ardamax | ef90f55d789dc83abda7fad3e66cd87a0069fe0439ed31b0611db5e30a3d66b5

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
Size

2.5MB
MD5

0f5f2e640ed8bfb8d23cdc99a1d1b586
SHA1

a08db0712aa28c3c7f9e80270acb568ec77e14a7
SHA256

ef90f55d789dc83abda7fad3e66cd87a0069fe0439ed31b0611db5e30a3d66b5
SHA512

717aa5248f21ad8c5a30dc74a1ae28b177e31ddacb329766457f70c2fc3fa045450513df7bf6685cab34d6c56c96c919dfcfb5282ae0bde6aa499c295ca7a59b
SSDEEP

49152:F5Geq1NlCqtFuVZwOMCODC5Geq1NlCqtFuVZwOMCODz:6eq1ptFUZkDD5eq1ptFUZkDDz

Score

10^/10

ardamax discovery evasion keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000019284-28.dat	family_ardamax

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Executes dropped EXE 6 IoCs

pid	Process
2600	SpeeD Hack.exe
1044	SAKE.exe
2380	HastyMu.exe
2992	SpeeD Hack.exe
4512	SAKE.exe
4900	HastyMu.exe

Loads dropped DLL 20 IoCs

pid	Process
2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
2600	SpeeD Hack.exe
2600	SpeeD Hack.exe
2600	SpeeD Hack.exe
2600	SpeeD Hack.exe
1044	SAKE.exe
1044	SAKE.exe
2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
2992	SpeeD Hack.exe
2992	SpeeD Hack.exe
2992	SpeeD Hack.exe
2992	SpeeD Hack.exe
2380	HastyMu.exe
4512	SAKE.exe
4512	SAKE.exe
4900	HastyMu.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SAKE Agent = "C:\\Windows\\SysWOW64\\28463\\SAKE.exe"	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SAKE Agent = "C:\\Windows\\SysWOW64\\28463\\SAKE.exe"	SAKE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\SAKE.007	SpeeD Hack.exe
File opened for modification	C:\Windows\SysWOW64\28463	SAKE.exe
File created	C:\Windows\SysWOW64\28463\SAKE.007	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\SAKE.exe	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\SAKE.exe	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\key.bin	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	SpeeD Hack.exe
File opened for modification	C:\Windows\SysWOW64\28463	SAKE.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\SAKE.001	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\SAKE.006	SpeeD Hack.exe
File opened for modification	C:\Windows\SysWOW64\28463\SAKE.001	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\SAKE.006	SpeeD Hack.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	SpeeD Hack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAKE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpeeD Hack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 60 IoCs

evasion

pid	Process
2084	taskkill.exe
2328	taskkill.exe
1424	taskkill.exe
3936	taskkill.exe
4684	taskkill.exe
1000	taskkill.exe
1636	taskkill.exe
3900	taskkill.exe
2764	taskkill.exe
2228	taskkill.exe
1752	taskkill.exe
3944	taskkill.exe
2932	taskkill.exe
4364	taskkill.exe
2160	taskkill.exe
4696	taskkill.exe
1548	taskkill.exe
108	taskkill.exe
4032	taskkill.exe
4496	taskkill.exe
2832	taskkill.exe
1932	taskkill.exe
3888	taskkill.exe
2576	taskkill.exe
2272	taskkill.exe
4420	taskkill.exe
1556	taskkill.exe
1728	taskkill.exe
1324	taskkill.exe
2420	taskkill.exe
2792	taskkill.exe
1168	taskkill.exe
3988	taskkill.exe
4396	taskkill.exe
276	taskkill.exe
2112	taskkill.exe
2512	taskkill.exe
3872	taskkill.exe
4284	taskkill.exe
4324	taskkill.exe
4564	taskkill.exe
3032	taskkill.exe
2864	taskkill.exe
476	taskkill.exe
1572	taskkill.exe
1660	taskkill.exe
4444	taskkill.exe
2776	taskkill.exe
2848	taskkill.exe
2888	taskkill.exe
1736	taskkill.exe
4260	taskkill.exe
4636	taskkill.exe
2388	taskkill.exe
2296	taskkill.exe
4388	taskkill.exe
4704	taskkill.exe
1908	taskkill.exe
328	taskkill.exe
4604	taskkill.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\ProgID\ = "LDAP"	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\0\	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\0\win32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE"	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\HELPDIR\	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\Version	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\ = "Cemoj Esekizeg Wobot class"	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\ProgID	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\0\win32	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\FLAGS	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\FLAGS\ = "0"	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\HELPDIR	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\TypeLib	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\Version\ = "1.0"	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\InprocServer32	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\0\win32\	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\TypeLib\	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\InprocServer32\	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\ = "Microsoft Excel 14.0 Object Library"	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\FLAGS\	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\Version\	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\InprocServer32\ = "%SystemRoot%\\SysWow64\\adsldp.dll"	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\TypeLib\ = "{50CFF2D2-05E1-14AD-353F-3ADD424531E6}"	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D12BC12B-7BD4-4626-D1A6-44315E0AE037}\ProgID\	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\	SAKE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\0	SAKE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{50CFF2D2-05E1-14AD-353F-3ADD424531E6}\1.7\HELPDIR\ = "[{00020813-0000-0000-C000-000000000046}]"	SAKE.exe

Modifies registry key 1 TTPs 44 IoCs

Modify Registry

T1112

pid	Process
5196	reg.exe
5256	reg.exe
5368	reg.exe
4492	reg.exe
4052	reg.exe
4232	reg.exe
4052	reg.exe
3164	reg.exe
5576	reg.exe
5600	reg.exe
5592	reg.exe
3184	reg.exe
5560	reg.exe
5632	reg.exe
2528	reg.exe
1668	reg.exe
888	reg.exe
3360	reg.exe
1132	reg.exe
3128	reg.exe
5212	reg.exe
280	reg.exe
1540	reg.exe
236	reg.exe
4232	reg.exe
4944	reg.exe
3124	reg.exe
3108	reg.exe
4176	reg.exe
5168	reg.exe
5584	reg.exe
5608	reg.exe
3120	reg.exe
5420	reg.exe
5616	reg.exe
5624	reg.exe
2140	reg.exe
1912	reg.exe
3088	reg.exe
5408	reg.exe
5568	reg.exe
3116	reg.exe
4184	reg.exe
5432	reg.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2380	HastyMu.exe
2380	HastyMu.exe
2380	HastyMu.exe
2380	HastyMu.exe
2380	HastyMu.exe
2380	HastyMu.exe
2380	HastyMu.exe
2380	HastyMu.exe
2380	HastyMu.exe
2380	HastyMu.exe
4900	HastyMu.exe
4900	HastyMu.exe
4900	HastyMu.exe
4900	HastyMu.exe
4900	HastyMu.exe
4900	HastyMu.exe
4900	HastyMu.exe
4900	HastyMu.exe
4900	HastyMu.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3032	taskkill.exe
Token: SeDebugPrivilege	2764	taskkill.exe
Token: SeDebugPrivilege	1636	taskkill.exe
Token: SeDebugPrivilege	2084	taskkill.exe
Token: SeDebugPrivilege	2420	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: 33	1044	SAKE.exe
Token: SeIncBasePriorityPrivilege	1044	SAKE.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	2328	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	1000	taskkill.exe
Token: SeDebugPrivilege	2888	taskkill.exe
Token: SeDebugPrivilege	2792	taskkill.exe
Token: SeDebugPrivilege	2388	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2848	taskkill.exe
Token: SeDebugPrivilege	1728	taskkill.exe
Token: SeDebugPrivilege	328	taskkill.exe
Token: SeDebugPrivilege	476	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1556	taskkill.exe
Token: SeDebugPrivilege	2272	taskkill.exe
Token: SeDebugPrivilege	1932	taskkill.exe
Token: SeDebugPrivilege	2296	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	1908	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	276	taskkill.exe
Token: SeDebugPrivilege	1168	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	1736	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeDebugPrivilege	2228	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	1548	taskkill.exe
Token: SeDebugPrivilege	3900	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	108	taskkill.exe
Token: SeDebugPrivilege	3944	taskkill.exe
Token: SeDebugPrivilege	1572	taskkill.exe
Token: SeDebugPrivilege	4032	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3888	taskkill.exe
Token: SeDebugPrivilege	2932	taskkill.exe
Token: SeDebugPrivilege	2112	taskkill.exe
Token: SeDebugPrivilege	1324	taskkill.exe
Token: SeDebugPrivilege	3988	taskkill.exe
Token: SeDebugPrivilege	4260	taskkill.exe
Token: SeDebugPrivilege	4284	taskkill.exe
Token: SeDebugPrivilege	4684	taskkill.exe
Token: SeDebugPrivilege	4364	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe
Token: SeDebugPrivilege	4604	taskkill.exe
Token: SeDebugPrivilege	4444	taskkill.exe
Token: SeDebugPrivilege	4564	taskkill.exe
Token: SeDebugPrivilege	4636	taskkill.exe
Token: SeDebugPrivilege	4388	taskkill.exe
Token: SeDebugPrivilege	4396	taskkill.exe
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: 33	4512	SAKE.exe
Token: SeIncBasePriorityPrivilege	4512	SAKE.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
1044	SAKE.exe
1044	SAKE.exe
1044	SAKE.exe
1044	SAKE.exe
1044	SAKE.exe
4512	SAKE.exe
4512	SAKE.exe
4512	SAKE.exe
4512	SAKE.exe
4512	SAKE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2576	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2576	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2576	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2576	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2420	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2420	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2420	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2420	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	31
PID 2100 wrote to memory of 2412	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2412	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2412	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2412	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	33
PID 2100 wrote to memory of 2084	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	35
PID 2100 wrote to memory of 2084	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	35
PID 2100 wrote to memory of 2084	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	35
PID 2100 wrote to memory of 2084	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	35
PID 2100 wrote to memory of 2388	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	36
PID 2100 wrote to memory of 2388	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	36
PID 2100 wrote to memory of 2388	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	36
PID 2100 wrote to memory of 2388	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	36
PID 2100 wrote to memory of 1000	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	38
PID 2100 wrote to memory of 1000	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	38
PID 2100 wrote to memory of 1000	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	38
PID 2100 wrote to memory of 1000	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	38
PID 2100 wrote to memory of 3032	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	40
PID 2100 wrote to memory of 3032	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	40
PID 2100 wrote to memory of 3032	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	40
PID 2100 wrote to memory of 3032	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	40
PID 2100 wrote to memory of 1636	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	43
PID 2100 wrote to memory of 1636	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	43
PID 2100 wrote to memory of 1636	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	43
PID 2100 wrote to memory of 1636	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	43
PID 2100 wrote to memory of 2328	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	44
PID 2100 wrote to memory of 2328	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	44
PID 2100 wrote to memory of 2328	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	44
PID 2100 wrote to memory of 2328	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	44
PID 2100 wrote to memory of 2080	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	46
PID 2100 wrote to memory of 2080	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	46
PID 2100 wrote to memory of 2080	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	46
PID 2100 wrote to memory of 2080	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	46
PID 2100 wrote to memory of 2776	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	48
PID 2100 wrote to memory of 2776	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	48
PID 2100 wrote to memory of 2776	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	48
PID 2100 wrote to memory of 2776	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	48
PID 2100 wrote to memory of 2764	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	49
PID 2100 wrote to memory of 2764	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	49
PID 2100 wrote to memory of 2764	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	49
PID 2100 wrote to memory of 2764	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	49
PID 2100 wrote to memory of 2832	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	52
PID 2100 wrote to memory of 2832	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	52
PID 2100 wrote to memory of 2832	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	52
PID 2100 wrote to memory of 2832	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	52
PID 2100 wrote to memory of 2848	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	53
PID 2100 wrote to memory of 2848	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	53
PID 2100 wrote to memory of 2848	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	53
PID 2100 wrote to memory of 2848	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	53
PID 2100 wrote to memory of 2864	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	54
PID 2100 wrote to memory of 2864	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	54
PID 2100 wrote to memory of 2864	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	54
PID 2100 wrote to memory of 2864	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	54
PID 2100 wrote to memory of 2888	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	56
PID 2100 wrote to memory of 2888	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	56
PID 2100 wrote to memory of 2888	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	56
PID 2100 wrote to memory of 2888	2100	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	56

C:\Users\Admin\AppData\Local\Temp\0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2412
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:236
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:2080
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:1912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2792
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:2784
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:1668
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:2796
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:280
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:2896
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:2528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:2140
- C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe
  "C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2600
- - C:\Windows\SysWOW64\28463\SAKE.exe
    "C:\Windows\system32\28463\SAKE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1044
- - C:\Users\Admin\AppData\Local\Temp\HastyMu.exe
    "C:\Users\Admin\AppData\Local\Temp\HastyMu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:868
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1540
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:1232
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1732
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:236
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:852
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4232
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:5188
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5204
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:328
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1224
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2272
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2296
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1556
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:760
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:3088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:920
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:408
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3108
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:1132
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3360
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2620
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4052
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:2632
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3128
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2196
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1132
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:1120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4052
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1168
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1536
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1660
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1736
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1432
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:4944
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3888
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3944
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4176
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4092
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:5168
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:3120
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1732
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:5196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:408
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5212
- C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe
  "C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:2992
- - C:\Windows\SysWOW64\28463\SAKE.exe
    "C:\Windows\system32\28463\SAKE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\HastyMu.exe
    "C:\Users\Admin\AppData\Local\Temp\HastyMu.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:4136
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5368
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4152
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5408
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:4236
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4260
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4284
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:4304
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5520
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:5552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4364
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4396
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4476
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:5256
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:4728
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:5560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4740
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:5568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4800
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:5632
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:4856
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:5576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:5584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5600
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4964
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:4988
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:4996
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:5624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5608

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-195975620712595666191696018307309324851-2008886180337369040495850778-715176251"
1⤵
PID:888

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-48150942-1614923238-1169800742-436137667-257926148812153642110235835-1259370071"
1⤵
PID:1912

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "55222413-1580672627-2066140092993684064-17292642631740088721-1289742240-734985956"
1⤵
PID:236

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2084845472-1436705374-1497979834-1299447454899460370-15680998041074157636-1265947798"
1⤵
PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HastyMu.exe

Filesize
460KB

MD5
8f76933cff19c919dc9a03b4ade123c2

SHA1
5617b624fbfbfce2bfbfe55a0c881c231cfa7d12

SHA256
bb44894cc641d8446f8f9a5f9d4698dd3aa4fb22308efd55cefdd8af39669200

SHA512
25d2ddf41057b6b03642c0f8a75b7523ae4301410c35271269381fd681a3e19db05eabd8412c8502597fa794439e12fd990230fe6203ba65360550110b49a49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe

Filesize
1.2MB

MD5
b5130cc30896476ac6dba205e441b5c9

SHA1
060834cd3695486f23c79453aaf555fedaf03440

SHA256
0506380afef7a77fb111aecdf02af95f72f098f636dfb13eb0e54492e88721c1

SHA512
89ef9a7945f94da7bc845e4a01c2af7cc5a670afae274ec6a5a6c5982a8a7f6a21d417ab0d003ddc7b7700f32f661e8c742c580c98d73c8f8f938676357b891d

Download Submit
C:\Users\Admin\AppData\Local\Temp\winmode.dll

Filesize
48KB

MD5
fc7e01c227c5ab419ccb639484fd33a0

SHA1
fc3a72601818dfc389e76a77f4090c639896cd12

SHA256
10c6adbbf1614dc0f3e256327ae345a7592d7177ba98b2cdf359c65ef3714bbd

SHA512
cff80e568119b67fb0f07f3dcb51e07bafecc001231188ea8866cfc74026b7ba197d43288756878df97b482777bef295fa80645f2cb0cfb8ffc6ab37ce51d6ec

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
f34b87951e1a931e01df1bc9f1b98207

SHA1
f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1

SHA256
e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b

SHA512
c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

Download Submit
C:\Windows\SysWOW64\28463\SAKE.001

Filesize
484B

MD5
2562d047781d39404ece07a394b9f71b

SHA1
944b14cc5b4b5332634d68c7d36046eb35581483

SHA256
9d96192e38fde561eab790975965697b51a1fbdfacc7ad219b0c3ff3474a8cc0

SHA512
29e8440776d07b348d9af74c5976ae8c17176e3b1a85660889f573c2f2eed74bebe3338cd79c197fea58b275fac6e3ef3a3d8762dd4c7c840d5a866b68c92db8

Download Submit
C:\Windows\SysWOW64\28463\SAKE.006

Filesize
8KB

MD5
98d22fb2035a26a6b9b7decc0c0ff2fa

SHA1
43a75cf59fc2f8b59b1d962b4e685249eef816d5

SHA256
fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25

SHA512
3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

Download Submit
C:\Windows\SysWOW64\28463\SAKE.007

Filesize
5KB

MD5
15eb312db4b3e208b67082653acb8a02

SHA1
b0926b1e1733baa3d7f18d3806916f92704fccff

SHA256
72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8

SHA512
7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

Download Submit
C:\Windows\SysWOW64\28463\SAKE.exe

Filesize
651KB

MD5
b181beaba4204ac3ce7bc8e6f0b74312

SHA1
4ab13763d2ecdf0968f15a39302aab2b1f0ab462

SHA256
f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d

SHA512
d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@C716.tmp

Filesize
4KB

MD5
36400e746829504282eb26b364826aa9

SHA1
d39ea9da98be0c331fd71002645f4f40664288a2

SHA256
c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0

SHA512
5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

Download Submit
memory/1044-81-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/1044-32-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2380-114-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-120-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-129-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-89-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-126-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-123-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-93-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-117-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-96-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-111-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-99-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-108-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-105-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2380-102-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/2600-31-0x0000000002770000-0x0000000002850000-memory.dmp

Filesize
896KB

Download
memory/2992-68-0x0000000002860000-0x0000000002940000-memory.dmp

Filesize
896KB

Download
memory/4512-70-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4512-91-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4512-100-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4900-116-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-122-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-98-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-104-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-95-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-119-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-110-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-113-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-92-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-125-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-107-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-128-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-101-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download
memory/4900-131-0x0000000000400000-0x0000000000515000-memory.dmp

Filesize
1.1MB

Download