ardamax | cf2608dfeb55a14e1639e8431d5e0ace8f5d4eb984bcdb41c0ec44ac3da7f664

Analysis

max time kernel
143s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
Size

3.1MB
MD5

c2bf07204c260e0a402bb177dae94d9d
SHA1

e8e7e20d9ed8b10ea25f8b7115ee3af2bf218f23
SHA256

cf2608dfeb55a14e1639e8431d5e0ace8f5d4eb984bcdb41c0ec44ac3da7f664
SHA512

2f7b6949fa3d806f5f76df3cf92c0b6849a1a8c117a10ef453ba58e523da6e8fd79f016e6ab2deeb8ce127a3097c61a44f03a32b1cc93dbad84fb0931403ecb0
SSDEEP

98304:JSB61iAVLYb+FqK1sPPMwSB61iAVLYb+FqK1sPPMu:K61ZjqKgQ61ZjqKgx

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023e27-36.dat	family_ardamax

Disables RegEdit via registry modification 2 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 1 IoCs

flow	pid	Process
36	7856	Process not Found

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe

Executes dropped EXE 6 IoCs

pid	Process
1000	Install.exe
1772	Sky Cash Generator Versão 1.5.exe
5764	Install.exe
6508	Sky Cash Generator Versão 1.5.exe
8456	LIPM.exe
1152	LIPM.exe

Loads dropped DLL 12 IoCs

pid	Process
1000	Install.exe
5764	Install.exe
8456	LIPM.exe
8456	LIPM.exe
8456	LIPM.exe
5764	Install.exe
5764	Install.exe
5764	Install.exe
5764	Install.exe
6508	Sky Cash Generator Versão 1.5.exe
6508	Sky Cash Generator Versão 1.5.exe
6508	Sky Cash Generator Versão 1.5.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LIPM Agent = "C:\\Windows\\SysWOW64\\28463\\LIPM.exe"	LIPM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 13 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\LIPM.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.007	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	LIPM.exe
File opened for modification	C:\Windows\SysWOW64\28463\LIPM.001	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.006	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.001	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.006	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\LIPM.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1124	8456	WerFault.exe	366

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LIPM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
7872	MicrosoftEdgeUpdate.exe

Kills process with taskkill 60 IoCs

defense_evasion

pid	Process
116	taskkill.exe
5936	taskkill.exe
5904	taskkill.exe
5880	taskkill.exe
1240	taskkill.exe
2520	taskkill.exe
4044	taskkill.exe
3932	taskkill.exe
216	taskkill.exe
3960	taskkill.exe
5864	taskkill.exe
5872	taskkill.exe
628	taskkill.exe
5128	taskkill.exe
4612	taskkill.exe
1832	taskkill.exe
3712	taskkill.exe
5832	taskkill.exe
5856	taskkill.exe
3584	taskkill.exe
4796	taskkill.exe
4108	taskkill.exe
4228	taskkill.exe
4600	taskkill.exe
696	taskkill.exe
5952	taskkill.exe
220	taskkill.exe
4824	taskkill.exe
1764	taskkill.exe
2752	taskkill.exe
5944	taskkill.exe
5928	taskkill.exe
5912	taskkill.exe
380	taskkill.exe
4728	taskkill.exe
572	taskkill.exe
2440	taskkill.exe
2872	taskkill.exe
2684	taskkill.exe
1424	taskkill.exe
5144	taskkill.exe
5824	taskkill.exe
5920	taskkill.exe
1628	taskkill.exe
1860	taskkill.exe
440	taskkill.exe
4860	taskkill.exe
3804	taskkill.exe
5152	taskkill.exe
4940	taskkill.exe
5888	taskkill.exe
5848	taskkill.exe
3312	taskkill.exe
5136	taskkill.exe
3680	taskkill.exe
1204	taskkill.exe
1800	taskkill.exe
1200	taskkill.exe
3892	taskkill.exe
4400	taskkill.exe

Modifies registry class 34 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\ = "Inizor"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\0\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\TypeLib\ = "{4C96B937-0762-AB67-FF94-38B43ADC29E6}"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\VersionIndependentProgID\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\ProgID\ = "IMEAPI.CImePropertyJK.15"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\ = "IAS SDO Helper 1.0 Type Library"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\FLAGS\	LIPM.exe
Key created	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\ProgID	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\0	LIPM.exe
Key created	\REGISTRY\USER\S-1-5-21-705198581-2062733989-3666524522-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\InprocServer32	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\InprocServer32\ = "C:\\Windows\\SysWOW64\\IME\\shared\\imjkapi.dll"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\0\win32	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\sdohlp.dll\\1"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\FLAGS\ = "0"	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\TypeLib\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\0\win32\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\InprocServer32\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\ProgID\	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\sdohlp.dll\\1"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\TypeLib	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\VersionIndependentProgID	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA79F3BC-ED25-4DBE-2B82-933BED64FA79}\VersionIndependentProgID\ = "IMEAPI.CImePropertyJK"	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\0\win64	LIPM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\0\win64\	LIPM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4C96B937-0762-AB67-FF94-38B43ADC29E6}\1.0\FLAGS	LIPM.exe

Modifies registry key 1 TTPs 44 IoCs

Modify Registry

T1112

pid	Process
8764	reg.exe
8900	reg.exe
8876	reg.exe
7068	reg.exe
8260	reg.exe
8328	reg.exe
8844	reg.exe
8028	reg.exe
8460	reg.exe
8648	reg.exe
8820	reg.exe
8388	reg.exe
8728	reg.exe
8836	reg.exe
8772	reg.exe
7468	reg.exe
4220	reg.exe
7320	reg.exe
4492	reg.exe
8892	reg.exe
8172	reg.exe
8156	reg.exe
8188	reg.exe
8396	reg.exe
8804	reg.exe
8852	reg.exe
8924	reg.exe
8780	reg.exe
7460	reg.exe
7356	reg.exe
8376	reg.exe
8860	reg.exe
8036	reg.exe
8164	reg.exe
8196	reg.exe
8828	reg.exe
8796	reg.exe
8868	reg.exe
8884	reg.exe
8912	reg.exe
3988	reg.exe
8268	reg.exe
8336	reg.exe
8812	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 62 IoCs

description	pid	Process
Token: SeDebugPrivilege	220	taskkill.exe
Token: SeDebugPrivilege	1240	taskkill.exe
Token: SeDebugPrivilege	3584	taskkill.exe
Token: SeDebugPrivilege	1800	taskkill.exe
Token: SeDebugPrivilege	440	taskkill.exe
Token: SeDebugPrivilege	380	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	116	taskkill.exe
Token: SeDebugPrivilege	4824	taskkill.exe
Token: SeDebugPrivilege	216	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	1764	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	2520	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	1200	taskkill.exe
Token: SeDebugPrivilege	1424	taskkill.exe
Token: SeDebugPrivilege	2684	taskkill.exe
Token: SeDebugPrivilege	572	taskkill.exe
Token: SeDebugPrivilege	4728	taskkill.exe
Token: SeDebugPrivilege	3892	taskkill.exe
Token: SeDebugPrivilege	4796	taskkill.exe
Token: SeDebugPrivilege	3960	taskkill.exe
Token: SeDebugPrivilege	3312	taskkill.exe
Token: SeDebugPrivilege	1860	taskkill.exe
Token: SeDebugPrivilege	4860	taskkill.exe
Token: SeDebugPrivilege	4044	taskkill.exe
Token: SeDebugPrivilege	5952	taskkill.exe
Token: SeDebugPrivilege	5920	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	5824	taskkill.exe
Token: SeDebugPrivilege	696	taskkill.exe
Token: SeDebugPrivilege	1832	taskkill.exe
Token: SeDebugPrivilege	3712	taskkill.exe
Token: SeDebugPrivilege	3932	taskkill.exe
Token: SeDebugPrivilege	5888	taskkill.exe
Token: SeDebugPrivilege	5848	taskkill.exe
Token: SeDebugPrivilege	4940	taskkill.exe
Token: SeDebugPrivilege	4612	taskkill.exe
Token: SeDebugPrivilege	5872	taskkill.exe
Token: SeDebugPrivilege	5904	taskkill.exe
Token: SeDebugPrivilege	5880	taskkill.exe
Token: SeDebugPrivilege	5856	taskkill.exe
Token: SeDebugPrivilege	5128	taskkill.exe
Token: SeDebugPrivilege	3680	taskkill.exe
Token: SeDebugPrivilege	5152	taskkill.exe
Token: SeDebugPrivilege	5928	taskkill.exe
Token: SeDebugPrivilege	5136	taskkill.exe
Token: SeDebugPrivilege	5144	taskkill.exe
Token: SeDebugPrivilege	5944	taskkill.exe
Token: SeDebugPrivilege	4108	taskkill.exe
Token: SeDebugPrivilege	1628	taskkill.exe
Token: SeDebugPrivilege	5936	taskkill.exe
Token: SeDebugPrivilege	5912	taskkill.exe
Token: SeDebugPrivilege	4400	taskkill.exe
Token: SeDebugPrivilege	1204	taskkill.exe
Token: SeDebugPrivilege	5832	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	5864	taskkill.exe
Token: 33	8456	LIPM.exe
Token: SeIncBasePriorityPrivilege	8456	LIPM.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
8456	LIPM.exe
8456	LIPM.exe
8456	LIPM.exe
8456	LIPM.exe
8456	LIPM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 220	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	86
PID 4264 wrote to memory of 220	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	86
PID 4264 wrote to memory of 220	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	86
PID 4264 wrote to memory of 3584	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	87
PID 4264 wrote to memory of 3584	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	87
PID 4264 wrote to memory of 3584	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	87
PID 4264 wrote to memory of 4872	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	88
PID 4264 wrote to memory of 4872	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	88
PID 4264 wrote to memory of 4872	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	88
PID 4264 wrote to memory of 216	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	89
PID 4264 wrote to memory of 216	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	89
PID 4264 wrote to memory of 216	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	89
PID 4264 wrote to memory of 4824	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	90
PID 4264 wrote to memory of 4824	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	90
PID 4264 wrote to memory of 4824	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	90
PID 4264 wrote to memory of 440	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	91
PID 4264 wrote to memory of 440	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	91
PID 4264 wrote to memory of 440	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	91
PID 4264 wrote to memory of 4796	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	92
PID 4264 wrote to memory of 4796	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	92
PID 4264 wrote to memory of 4796	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	92
PID 4264 wrote to memory of 4600	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	93
PID 4264 wrote to memory of 4600	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	93
PID 4264 wrote to memory of 4600	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	93
PID 4264 wrote to memory of 116	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	94
PID 4264 wrote to memory of 116	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	94
PID 4264 wrote to memory of 116	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	94
PID 4264 wrote to memory of 2404	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	95
PID 4264 wrote to memory of 2404	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	95
PID 4264 wrote to memory of 2404	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	95
PID 4264 wrote to memory of 3312	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	96
PID 4264 wrote to memory of 3312	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	96
PID 4264 wrote to memory of 3312	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	96
PID 4264 wrote to memory of 380	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	98
PID 4264 wrote to memory of 380	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	98
PID 4264 wrote to memory of 380	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	98
PID 4264 wrote to memory of 1764	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	99
PID 4264 wrote to memory of 1764	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	99
PID 4264 wrote to memory of 1764	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	99
PID 4264 wrote to memory of 2684	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	100
PID 4264 wrote to memory of 2684	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	100
PID 4264 wrote to memory of 2684	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	100
PID 4264 wrote to memory of 2872	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	101
PID 4264 wrote to memory of 2872	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	101
PID 4264 wrote to memory of 2872	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	101
PID 4264 wrote to memory of 1240	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	102
PID 4264 wrote to memory of 1240	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	102
PID 4264 wrote to memory of 1240	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	102
PID 4264 wrote to memory of 1800	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	103
PID 4264 wrote to memory of 1800	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	103
PID 4264 wrote to memory of 1800	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	103
PID 4264 wrote to memory of 1820	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	104
PID 4264 wrote to memory of 1820	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	104
PID 4264 wrote to memory of 1820	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	104
PID 4264 wrote to memory of 2164	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	105
PID 4264 wrote to memory of 2164	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	105
PID 4264 wrote to memory of 2164	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	105
PID 4264 wrote to memory of 3308	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	107
PID 4264 wrote to memory of 3308	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	107
PID 4264 wrote to memory of 3308	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	107
PID 4264 wrote to memory of 2420	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	108
PID 4264 wrote to memory of 2420	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	108
PID 4264 wrote to memory of 2420	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	108
PID 4264 wrote to memory of 1592	4264	JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe	109

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4264
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:220
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:4872
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:7348
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:216
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:440
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4796
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:116
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:2404
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3312
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:380
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1240
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1800
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  PID:1820
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:7460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:2164
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:7068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:7468
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:2420
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:8036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8156
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:1000
- - C:\Windows\SysWOW64\28463\LIPM.exe
    "C:\Windows\system32\28463\LIPM.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:8456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 8456 -s 836
      4⤵
      Program crash
      PID:1124
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:3916
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8164
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:3548
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8328
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1432
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8172
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:2084
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4220
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4324
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:7320
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4228
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:7292
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:7360
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3892
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1200
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4108
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4044
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:8336
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2520
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3960
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1424
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3652
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:8196
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  PID:4668
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:8376
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2396
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8188
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2136
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3988
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:884
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - Modifies registry key
    PID:7356
- C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe"
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:4416
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3256
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:2120
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:3704
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8772
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:1096
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8780
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1628
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:4232
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:8504
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:8788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:696
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4940
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1204
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3680
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:4340
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8804
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1832
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4400
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4612
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5128
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5136
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5144
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5160
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5172
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - Modifies registry key
    PID:8812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:5184
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:5192
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:4492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  PID:5200
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8860
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:5764
- - C:\Windows\SysWOW64\28463\LIPM.exe
    "C:\Windows\system32\28463\LIPM.exe"
    3⤵
    - Executes dropped EXE
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8892
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:5788
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8844
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5800
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8868
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:5808
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5816
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8764
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5824
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5832
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  PID:5840
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    PID:8752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      PID:9048
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5848
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5856
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5872
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5880
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5888
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  PID:5896
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - Modifies registry key
    PID:8852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5928
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5936
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5944
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5960
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - Modifies registry key
    PID:8900
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5968
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8648
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  PID:5976
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - Modifies registry key
    PID:8828
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  PID:5984
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - Modifies registry key
    PID:8912
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5992
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8884
- C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe
  "C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6508
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:6516
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8388
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
  2⤵
  PID:6524
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  PID:6532
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6544
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:8260
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6552
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore /v DisableRegistryTools /t REG_DWORD /d 1
    3⤵
    - Modifies registry key
    PID:8796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe"
1⤵
- Modifies registry class
PID:4892

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe"
1⤵
- Modifies registry class
PID:664

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe"
1⤵
- Modifies registry class
PID:5516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\FirewallControlPanel.dll,ShowWarningDialog "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c2bf07204c260e0a402bb177dae94d9d.exe"
1⤵
- Modifies registry class
PID:6356

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:8196

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 8456 -ip 8456
1⤵
PID:8600

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MDA4NTBFOTEtMTkzNC00MDFBLTk5MjEtM0FBMzhGRjMyQzk4fSIgdXNlcmlkPSJ7NzBCOTU0NDItQjE3RS00NjcyLUI4NTMtOTdDMkU3MzQwQTIzfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTIyN0QyOTAtRDQzMS00M0ZDLUJENjctNjFBNUY3Rjc0Qzg1fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDU4NjAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxODIxNjMwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mzk0ODU2NTgxIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:7872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9A5B.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
787KB

MD5
38b59b4c0a4205166ec43446e1f9a5e1

SHA1
d31eb555371b970980c8de9de3a83b6b8c03cc28

SHA256
29c40c78c67f54c6a0627feac1462b45e6c552e48572c82f94abd6b8db266ddd

SHA512
9618c9bf53fae302e17044f2de24547f7c5d2381d37af0809ab04b7f1bdd1f9077ff22e08e98350cf7587a23c2ee638fdbe17a12d1261641dc53c81d9130276d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sky Cash Generator Versão 1.5.exe

Filesize
767KB

MD5
fe375c5525d2f01592c64809ee1751a9

SHA1
8f18dae4f5a5663ead139be446c2494629ee0c7b

SHA256
ca3cd0f306a68051163ebdf1bceac2a0f277d05f382ca6c25259423ba247e9a2

SHA512
72211055564da4cd4a6e57639f881658748d748d14439eabcca8307a2cafd3f7180c66f3c781f38fa556699b09db0980472debeccdd6dea919ae6b3cac372684

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Windows\SysWOW64\28463\LIPM.001

Filesize
492B

MD5
dcf1397c56a1fb64bee877a80bc54926

SHA1
48e1999237ed8a317ec37ae27974f4f769ce05ad

SHA256
5cafe0a0bf758cf21329aebb9b089b31a36164bb0e09aa60ac429bb02d432a11

SHA512
cd62356378c767c65fb01d824197f5c450421502b5928edec6b699881e9294d5f350972f6b49b8ba09952c8453e7587cbfff5cb31df0dce457aea6cfd52df856

Download Submit
C:\Windows\SysWOW64\28463\LIPM.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\LIPM.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\LIPM.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/1152-69-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1772-43-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/6508-47-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/6508-73-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/8456-44-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/8456-71-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads