ardamax | 9181d5fefe749fda5ef2f64e22b2b3ef0744b48dfefd2c14ac780c9c3f0b37a6

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe
Size

1.6MB
MD5

a7013195b8247cbd78831f8401912d27
SHA1

59d0c0b692c149d00e3ceb6c4cb877a67e1783af
SHA256

9181d5fefe749fda5ef2f64e22b2b3ef0744b48dfefd2c14ac780c9c3f0b37a6
SHA512

68a362b659c2fe23f0ed2785b2dbdda96b25ffa1c66fdfc7dd62782e856b2687dcce9faab93297b0fc37ddbc5e9481aea5f87f0954aa3ebc7e1ae570a4babdae
SSDEEP

24576:RVgxh339yktt1Pa+YhV5+cdYGebiAM4sZoDHJrv7BfI1cZIV1J1SkriU2iuLngAY:Xg/9yYtVlYhPj4Hd9fVZUiKangAwbz

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d21-35.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
344	Install.exe
928	DupeMuAwaY.exe
2380	OPWG.exe

Loads dropped DLL 16 IoCs

pid	Process
2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe
344	Install.exe
344	Install.exe
344	Install.exe
344	Install.exe
2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe
2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe
344	Install.exe
344	Install.exe
2380	OPWG.exe
2380	OPWG.exe
2380	OPWG.exe
2380	OPWG.exe
2380	OPWG.exe
928	DupeMuAwaY.exe
928	DupeMuAwaY.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OPWG Agent = "C:\\Windows\\SysWOW64\\28463\\OPWG.exe"	OPWG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	OPWG.exe
File created	C:\Windows\SysWOW64\28463\OPWG.001	Install.exe
File created	C:\Windows\SysWOW64\28463\OPWG.006	Install.exe
File created	C:\Windows\SysWOW64\28463\OPWG.007	Install.exe
File created	C:\Windows\SysWOW64\28463\OPWG.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OPWG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DupeMuAwaY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Kills process with taskkill 30 IoCs

evasion

pid	Process
2744	taskkill.exe
788	taskkill.exe
2708	taskkill.exe
2576	taskkill.exe
2184	taskkill.exe
1576	taskkill.exe
2832	taskkill.exe
2096	taskkill.exe
1160	taskkill.exe
2836	taskkill.exe
2604	taskkill.exe
1904	taskkill.exe
1772	taskkill.exe
2816	taskkill.exe
2460	taskkill.exe
1672	taskkill.exe
2172	taskkill.exe
768	taskkill.exe
2316	taskkill.exe
264	taskkill.exe
2156	taskkill.exe
1700	taskkill.exe
480	taskkill.exe
2788	taskkill.exe
2844	taskkill.exe
2360	taskkill.exe
2780	taskkill.exe
2852	taskkill.exe
2924	taskkill.exe
564	taskkill.exe

Modifies registry key 1 TTPs 12 IoCs

Modify Registry

T1112

pid	Process
3472	reg.exe
1672	reg.exe
1264	reg.exe
2556	reg.exe
3296	reg.exe
3356	reg.exe
3460	reg.exe
1144	reg.exe
2148	reg.exe
860	reg.exe
3480	reg.exe
3500	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	788	taskkill.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	2172	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	480	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	2788	taskkill.exe
Token: SeDebugPrivilege	2816	taskkill.exe
Token: SeDebugPrivilege	2844	taskkill.exe
Token: SeDebugPrivilege	2852	taskkill.exe
Token: SeDebugPrivilege	2576	taskkill.exe
Token: SeDebugPrivilege	2744	taskkill.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeDebugPrivilege	2708	taskkill.exe
Token: SeDebugPrivilege	1904	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	2460	taskkill.exe
Token: SeDebugPrivilege	2924	taskkill.exe
Token: SeDebugPrivilege	2096	taskkill.exe
Token: SeDebugPrivilege	1576	taskkill.exe
Token: SeDebugPrivilege	564	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	2316	taskkill.exe
Token: SeDebugPrivilege	1772	taskkill.exe
Token: SeDebugPrivilege	2360	taskkill.exe
Token: SeDebugPrivilege	2832	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	264	taskkill.exe
Token: 33	2380	OPWG.exe
Token: SeIncBasePriorityPrivilege	2380	OPWG.exe
Token: SeDebugPrivilege	1700	taskkill.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe
928	DupeMuAwaY.exe
2380	OPWG.exe
2380	OPWG.exe
2380	OPWG.exe
2380	OPWG.exe
2380	OPWG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 788	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	30
PID 2524 wrote to memory of 788	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	30
PID 2524 wrote to memory of 788	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	30
PID 2524 wrote to memory of 788	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	30
PID 2524 wrote to memory of 1160	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	31
PID 2524 wrote to memory of 1160	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	31
PID 2524 wrote to memory of 1160	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	31
PID 2524 wrote to memory of 1160	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	31
PID 2524 wrote to memory of 2240	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2240	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2240	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2240	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	34
PID 2524 wrote to memory of 2172	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	35
PID 2524 wrote to memory of 2172	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	35
PID 2524 wrote to memory of 2172	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	35
PID 2524 wrote to memory of 2172	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	35
PID 2524 wrote to memory of 768	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	36
PID 2524 wrote to memory of 768	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	36
PID 2524 wrote to memory of 768	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	36
PID 2524 wrote to memory of 768	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	36
PID 2524 wrote to memory of 480	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	38
PID 2524 wrote to memory of 480	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	38
PID 2524 wrote to memory of 480	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	38
PID 2524 wrote to memory of 480	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	38
PID 2524 wrote to memory of 2788	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	41
PID 2524 wrote to memory of 2788	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	41
PID 2524 wrote to memory of 2788	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	41
PID 2524 wrote to memory of 2788	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	41
PID 2524 wrote to memory of 2816	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	43
PID 2524 wrote to memory of 2816	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	43
PID 2524 wrote to memory of 2816	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	43
PID 2524 wrote to memory of 2816	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	43
PID 2524 wrote to memory of 2780	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	44
PID 2524 wrote to memory of 2780	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	44
PID 2524 wrote to memory of 2780	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	44
PID 2524 wrote to memory of 2780	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	44
PID 2524 wrote to memory of 2680	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	45
PID 2524 wrote to memory of 2680	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	45
PID 2524 wrote to memory of 2680	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	45
PID 2524 wrote to memory of 2680	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	45
PID 2524 wrote to memory of 2708	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	47
PID 2524 wrote to memory of 2708	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	47
PID 2524 wrote to memory of 2708	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	47
PID 2524 wrote to memory of 2708	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	47
PID 2524 wrote to memory of 2852	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	48
PID 2524 wrote to memory of 2852	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	48
PID 2524 wrote to memory of 2852	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	48
PID 2524 wrote to memory of 2852	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	48
PID 2524 wrote to memory of 2836	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	50
PID 2524 wrote to memory of 2836	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	50
PID 2524 wrote to memory of 2836	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	50
PID 2524 wrote to memory of 2836	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	50
PID 2524 wrote to memory of 2604	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	53
PID 2524 wrote to memory of 2604	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	53
PID 2524 wrote to memory of 2604	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	53
PID 2524 wrote to memory of 2604	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	53
PID 2524 wrote to memory of 2844	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	56
PID 2524 wrote to memory of 2844	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	56
PID 2524 wrote to memory of 2844	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	56
PID 2524 wrote to memory of 2844	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	56
PID 2524 wrote to memory of 2744	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	57
PID 2524 wrote to memory of 2744	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	57
PID 2524 wrote to memory of 2744	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	57
PID 2524 wrote to memory of 2744	2524	a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe	57

C:\Users\Admin\AppData\Local\Temp\a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a7013195b8247cbd78831f8401912d27_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1160
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2240
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2172
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:768
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:480
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2788
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2816
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2680
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:860
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2852
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2604
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2844
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2148
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2640
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2696
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3032
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1076
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:1144
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:344
- - C:\Windows\SysWOW64\28463\OPWG.exe
    "C:\Windows\system32\28463\OPWG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2380
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im egui.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1904
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ekrn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2184
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Panda anti-virus service"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2380
- - C:\Windows\SysWOW64\net.exe
    net stop "Panda anti-virus service"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1912
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Panda anti-virus service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1228
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im ApVxdWin.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2460
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im AVENGINE.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2924
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im pavsrv51.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:564
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im psimreal.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im PsImSvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1576
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im WebProxy.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:264
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v APVXDWIN /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3356
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcagent.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcdash.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2316
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mghtml.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2832
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcmnhdlr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2096
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsshld.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1772
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im McVSEscn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im mcvsftsn.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:860
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCAgentExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2280
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v McRegWiz /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3480
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v MCUpdateExe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v CleanUp /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3460
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- - C:\Windows\SysWOW64\reg.exe
    reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v VirusScan Online /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3500
- C:\Users\Admin\AppData\Local\Temp\DupeMuAwaY.exe
  "C:\Users\Admin\AppData\Local\Temp\DupeMuAwaY.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:928

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "211163934212610108901124670909134447723220970327781032053891-1835949761-1945305571"
1⤵
PID:1076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1109168031-21176020891789254046621124059-14654059646753456120951861441708490969"
1⤵
PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\DupeMuAwaY.exe

Filesize
72KB

MD5
65af515a752fc159c5cbc424b99889dc

SHA1
daf1e0363008df36b040326116d93c06433c99a4

SHA256
488476029d16d4a2891e10bf8de91c70d4c6bc901cce8807f3fe58326dc3f328

SHA512
e2137ea0cbd321423dcd8c504996a367694a8bdbc39063cb49ee4a31a80ba1b830c2c3ad1b99e7f67ce2e9f09740c96e204ebe4b5fa896dff3e31757ee723f8b

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
b0b09699ea39c0107af1c0833f07c054

SHA1
b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

SHA256
be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

SHA512
55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Download Submit
C:\Windows\SysWOW64\28463\OPWG.001

Filesize
528B

MD5
0cf722506f9b3b92de375dd71115c5ff

SHA1
c7781c3507a3b6e8b28f48eedf083b23d974aad3

SHA256
88bc17f4225af97fa59944deae318428237998f332ef54406b5cd36fef09537d

SHA512
b317b63f04123fc53932701cdba365c0a8380edd8ff6f5bba79da60e10c6eda54a7895efde311e7220aa9fd6d9c07bc1828cd25bfd1606eb8f2227e4760f38c9

Download Submit
C:\Windows\SysWOW64\28463\OPWG.006

Filesize
7KB

MD5
e0fcfa7cad88d1a8a462cee6b06cf668

SHA1
a7e49078517abc929a6da261df06556c8f5a8cf0

SHA256
340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

SHA512
430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

Download Submit
C:\Windows\SysWOW64\28463\OPWG.007

Filesize
5KB

MD5
ca72cd485d116033f1b776903ce7ee0a

SHA1
85b0b73a75b0498f56200dd1a5cf0de5371e42a3

SHA256
e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

SHA512
8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

Download Submit
\Users\Admin\AppData\Local\Temp\@C311.tmp

Filesize
4KB

MD5
908f7f4b0cf93759447afca95cd84aa6

SHA1
d1903a49b211bcb4a460904019ee7441420aa961

SHA256
3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

SHA512
958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
478KB

MD5
ee131df0325ba0e536e14fab3c2af5b5

SHA1
a718f36b6bfac1d799402724ee661f9627043913

SHA256
fccb33818ba029225e1dc9c05ba01cedda4982c81e0e7c77297a6428b0e1c3ff

SHA512
b44935a0d60d74a5ba7f555c98dfc23b36c65220764ed52f1ba3c757a0c8f50716dd9021e9795edbbb02012e416843d319d059e1a7bc9ef25d112fba68c310f4

Download Submit
\Windows\SysWOW64\28463\OPWG.exe

Filesize
472KB

MD5
7ca78f42e7c88f01fb7fd88321b283ff

SHA1
8f6fb4e3f5b696cac4fd54490d5f8c1862d0bb6b

SHA256
2354f408b272232ea4bb74d17d22a4332b97f1003fb9bace174a9811f2b41729

SHA512
06e822f04a4657b492a485b5a542e5c8400060abf7e71020d17965fee11f1f7c0807e32b5f9426a4fb9b4d7dd05a68ae871e5fef0807e24204351ebe569eb4ca

Download Submit
memory/2524-46-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2524-42-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2524-1-0x0000000000780000-0x0000000000842000-memory.dmp

Filesize
776KB

Download
memory/2524-2-0x0000000000401000-0x0000000000407000-memory.dmp

Filesize
24KB

Download
memory/2524-0-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads