ardamax | 8d3f45c8b1e97d0c86d2ed90b720f188c15a937bb4c0a04a6747e0729848dc6e

Analysis

max time kernel
142s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
Size

1.1MB
MD5

7884bfb95320b8e48d136f0aa8e4c699
SHA1

d52757e762518f23602a2577feb4a698c0d8204d
SHA256

8d3f45c8b1e97d0c86d2ed90b720f188c15a937bb4c0a04a6747e0729848dc6e
SHA512

f9a03ac16e614847c8c5fd153310bf718f3e2238cff349c00175ea0f6ffd54dc5aef700080a1258d59c067790fb0c9a99358f8edef64fa298f029197b770ed8f
SSDEEP

24576:xqVeTpv90PZ76+pTQXZz3DQi8GJv6qRCsTh6rr9vX+RUThHf8DML:UVOpv47TODxHRCA8IGh/8YL

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024245-23.dat	family_ardamax

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	teste.exe

Executes dropped EXE 2 IoCs

pid	Process
2312	teste.exe
5796	PNEX.exe

Loads dropped DLL 4 IoCs

pid	Process
2312	teste.exe
5796	PNEX.exe
5796	PNEX.exe
5796	PNEX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PNEX Agent = "C:\\Windows\\SysWOW64\\28463\\PNEX.exe"	PNEX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\PNEX.007	teste.exe
File created	C:\Windows\SysWOW64\28463\PNEX.exe	teste.exe
File created	C:\Windows\SysWOW64\28463\key.bin	teste.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	teste.exe
File opened for modification	C:\Windows\SysWOW64\28463	PNEX.exe
File created	C:\Windows\SysWOW64\28463\PNEX.001	teste.exe
File created	C:\Windows\SysWOW64\28463\PNEX.006	teste.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	teste.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PNEX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 30 IoCs

defense_evasion

pid	Process
1564	taskkill.exe
2440	taskkill.exe
3452	taskkill.exe
5088	taskkill.exe
3952	taskkill.exe
2556	taskkill.exe
4356	taskkill.exe
5684	taskkill.exe
5788	taskkill.exe
3440	taskkill.exe
5620	taskkill.exe
4948	taskkill.exe
1504	taskkill.exe
5076	taskkill.exe
1284	taskkill.exe
1480	taskkill.exe
528	taskkill.exe
5028	taskkill.exe
5680	taskkill.exe
3460	taskkill.exe
4500	taskkill.exe
4928	taskkill.exe
1168	taskkill.exe
2336	taskkill.exe
5060	taskkill.exe
5112	taskkill.exe
5424	taskkill.exe
4516	taskkill.exe
2796	taskkill.exe
5104	taskkill.exe

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\ = "SPP WMI Provider 1.0 Type Library"	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\0\win32	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\FLAGS	PNEX.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\ProgID\ = "Microsoft.Update.AutoUpdate.1"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\0\win32\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\HELPDIR\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\ = "Ewiromof Oriqe class"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\Programmable\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\TypeLib\ = "{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}"	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\Version	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\VersionIndependentProgID\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\0\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\HELPDIR	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\VersionIndependentProgID\ = "Microsoft.Update.AutoUpdate"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\FLAGS\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\InProcServer32\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\ProgID	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\0	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\Version\ = "2.0"	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\InProcServer32	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\InProcServer32\ = "C:\\Windows\\SysWOW64\\usoapi.dll"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\sppwmi.dll"	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\VersionIndependentProgID	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\HELPDIR\ = "%SystemRoot%\\System32"	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\Version\	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0C7DEEF-E218-02BC-E7FC-24ED897BD3A2}\1.0\FLAGS\ = "0"	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\TypeLib	PNEX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\TypeLib\	PNEX.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\ProgID\	PNEX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E99DB36-A97F-451A-FCA4-06F633EAB636}\Programmable	PNEX.exe

Modifies registry key 1 TTPs 22 IoCs

Modify Registry

T1112

pid	Process
5068	reg.exe
6104	reg.exe
3484	reg.exe
4988	reg.exe
5840	reg.exe
368	reg.exe
4064	reg.exe
1416	reg.exe
1628	reg.exe
2380	reg.exe
4820	reg.exe
4104	reg.exe
5396	reg.exe
4800	reg.exe
5276	reg.exe
2892	reg.exe
5708	reg.exe
5804	reg.exe
3140	reg.exe
5908	reg.exe
3276	reg.exe
392	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	5620	taskkill.exe
Token: SeDebugPrivilege	5684	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeDebugPrivilege	3952	taskkill.exe
Token: SeDebugPrivilege	5680	taskkill.exe
Token: SeDebugPrivilege	5788	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	1480	taskkill.exe
Token: SeDebugPrivilege	1284	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2796	taskkill.exe
Token: SeDebugPrivilege	4516	taskkill.exe
Token: SeDebugPrivilege	528	taskkill.exe
Token: SeDebugPrivilege	4928	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeDebugPrivilege	3440	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	3452	taskkill.exe
Token: SeDebugPrivilege	5424	taskkill.exe
Token: SeDebugPrivilege	2336	taskkill.exe
Token: SeDebugPrivilege	5112	taskkill.exe
Token: SeDebugPrivilege	2556	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	5076	taskkill.exe
Token: SeDebugPrivilege	5088	taskkill.exe
Token: SeDebugPrivilege	5104	taskkill.exe
Token: 33	5796	PNEX.exe
Token: SeIncBasePriorityPrivilege	5796	PNEX.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
5796	PNEX.exe
5796	PNEX.exe
5796	PNEX.exe
5796	PNEX.exe
5796	PNEX.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 5680	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	87
PID 4612 wrote to memory of 5680	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	87
PID 4612 wrote to memory of 5680	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	87
PID 4612 wrote to memory of 5620	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	88
PID 4612 wrote to memory of 5620	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	88
PID 4612 wrote to memory of 5620	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	88
PID 4612 wrote to memory of 5756	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	89
PID 4612 wrote to memory of 5756	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	89
PID 4612 wrote to memory of 5756	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	89
PID 4612 wrote to memory of 5684	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	91
PID 4612 wrote to memory of 5684	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	91
PID 4612 wrote to memory of 5684	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	91
PID 4612 wrote to memory of 2440	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	92
PID 4612 wrote to memory of 2440	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	92
PID 4612 wrote to memory of 2440	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	92
PID 4612 wrote to memory of 2796	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	94
PID 4612 wrote to memory of 2796	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	94
PID 4612 wrote to memory of 2796	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	94
PID 4612 wrote to memory of 528	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	95
PID 4612 wrote to memory of 528	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	95
PID 4612 wrote to memory of 528	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	95
PID 4612 wrote to memory of 4500	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	96
PID 4612 wrote to memory of 4500	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	96
PID 4612 wrote to memory of 4500	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	96
PID 4612 wrote to memory of 4516	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	97
PID 4612 wrote to memory of 4516	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	97
PID 4612 wrote to memory of 4516	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	97
PID 4612 wrote to memory of 1816	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	98
PID 4612 wrote to memory of 1816	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	98
PID 4612 wrote to memory of 1816	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	98
PID 4612 wrote to memory of 1564	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	99
PID 4612 wrote to memory of 1564	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	99
PID 4612 wrote to memory of 1564	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	99
PID 4612 wrote to memory of 5788	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	100
PID 4612 wrote to memory of 5788	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	100
PID 4612 wrote to memory of 5788	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	100
PID 4612 wrote to memory of 1480	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	101
PID 4612 wrote to memory of 1480	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	101
PID 4612 wrote to memory of 1480	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	101
PID 4612 wrote to memory of 3952	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	102
PID 4612 wrote to memory of 3952	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	102
PID 4612 wrote to memory of 3952	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	102
PID 4612 wrote to memory of 3460	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	104
PID 4612 wrote to memory of 3460	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	104
PID 4612 wrote to memory of 3460	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	104
PID 4612 wrote to memory of 1168	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	105
PID 4612 wrote to memory of 1168	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	105
PID 4612 wrote to memory of 1168	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	105
PID 4612 wrote to memory of 1284	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	106
PID 4612 wrote to memory of 1284	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	106
PID 4612 wrote to memory of 1284	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	106
PID 4612 wrote to memory of 1544	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	107
PID 4612 wrote to memory of 1544	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	107
PID 4612 wrote to memory of 1544	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	107
PID 4612 wrote to memory of 5296	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	108
PID 4612 wrote to memory of 5296	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	108
PID 4612 wrote to memory of 5296	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	108
PID 4612 wrote to memory of 1736	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	109
PID 4612 wrote to memory of 1736	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	109
PID 4612 wrote to memory of 1736	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	109
PID 4612 wrote to memory of 5612	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	110
PID 4612 wrote to memory of 5612	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	110
PID 4612 wrote to memory of 5612	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	110
PID 4612 wrote to memory of 3284	4612	JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe	111

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:5756
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5324
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:1816
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5708
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5296
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1736
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5612
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5804
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3284
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1628
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6020
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:6104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1040
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:1044
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5448
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:392
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5108
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:5788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5112
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1504
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3864
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:368
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3452
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5104
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3440
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4960
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:5368
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6036
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:3612
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5840
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2408
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2380
- C:\Users\Admin\AppData\Local\Temp\teste.exe
  "C:\Users\Admin\AppData\Local\Temp\teste.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2312
- - C:\Windows\SysWOW64\28463\PNEX.exe
    "C:\Windows\system32\28463\PNEX.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5796
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5564
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2248
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3388
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2448
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3484

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe"
1⤵
- Modifies registry class
PID:1072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7884bfb95320b8e48d136f0aa8e4c699.exe"
1⤵
- Modifies registry class
PID:3396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@51C9.tmp

Filesize
4KB

MD5
36400e746829504282eb26b364826aa9

SHA1
d39ea9da98be0c331fd71002645f4f40664288a2

SHA256
c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0

SHA512
5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

Download Submit
C:\Users\Admin\AppData\Local\Temp\teste.exe

Filesize
830KB

MD5
fe9bc0d4a980cbce809708e0a3b2418e

SHA1
bddcdd2ac694c2d380d98429e4be42dd9809c33a

SHA256
79d604a018a4a9d20e014df2f9d43f34027e639e3c0b70f85420e813ff9af00a

SHA512
51588241282448cb1f7415c8bdf8da751d0c21509d612d2fd5470252fc17702d69003e0a02ab0170393166732f6ce7346da8da6a3fb9ba87676160c697d31464

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
f34b87951e1a931e01df1bc9f1b98207

SHA1
f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1

SHA256
e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b

SHA512
c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

Download Submit
C:\Windows\SysWOW64\28463\PNEX.001

Filesize
458B

MD5
5035c9d296ff25bd8f2c7cb34a80de59

SHA1
dfda34675bc86696d2750c89f660f957a0f474c7

SHA256
b4d4894165ada209f5b735fb939db3e41add47520d82943f826ab02e5abf27ac

SHA512
b4dc542e70c588df38e58a62589e4dbd538675b46179be44c4d026b1095c8c7465985024f15f7514283da89e4636842b17f966413a4e00bf7fa8e47744026e7a

Download Submit
C:\Windows\SysWOW64\28463\PNEX.006

Filesize
8KB

MD5
98d22fb2035a26a6b9b7decc0c0ff2fa

SHA1
43a75cf59fc2f8b59b1d962b4e685249eef816d5

SHA256
fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25

SHA512
3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

Download Submit
C:\Windows\SysWOW64\28463\PNEX.007

Filesize
5KB

MD5
15eb312db4b3e208b67082653acb8a02

SHA1
b0926b1e1733baa3d7f18d3806916f92704fccff

SHA256
72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8

SHA512
7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

Download Submit
C:\Windows\SysWOW64\28463\PNEX.exe

Filesize
651KB

MD5
b181beaba4204ac3ce7bc8e6f0b74312

SHA1
4ab13763d2ecdf0968f15a39302aab2b1f0ab462

SHA256
f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d

SHA512
d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/5796-30-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/5796-41-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/5796-45-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads