ardamax | cf2608dfeb55a14e1639e8431d5e0ace8f5d4eb984bcdb41c0ec44ac3da7f664

Analysis

max time kernel
145s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-02-2025 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
Size

3.1MB
MD5

c2bf07204c260e0a402bb177dae94d9d
SHA1

e8e7e20d9ed8b10ea25f8b7115ee3af2bf218f23
SHA256

cf2608dfeb55a14e1639e8431d5e0ace8f5d4eb984bcdb41c0ec44ac3da7f664
SHA512

2f7b6949fa3d806f5f76df3cf92c0b6849a1a8c117a10ef453ba58e523da6e8fd79f016e6ab2deeb8ce127a3097c61a44f03a32b1cc93dbad84fb0931403ecb0
SSDEEP

98304:JSB61iAVLYb+FqK1sPPMwSB61iAVLYb+FqK1sPPMu:K61ZjqKgQ61ZjqKgx

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000017525-51.dat	family_ardamax

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Executes dropped EXE 6 IoCs

pid	Process
1312	Install.exe
1620	Sky Cash Generator Versão 1.5.exe
1636	Install.exe
3588	Sky Cash Generator Versão 1.5.exe
1484	LIPM.exe
264	LIPM.exe

Loads dropped DLL 26 IoCs

pid	Process
2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
1312	Install.exe
1312	Install.exe
1312	Install.exe
1312	Install.exe
2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
1636	Install.exe
1636	Install.exe
1636	Install.exe
1636	Install.exe
2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
1312	Install.exe
1636	Install.exe
1484	LIPM.exe
1484	LIPM.exe
264	LIPM.exe
264	LIPM.exe
1484	LIPM.exe
1484	LIPM.exe
3588	Sky Cash Generator Versão 1.5.exe
264	LIPM.exe
264	LIPM.exe
1620	Sky Cash Generator Versão 1.5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LIPM Agent = "C:\\Windows\\SysWOW64\\28463\\LIPM.exe"	LIPM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\LIPM.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	LIPM.exe
File created	C:\Windows\SysWOW64\28463\LIPM.001	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\LIPM.001	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\LIPM.006	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.006	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.007	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sky Cash Generator Versão 1.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 60 IoCs

defense_evasion

pid	Process
2612	taskkill.exe
2372	taskkill.exe
3808	taskkill.exe
3608	taskkill.exe
2732	taskkill.exe
3044	taskkill.exe
1752	taskkill.exe
2056	taskkill.exe
844	taskkill.exe
3460	taskkill.exe
1568	taskkill.exe
2116	taskkill.exe
2716	taskkill.exe
3720	taskkill.exe
3936	taskkill.exe
3972	taskkill.exe
2924	taskkill.exe
2708	taskkill.exe
2444	taskkill.exe
2960	taskkill.exe
2680	taskkill.exe
2688	taskkill.exe
1624	taskkill.exe
3544	taskkill.exe
3004	taskkill.exe
3756	taskkill.exe
2916	taskkill.exe
1564	taskkill.exe
2432	taskkill.exe
2584	taskkill.exe
1472	taskkill.exe
1124	taskkill.exe
3328	taskkill.exe
2676	taskkill.exe
1696	taskkill.exe
2476	taskkill.exe
3920	taskkill.exe
3964	taskkill.exe
1724	taskkill.exe
2160	taskkill.exe
3912	taskkill.exe
1848	taskkill.exe
3000	taskkill.exe
984	taskkill.exe
1732	taskkill.exe
2652	taskkill.exe
2728	taskkill.exe
576	taskkill.exe
3800	taskkill.exe
2224	taskkill.exe
1772	taskkill.exe
1760	taskkill.exe
1724	taskkill.exe
2836	taskkill.exe
2080	taskkill.exe
3928	taskkill.exe
984	taskkill.exe
3196	taskkill.exe
3500	taskkill.exe
3356	taskkill.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\ProgID\ = "WinHttp.WinHttpRequest.5.1"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\ = "Anezi Ibidifih Class"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\MiscStatus	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\0\win64\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\ProgID	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\ProgID\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\MiscStatus\ = "0"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\ProgID\ = "MsRDP.MsRDP.5"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\RegCtrl.dll"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\rdpcorekmts.dll"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\Version\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\Control\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\Version	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\TypeLib\ = "{220282F9-A2FD-4AAA-1990-F74BD791ABCA}"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\VersionIndependentProgID	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\FLAGS\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\InprocServer32\ = "%systemroot%\\SysWow64\\mstscax.dll"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\FLAGS	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\InProcServer32	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\HELPDIR	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\TypeLib	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\Version\ = "5.1"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\InprocServer32	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\InprocServer32\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\Version\ = "1.0"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\ = "Qirelsog.Eciteh"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\FLAGS	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\0\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\FLAGS\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\HELPDIR\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\0\win32\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\HELPDIR\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\TypeLib\ = "{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\0\win32	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\HELPDIR\ = "%SystemRoot%\\system32"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\ToolboxBitmap32\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\InProcServer32\ = "%SystemRoot%\\SysWow64\\winhttp.dll"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\0	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\VersionIndependentProgID\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\ToolboxBitmap32\ = "%systemroot%\\SysWow64\\mstscax.dll, 1"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\TypeLib	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\VersionIndependentProgID\ = "MsRDP.MsRDP"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\0\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\ProgID\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\ToolboxBitmap32	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\MiscStatus\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\ = "Registration Control"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\0\win64	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\InProcServer32\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}\1.0\ = "KM Rdp Protocol Provider 1.0 Type Library"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D7C6AC85-039D-497E-10AB-58BCB3D35B35}\TypeLib\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6F1623C6-8E2C-BE9F-0222-C671E60BBAC9}	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\0\win32	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{05909C6A-83F1-4398-B295-212B2415B80D}\Programmable\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{220282F9-A2FD-4AAA-1990-F74BD791ABCA}\1.0\0	LIPM.exe

Modifies registry key 1 TTPs 44 IoCs

Modify Registry

T1112

pid	Process
3512	reg.exe
3568	reg.exe
3264	reg.exe
1728	reg.exe
1096	reg.exe
3688	reg.exe
2616	reg.exe
2244	reg.exe
3592	reg.exe
3752	reg.exe
3216	reg.exe
3152	reg.exe
3960	reg.exe
3496	reg.exe
3504	reg.exe
3444	reg.exe
2580	reg.exe
1696	reg.exe
3880	reg.exe
3788	reg.exe
1240	reg.exe
3576	reg.exe
3536	reg.exe
3552	reg.exe
3560	reg.exe
4008	reg.exe
1088	reg.exe
1884	reg.exe
3180	reg.exe
3036	reg.exe
3836	reg.exe
3952	reg.exe
3584	reg.exe
3028	reg.exe
3740	reg.exe
3140	reg.exe
3456	reg.exe
3816	reg.exe
1620	reg.exe
3520	reg.exe
3776	reg.exe
3100	reg.exe
3656	reg.exe
4092	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	2716	taskkill.exe
Token: SeDebugPrivilege	2224	taskkill.exe
Token: SeDebugPrivilege	3004	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	2732	taskkill.exe
Token: SeDebugPrivilege	2584	taskkill.exe
Token: SeDebugPrivilege	2688	taskkill.exe
Token: SeDebugPrivilege	3044	taskkill.exe
Token: SeDebugPrivilege	2728	taskkill.exe
Token: SeDebugPrivilege	2612	taskkill.exe
Token: SeDebugPrivilege	2160	taskkill.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	576	taskkill.exe
Token: SeDebugPrivilege	2444	taskkill.exe
Token: SeDebugPrivilege	1564	taskkill.exe
Token: SeDebugPrivilege	2372	taskkill.exe
Token: SeDebugPrivilege	1472	taskkill.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	2080	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	2056	taskkill.exe
Token: SeDebugPrivilege	3720	taskkill.exe
Token: SeDebugPrivilege	3756	taskkill.exe
Token: SeDebugPrivilege	3800	taskkill.exe
Token: SeDebugPrivilege	3808	taskkill.exe
Token: SeDebugPrivilege	3920	taskkill.exe
Token: SeDebugPrivilege	3936	taskkill.exe
Token: SeDebugPrivilege	3928	taskkill.exe
Token: SeDebugPrivilege	3964	taskkill.exe
Token: SeDebugPrivilege	3912	taskkill.exe
Token: SeDebugPrivilege	844	taskkill.exe
Token: SeDebugPrivilege	1848	taskkill.exe
Token: SeDebugPrivilege	2652	taskkill.exe
Token: SeDebugPrivilege	2960	taskkill.exe
Token: SeDebugPrivilege	3972	taskkill.exe
Token: SeDebugPrivilege	984	taskkill.exe
Token: SeDebugPrivilege	3196	taskkill.exe
Token: SeDebugPrivilege	3460	taskkill.exe
Token: SeDebugPrivilege	3328	taskkill.exe
Token: SeDebugPrivilege	2676	taskkill.exe
Token: SeDebugPrivilege	3500	taskkill.exe
Token: SeDebugPrivilege	1568	taskkill.exe
Token: SeDebugPrivilege	2680	taskkill.exe
Token: SeDebugPrivilege	1760	taskkill.exe
Token: SeDebugPrivilege	3608	taskkill.exe
Token: SeDebugPrivilege	2116	taskkill.exe
Token: SeDebugPrivilege	1724	taskkill.exe
Token: SeDebugPrivilege	1124	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	3544	taskkill.exe
Token: 33	1484	LIPM.exe
Token: SeIncBasePriorityPrivilege	1484	LIPM.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
1484	LIPM.exe
1484	LIPM.exe
1484	LIPM.exe
1484	LIPM.exe
1484	LIPM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2924	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	31
PID 2796 wrote to memory of 2924	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	31
PID 2796 wrote to memory of 2924	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	31
PID 2796 wrote to memory of 2924	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	31
PID 2796 wrote to memory of 2708	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	32
PID 2796 wrote to memory of 2708	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	32
PID 2796 wrote to memory of 2708	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	32
PID 2796 wrote to memory of 2708	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	32
PID 2796 wrote to memory of 2920	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	34
PID 2796 wrote to memory of 2920	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	34
PID 2796 wrote to memory of 2920	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	34
PID 2796 wrote to memory of 2920	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	34
PID 2796 wrote to memory of 2688	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	36
PID 2796 wrote to memory of 2688	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	36
PID 2796 wrote to memory of 2688	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	36
PID 2796 wrote to memory of 2688	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	36
PID 2796 wrote to memory of 2916	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	38
PID 2796 wrote to memory of 2916	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	38
PID 2796 wrote to memory of 2916	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	38
PID 2796 wrote to memory of 2916	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	38
PID 2796 wrote to memory of 2716	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	39
PID 2796 wrote to memory of 2716	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	39
PID 2796 wrote to memory of 2716	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	39
PID 2796 wrote to memory of 2716	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	39
PID 2796 wrote to memory of 2224	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	40
PID 2796 wrote to memory of 2224	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	40
PID 2796 wrote to memory of 2224	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	40
PID 2796 wrote to memory of 2224	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	40
PID 2796 wrote to memory of 2732	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	41
PID 2796 wrote to memory of 2732	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	41
PID 2796 wrote to memory of 2732	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	41
PID 2796 wrote to memory of 2732	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	41
PID 2796 wrote to memory of 2584	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	43
PID 2796 wrote to memory of 2584	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	43
PID 2796 wrote to memory of 2584	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	43
PID 2796 wrote to memory of 2584	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	43
PID 2796 wrote to memory of 2580	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	44
PID 2796 wrote to memory of 2580	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	44
PID 2796 wrote to memory of 2580	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	44
PID 2796 wrote to memory of 2580	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	44
PID 2796 wrote to memory of 2836	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	47
PID 2796 wrote to memory of 2836	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	47
PID 2796 wrote to memory of 2836	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	47
PID 2796 wrote to memory of 2836	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	47
PID 2796 wrote to memory of 2612	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	48
PID 2796 wrote to memory of 2612	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	48
PID 2796 wrote to memory of 2612	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	48
PID 2796 wrote to memory of 2612	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	48
PID 2796 wrote to memory of 2728	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	49
PID 2796 wrote to memory of 2728	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	49
PID 2796 wrote to memory of 2728	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	49
PID 2796 wrote to memory of 2728	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	49
PID 2796 wrote to memory of 3044	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	56
PID 2796 wrote to memory of 3044	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	56
PID 2796 wrote to memory of 3044	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	56
PID 2796 wrote to memory of 3044	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	56
PID 2796 wrote to memory of 3000	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	57
PID 2796 wrote to memory of 3000	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	57
PID 2796 wrote to memory of 3000	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	57
PID 2796 wrote to memory of 3000	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	57
PID 2796 wrote to memory of 3004	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	58
PID 2796 wrote to memory of 3004	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	58
PID 2796 wrote to memory of 3004	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	58
PID 2796 wrote to memory of 3004	2796	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	58

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:2920
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:2064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2916
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2716
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2732
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2580
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3044
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3004
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:1800
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:1236
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:1940
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:1088
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1884
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1312
- - C:\Windows\SysWOW64\28463\LIPM.exe
    "C:\Windows\system32\28463\LIPM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1720
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3560
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:1748
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1096
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1320
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - Modifies registry key
    PID:3496
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1984
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3520
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:1072
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3592
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2444
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:3528
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3544
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:612
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:3552
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2160
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2056
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:2148
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:3576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2432
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:2296
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:3568
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:988
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:3584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3536
- C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:3464
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3620
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3688
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3664
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3696
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3756
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:3788
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:3856
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:3880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3800
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3808
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3936
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3948
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4092
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3964
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3972
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:984
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2652
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:2924
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3216
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:2824
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:652
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3180
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2940
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3028
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:1636
- - C:\Windows\SysWOW64\28463\LIPM.exe
    "C:\Windows\system32\28463\LIPM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1484
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:2892
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2376
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3456
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:1468
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3296
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3140
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:112
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:1696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:3488
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:2372
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:2232
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2676
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3500
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1568
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:3416
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:3264
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2680
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2116
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3356
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2432
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3544
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3528
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:1928
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3552
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3960
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:612
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:3776
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:2316
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3816
- C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3588
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3592
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:3676
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3880
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3660
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3100
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3644
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3692
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:3788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1922732857-1641889595-14455751831278364078-1014144736-1260508747608565830-1168724374"
1⤵
PID:2476

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "496865709599526651-143205289720843407991170970958209015929-18493464652132364537"
1⤵
PID:3520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1629954286-204830070-203671614-1148334952-19172824091578550352226165227125441354"
1⤵
PID:3504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1405073015-1630212691-1247262449104313216-16028684591918451394-152487489-1451470910"
1⤵
PID:1624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "54642432821258427481941024726-247754445139913045416859785962597079806019653"
1⤵
PID:3560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1839847693-1294128150-10436562164406301-275451437139473933-769829114-1542082577"
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Windows\SysWOW64\28463\LIPM.001

Filesize
492B

MD5
dcf1397c56a1fb64bee877a80bc54926

SHA1
48e1999237ed8a317ec37ae27974f4f769ce05ad

SHA256
5cafe0a0bf758cf21329aebb9b089b31a36164bb0e09aa60ac429bb02d432a11

SHA512
cd62356378c767c65fb01d824197f5c450421502b5928edec6b699881e9294d5f350972f6b49b8ba09952c8453e7587cbfff5cb31df0dce457aea6cfd52df856

Download Submit
C:\Windows\SysWOW64\28463\LIPM.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\LIPM.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\LIPM.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Users\Admin\AppData\Local\Temp\@F20C.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
787KB

MD5
38b59b4c0a4205166ec43446e1f9a5e1

SHA1
d31eb555371b970980c8de9de3a83b6b8c03cc28

SHA256
29c40c78c67f54c6a0627feac1462b45e6c552e48572c82f94abd6b8db266ddd

SHA512
9618c9bf53fae302e17044f2de24547f7c5d2381d37af0809ab04b7f1bdd1f9077ff22e08e98350cf7587a23c2ee638fdbe17a12d1261641dc53c81d9130276d

Download Submit
\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe

Filesize
767KB

MD5
fe375c5525d2f01592c64809ee1751a9

SHA1
8f18dae4f5a5663ead139be446c2494629ee0c7b

SHA256
ca3cd0f306a68051163ebdf1bceac2a0f277d05f382ca6c25259423ba247e9a2

SHA512
72211055564da4cd4a6e57639f881658748d748d14439eabcca8307a2cafd3f7180c66f3c781f38fa556699b09db0980472debeccdd6dea919ae6b3cac372684

Download Submit
memory/264-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/264-81-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1484-67-0x0000000000240000-0x000000000031F000-memory.dmp

Filesize
892KB

Download
memory/1484-68-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1484-83-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1484-94-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1620-42-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3588-70-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads