200-2144187771-836271843741988882793384258"
1⤵
PID:2868

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-9534328001969099412551606143810015092-656048418-15984178111201112839-571034516"
1⤵
PID:1116

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-258250575-901728066-1206936585455603864-1742615824627129846-6302052-216791050"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "14741408302064332045-2134341122-2027345966-212802769-342923227452998086-114683115"
1⤵
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fail6.jpg

Filesize
31KB

MD5
c195d8fcbc175a81b927f2353fa7a802

SHA1
7149e597d30985a7a890d88d693d1b7fa9f926af

SHA256
e5b93cfff27bd48d2960c6e26d94a11c01a4da43c1bb0dd6297b949b2d9a3778

SHA512
6e176c0ce30f414ebb48fb29c6225cd4350c708da39888cf10f13f6db0d29d1b7668cf16266a7d0519ecb2255a85aaa4e75a1269550131e66282c82b69db321e

Download Submit
C:\Users\Admin\AppData\Local\Temp\motorcycle_fail-12827.png

Filesize
249KB

MD5
9097729a85577571d4c632f0e65ab43b

SHA1
95a44835af0c196591b1877c157880ded89d4bbc

SHA256
0e9703326c986350c9f7db28dbc9afdab495896f0aa8996b511dc99dc6efc458

SHA512
5d43c55ca1b63319c4709c490b8c2d82411b4406cd41fb2c9ba42e7672be7940fee1dd9c356cb7789e5e49df90ac462111809981f96ed592ad725eadcf663a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.exe

Filesize
830KB

MD5
fe9bc0d4a980cbce809708e0a3b2418e

SHA1
bddcdd2ac694c2d380d98429e4be42dd9809c33a

SHA256
79d604a018a4a9d20e014df2f9d43f34027e639e3c0b70f85420e813ff9af00a

SHA512
51588241282448cb1f7415c8bdf8da751d0c21509d612d2fd5470252fc17702d69003e0a02ab0170393166732f6ce7346da8da6a3fb9ba87676160c697d31464

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
f34b87951e1a931e01df1bc9f1b98207

SHA1
f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1

SHA256
e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b

SHA512
c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

Download Submit
C:\Windows\SysWOW64\28463\PNEX.001

Filesize
458B

MD5
5035c9d296ff25bd8f2c7cb34a80de59

SHA1
dfda34675bc86696d2750c89f660f957a0f474c7

SHA256
b4d4894165ada209f5b735fb939db3e41add47520d82943f826ab02e5abf27ac

SHA512
b4dc542e70c588df38e58a62589e4dbd538675b46179be44c4d026b1095c8c7465985024f15f7514283da89e4636842b17f966413a4e00bf7fa8e47744026e7a

Download Submit
C:\Windows\SysWOW64\28463\PNEX.006

Filesize
8KB

MD5
98d22fb2035a26a6b9b7decc0c0ff2fa

SHA1
43a75cf59fc2f8b59b1d962b4e685249eef816d5

SHA256
fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25

SHA512
3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

Download Submit
C:\Windows\SysWOW64\28463\PNEX.007

Filesize
5KB

MD5
15eb312db4b3e208b67082653acb8a02

SHA1
b0926b1e1733baa3d7f18d3806916f92704fccff

SHA256
72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8

SHA512
7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@CB89.tmp

Filesize
4KB

MD5
36400e746829504282eb26b364826aa9

SHA1
d39ea9da98be0c331fd71002645f4f40664288a2

SHA256
c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0

SHA512
5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

Download Submit
\Windows\SysWOW64\28463\PNEX.exe

Filesize
651KB

MD5
b181beaba4204ac3ce7bc8e6f0b74312

SHA1
4ab13763d2ecdf0968f15a39302aab2b1f0ab462

SHA256
f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d

SHA512
d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

Download Submit
memory/1048-3-0x0000000000720000-0x0000000000722000-memory.dmp

Filesize
8KB

Download
memory/2968-34-0x0000000000520000-0x0000000000522000-memory.dmp

Filesize
8KB

Download
memory/2968-31-0x0000000002540000-0x0000000002620000-memory.dmp

Filesize
896KB

Download
memory/3008-32-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3008-48-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3008-52-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/3040-4-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads