ardamax | c2c16ebe19392e3651fe0abde3865eb7e6ffc62f4c81f13aa889e8ac565875e5

Analysis

max time kernel
149s
max time network
131s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12-07-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe
Size

1.3MB
MD5

3deb1b80bd7b6803260b0f3497991e1e
SHA1

9ed30034d9c78134feb2a445341d893f0bc4eb79
SHA256

c2c16ebe19392e3651fe0abde3865eb7e6ffc62f4c81f13aa889e8ac565875e5
SHA512

bbe266a2bf89585dceb8ec0c8942756a185aada94299a7e693e404cd7f7cd9a96eb4da0df68d39426c1ff1c3caa4d768afcf78a7c19cb41eaf3054394856192c
SSDEEP

24576:u8gmUG1W4B5aKt2VWC8ijrjsCQafDv2QrRWxme7CkYjG0ngOtA:u8jZ1W43aKtiWC8mrjsCQaz2QrRWx7Wu

Score

10^/10

ardamax discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a4d8-241.dat	family_ardamax

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55E24AD2-DA5C-C1E2-12D1-A32D214AA1BC}\stubpath = "C:\\Windows\\icsru.exe"	svchost.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0004000000004ed7-464.dat	acprotect

Executes dropped EXE 13 IoCs

pid	Process
2268	66 KIS Keys.exe
2784	YahooMessenger..exe
2764	YahooMessenger.exe
1508	YahooMessenger.exe
520	server-loggermyself.exe
2988	ar_install.exe
2972	inst_ctfmon.exe
1176	icsru.exe
2848	UILT.exe
2440	ctfmon.exe
2084	rinst.exe
2192	ctfmon.exe
1504	svchots.exe

Loads dropped DLL 47 IoCs

pid	Process
2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe
2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe
2784	YahooMessenger..exe
2784	YahooMessenger..exe
2764	YahooMessenger.exe
2764	YahooMessenger.exe
2764	YahooMessenger.exe
2764	YahooMessenger.exe
2988	ar_install.exe
2988	ar_install.exe
2988	ar_install.exe
2848	UILT.exe
2848	UILT.exe
2848	UILT.exe
2988	ar_install.exe
2988	ar_install.exe
2848	UILT.exe
2848	UILT.exe
2972	inst_ctfmon.exe
2972	inst_ctfmon.exe
2972	inst_ctfmon.exe
2972	inst_ctfmon.exe
2084	rinst.exe
2084	rinst.exe
2084	rinst.exe
2084	rinst.exe
2084	rinst.exe
520	server-loggermyself.exe
520	server-loggermyself.exe
2084	rinst.exe
2084	rinst.exe
2084	rinst.exe
2084	rinst.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
2848	UILT.exe
2784	YahooMessenger..exe
2784	YahooMessenger..exe
2784	YahooMessenger..exe
2972	inst_ctfmon.exe
3064	svchost.exe
3064	svchost.exe
3064	svchost.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2924-2-0x0000000000400000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2924-15-0x0000000000400000-0x0000000000579000-memory.dmp	upx
behavioral1/files/0x0005000000018728-114.dat	upx
behavioral1/memory/2764-133-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/files/0x000500000001985e-178.dat	upx
behavioral1/memory/2764-186-0x0000000000400000-0x00000000004C4000-memory.dmp	upx
behavioral1/memory/520-189-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1176-214-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/520-302-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1176-314-0x0000000000400000-0x0000000000439000-memory.dmp	upx
behavioral1/memory/1176-467-0x0000000000400000-0x0000000000439000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UILT Agent = "C:\\Windows\\SysWOW64\\YOF\\UILT.exe"	UILT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchots = "C:\\Windows\\SysWOW64\\svchots.exe"	svchots.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\rinst.exe	rinst.exe
File created	C:\Windows\SysWOW64\YOF\UILT.001	ar_install.exe
File created	C:\Windows\SysWOW64\YOF\UILT.006	ar_install.exe
File created	C:\Windows\SysWOW64\YOF\UILT.exe	ar_install.exe
File created	C:\Windows\SysWOW64\pk.bin	rinst.exe
File created	C:\Windows\SysWOW64\inst.dat	rinst.exe
File opened for modification	C:\Windows\SysWOW64\pk.bin	svchots.exe
File created	C:\Windows\SysWOW64\YOF\UILT.007	ar_install.exe
File opened for modification	C:\Windows\SysWOW64\YOF	UILT.exe
File created	C:\Windows\SysWOW64\svchots.exe	rinst.exe
File created	C:\Windows\SysWOW64\svchotshk.dll	rinst.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\inst_ctfmon.exe	YahooMessenger.exe
File opened for modification	C:\Windows\icsru.exe	icsru.exe
File opened for modification	C:\Windows\wltre.vbn	svchost.exe
File created	C:\Windows\ar_install.exe	YahooMessenger.exe
File opened for modification	C:\Windows\icsru.exe	server-loggermyself.exe
File created	C:\Windows\icsru.exe	server-loggermyself.exe
File created	C:\Windows\msklm.bat	server-loggermyself.exe
File opened for modification	C:\Windows\icsru.dll	icsru.exe
File created	C:\Windows\icsru.dll	icsru.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2084	rinst.exe
2084	rinst.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3064	svchost.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1504	svchots.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	520	server-loggermyself.exe
Token: SeSecurityPrivilege	520	server-loggermyself.exe
Token: SeTakeOwnershipPrivilege	520	server-loggermyself.exe
Token: SeLoadDriverPrivilege	520	server-loggermyself.exe
Token: SeSystemProfilePrivilege	520	server-loggermyself.exe
Token: SeSystemtimePrivilege	520	server-loggermyself.exe
Token: SeProfSingleProcessPrivilege	520	server-loggermyself.exe
Token: SeIncBasePriorityPrivilege	520	server-loggermyself.exe
Token: SeCreatePagefilePrivilege	520	server-loggermyself.exe
Token: SeBackupPrivilege	520	server-loggermyself.exe
Token: SeRestorePrivilege	520	server-loggermyself.exe
Token: SeShutdownPrivilege	520	server-loggermyself.exe
Token: SeDebugPrivilege	520	server-loggermyself.exe
Token: SeSystemEnvironmentPrivilege	520	server-loggermyself.exe
Token: SeRemoteShutdownPrivilege	520	server-loggermyself.exe
Token: SeUndockPrivilege	520	server-loggermyself.exe
Token: SeManageVolumePrivilege	520	server-loggermyself.exe
Token: 33	520	server-loggermyself.exe
Token: 34	520	server-loggermyself.exe
Token: 35	520	server-loggermyself.exe
Token: SeIncreaseQuotaPrivilege	1176	icsru.exe
Token: SeSecurityPrivilege	1176	icsru.exe
Token: SeTakeOwnershipPrivilege	1176	icsru.exe
Token: SeLoadDriverPrivilege	1176	icsru.exe
Token: SeSystemProfilePrivilege	1176	icsru.exe
Token: SeSystemtimePrivilege	1176	icsru.exe
Token: SeProfSingleProcessPrivilege	1176	icsru.exe
Token: SeIncBasePriorityPrivilege	1176	icsru.exe
Token: SeCreatePagefilePrivilege	1176	icsru.exe
Token: SeBackupPrivilege	1176	icsru.exe
Token: SeRestorePrivilege	1176	icsru.exe
Token: SeShutdownPrivilege	1176	icsru.exe
Token: SeDebugPrivilege	1176	icsru.exe
Token: SeSystemEnvironmentPrivilege	1176	icsru.exe
Token: SeRemoteShutdownPrivilege	1176	icsru.exe
Token: SeUndockPrivilege	1176	icsru.exe
Token: SeManageVolumePrivilege	1176	icsru.exe
Token: 33	1176	icsru.exe
Token: 34	1176	icsru.exe
Token: 35	1176	icsru.exe
Token: 33	2848	UILT.exe
Token: SeIncBasePriorityPrivilege	2848	UILT.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1504	svchots.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2848	UILT.exe
2848	UILT.exe
2848	UILT.exe
2848	UILT.exe
2848	UILT.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe
1504	svchots.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 2268	2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2268	2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2268	2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2268	2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2784	2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe	32
PID 2924 wrote to memory of 2784	2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe	32
PID 2924 wrote to memory of 2784	2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe	32
PID 2924 wrote to memory of 2784	2924	3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe	32
PID 2784 wrote to memory of 2764	2784	YahooMessenger..exe	33
PID 2784 wrote to memory of 2764	2784	YahooMessenger..exe	33
PID 2784 wrote to memory of 2764	2784	YahooMessenger..exe	33
PID 2784 wrote to memory of 2764	2784	YahooMessenger..exe	33
PID 2764 wrote to memory of 1508	2764	YahooMessenger.exe	34
PID 2764 wrote to memory of 1508	2764	YahooMessenger.exe	34
PID 2764 wrote to memory of 1508	2764	YahooMessenger.exe	34
PID 2764 wrote to memory of 1508	2764	YahooMessenger.exe	34
PID 2764 wrote to memory of 520	2764	YahooMessenger.exe	35
PID 2764 wrote to memory of 520	2764	YahooMessenger.exe	35
PID 2764 wrote to memory of 520	2764	YahooMessenger.exe	35
PID 2764 wrote to memory of 520	2764	YahooMessenger.exe	35
PID 1508 wrote to memory of 2988	1508	YahooMessenger.exe	36
PID 1508 wrote to memory of 2988	1508	YahooMessenger.exe	36
PID 1508 wrote to memory of 2988	1508	YahooMessenger.exe	36
PID 1508 wrote to memory of 2988	1508	YahooMessenger.exe	36
PID 1508 wrote to memory of 2988	1508	YahooMessenger.exe	36
PID 1508 wrote to memory of 2988	1508	YahooMessenger.exe	36
PID 1508 wrote to memory of 2988	1508	YahooMessenger.exe	36
PID 1508 wrote to memory of 2972	1508	YahooMessenger.exe	37
PID 1508 wrote to memory of 2972	1508	YahooMessenger.exe	37
PID 1508 wrote to memory of 2972	1508	YahooMessenger.exe	37
PID 1508 wrote to memory of 2972	1508	YahooMessenger.exe	37
PID 1508 wrote to memory of 2972	1508	YahooMessenger.exe	37
PID 1508 wrote to memory of 2972	1508	YahooMessenger.exe	37
PID 1508 wrote to memory of 2972	1508	YahooMessenger.exe	37
PID 520 wrote to memory of 1176	520	server-loggermyself.exe	38
PID 520 wrote to memory of 1176	520	server-loggermyself.exe	38
PID 520 wrote to memory of 1176	520	server-loggermyself.exe	38
PID 520 wrote to memory of 1176	520	server-loggermyself.exe	38
PID 2988 wrote to memory of 2848	2988	ar_install.exe	39
PID 2988 wrote to memory of 2848	2988	ar_install.exe	39
PID 2988 wrote to memory of 2848	2988	ar_install.exe	39
PID 2988 wrote to memory of 2848	2988	ar_install.exe	39
PID 2988 wrote to memory of 2848	2988	ar_install.exe	39
PID 2988 wrote to memory of 2848	2988	ar_install.exe	39
PID 2988 wrote to memory of 2848	2988	ar_install.exe	39
PID 2988 wrote to memory of 2440	2988	ar_install.exe	40
PID 2988 wrote to memory of 2440	2988	ar_install.exe	40
PID 2988 wrote to memory of 2440	2988	ar_install.exe	40
PID 2988 wrote to memory of 2440	2988	ar_install.exe	40
PID 2988 wrote to memory of 2440	2988	ar_install.exe	40
PID 2988 wrote to memory of 2440	2988	ar_install.exe	40
PID 2988 wrote to memory of 2440	2988	ar_install.exe	40
PID 2972 wrote to memory of 2084	2972	inst_ctfmon.exe	41
PID 2972 wrote to memory of 2084	2972	inst_ctfmon.exe	41
PID 2972 wrote to memory of 2084	2972	inst_ctfmon.exe	41
PID 2972 wrote to memory of 2084	2972	inst_ctfmon.exe	41
PID 2972 wrote to memory of 2084	2972	inst_ctfmon.exe	41
PID 2972 wrote to memory of 2084	2972	inst_ctfmon.exe	41
PID 2972 wrote to memory of 2084	2972	inst_ctfmon.exe	41
PID 2084 wrote to memory of 2192	2084	rinst.exe	42
PID 2084 wrote to memory of 2192	2084	rinst.exe	42
PID 2084 wrote to memory of 2192	2084	rinst.exe	42
PID 2084 wrote to memory of 2192	2084	rinst.exe	42
PID 2084 wrote to memory of 2192	2084	rinst.exe	42

C:\Users\Admin\AppData\Local\Temp\3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3deb1b80bd7b6803260b0f3497991e1e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Users\Admin\AppData\Local\Temp\66 KIS Keys.exe
  "C:\Users\Admin\AppData\Local\Temp\66 KIS Keys.exe"
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Users\Admin\AppData\Local\Temp\YahooMessenger..exe
  "C:\Users\Admin\AppData\Local\Temp\YahooMessenger..exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\YahooMessenger.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\YahooMessenger.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\YahooMessenger.exe
      "C:\Users\Admin\AppData\Local\Temp\YahooMessenger.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:1508
    - - C:\Windows\ar_install.exe
        
        "C:\Windows\ar_install.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\SysWOW64\YOF\UILT.exe
        
        "C:\Windows\system32\YOF\UILT.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2848
      - C:\Users\Admin\AppData\Local\Temp\ctfmon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ctfmon.exe"
        6⤵
        Executes dropped EXE
        
        PID:2440
    - - C:\Windows\inst_ctfmon.exe
        
        "C:\Windows\inst_ctfmon.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2972
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\rinst.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\rinst.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\RarSFX1\ctfmon.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\ctfmon.exe"
        7⤵
        Executes dropped EXE
        
        PID:2192
        
        C:\Windows\SysWOW64\svchots.exe
        
        C:\Windows\system32\svchots.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: SetClipboardViewer
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} about:blank
        8⤵
        
        PID:2176
  - - C:\Users\Admin\AppData\Local\Temp\server-loggermyself.exe
      "C:\Users\Admin\AppData\Local\Temp\server-loggermyself.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:520
    - - C:\Windows\icsru.exe
        
        C:\Windows\icsru.exe c
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
      - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3064
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Windows\msklm.bat" "
        5⤵
        
        PID:776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\66 KIS Keys\[email protected]

Filesize
1KB

MD5
41c7672ef78ed972b80efa57e25ce6d9

SHA1
e2ec0a243d78271a81c7ca60bc7f599ec8caacbe

SHA256
5137679924d4143c215f70ac16a6b34c2bd55d3fcadacc856c6012f596fb6aea

SHA512
5271bbee9d716d354afdae2e868fd80d9aed033748f47b6806065b52fa98e68fea8d474f0a31b596ec5f21bcc13ead7eae729c9f96ea61e1253cc7b8715112d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\66 KIS Keys\KIS 2008 - egydown.com (11).KEY

Filesize
2KB

MD5
ca878c194bf335fd5e380968f6a7c119

SHA1
3194a8b85e8bd53e6aa46aac0b90647b0260d00e

SHA256
db0145bc882f45313930d17032253662278bb928253c63304f76426efbdc0bd0

SHA512
4d10913679113a1970cda3afe3c298756b2d1514b26063853c69b1d917b2461fb0b054f9c0284c790f6ae17957c40d5b09433463bc00c015bd62a50df84a0fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\66 KIS Keys\KIS 2008 - egydown.com (12).KEY

Filesize
2KB

MD5
468f6828ccd53e285dc1fafbe31d5e13

SHA1
3539a312063ddb9bff998852944f87641776b6ea

SHA256
f7909d3f4b5af822a2bcb1de385c48113ae3964e2814ecf67bc7adbc46b4171f

SHA512
b05a04567f956369abd0fbc087ebb95bf7be3c8d84bf7d157486269efa8129e1c2e9d6138dca2d844c81280c896d503a9eb2cd20c4b26871629728f5deecca96

Download Submit
C:\Users\Admin\AppData\Local\Temp\66 KIS Keys\KIS 2008 - egydown.com (13).KEY

Filesize
2KB

MD5
6bd2660ed991cbf5bc2b3b376a0ac903

SHA1
615b0404c85e372c85ff7a7b4d68165823046b78

SHA256
253bb9ba7eed1c543cf0b6aac12e914631362a8844769c074085f57da751f4e3

SHA512
6f6bef76246175ccc468e7fe054e6fadeba58e78e147740d6f9f040e3ecdff0e6f243cbfaa9c447abd809dc1879cf1f33afb686cbe7f7a90852a08762faf4544

Download Submit
C:\Users\Admin\AppData\Local\Temp\66 KIS Keys\KIS 2008 - egydown.com (14).KEY

Filesize
2KB

MD5
64b652a743875ad4e6bf965da623e087

SHA1
b93729e73782dd766e975c672b43a70cd4f0ccf0

SHA256
2056ee3f175d1e7e43ca193a70f2b3deaf702e253a0e93854a5182608f9f93ad

SHA512
629327adbfa415723ce869c0c5d6ab0816501f4ba1ef1e18e16a8d6c88b859c9d936457b8866f0647e5569085789eb61620916e131ec7e4cd8258cbe4cc142e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\66 KIS Keys\KIS78_20081128_0394D89E.KEY

Filesize
1KB

MD5
ad78f0d676f6bea2baa61a3ca5cd5efa

SHA1
d8f6c708292abaf7aa0bb6b26c42c1e10b743a08

SHA256
0b601f223bc34b21b2d8ddd576bed436dfaf18594861b6a7e90430b2de9f40e4

SHA512
176f1765f54aa18c4c34ab1715795ab5dadbd91ab9d36f7f880526b87196bbe80fec95c5bcc75686827ae977edde65b1972ed05608b5b3fd59c2a74a166bc309

Download Submit
C:\Users\Admin\AppData\Local\Temp\66 KIS Keys\KIS7_20080722_0379ED0E.KEY

Filesize
1KB

MD5
0168612f4e89c3cce2c180c83e66674e

SHA1
459b905bce30d1602c89419e4207c5b349688175

SHA256
6c93afa7162839b04241f2a6fc7585245b3e7cdaa6c4193d4e51240450b80706

SHA512
7ede3933801e8ca49fd522b3c8951757f4613d3cd83d85182ffeb57228dafc8308d4f3605882055073c37f31f59c4052b35b46d4f642a5fba7988750766b3195

Download Submit
C:\Users\Admin\AppData\Local\Temp\66 KIS Keys\KIS8_20090629_03BB33E7.KEY

Filesize
2KB

MD5
053171209b5219f8b6709c06309929ae

SHA1
fb114c8ab53d2f8368821ef11b64fffeda436aff

SHA256
d9aeb9f34a4d8ddc467386eb83bf020a93171808ffb4de8de9ad6740cd779a67

SHA512
bcec5497f5c1ed9bbb6af3b299e46c9f6829de41cd3d4ff51b8ce55778f0c33254787d428513e6898870bfaf0554e3fb08b51b71b4fcf0a352edacbede8909ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\inst.dat

Filesize
1KB

MD5
11ffacd522885e2d4645eb836c9a75e3

SHA1
74f5fd02421615d02cda770666191d07e35d5f06

SHA256
b970efdf7a35305285a81cb7c93630680e3c4c395da25e13b61aae9a063558c9

SHA512
1bf7254d196c6d180b682851a9dc6d4d17ec2e0c13dee319b460d23d13ed61c86c61e00818d8ddbdfb72bfe899c3d5997aeb1aa9691d0b5661cbef9572a32bfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\pk.bin

Filesize
7KB

MD5
09bb125ba6fefd2094218121b5935572

SHA1
fb7d1366c31f87467fd23e25546611cade20fdea

SHA256
413aab1542e3b82c47682a826f1fbabb57f67cd6f17a1a9ffbf94fb2608d906c

SHA512
beb1d5f36b3d8a4ac4267accefacb20866fca870dd322b6d98f574e2260c65caddf0fc4d7187ef7f163dd06be365edffabf303e9d94badb369e65cfeed8e1282

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\svchots.exe

Filesize
404KB

MD5
0c9b3ed8d4103465b06cdbaadb1f0bdc

SHA1
ca2ac7aa8fdd6dd00b1baa2b136afc97040cecd4

SHA256
18aebca8a04235c238a9d39ccd79c898202e5de7877b22fc80e5dab63eef4951

SHA512
b4e786f40144a7f7cfc5b14fa86e1d8264d81838e29af1f87e2e7b2b9b2b4c349b86a477866345a1fa8a5fb7c3480d3141811a2b8ccf8a82e9a6dac66db39673

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\svchotshk.dll

Filesize
21KB

MD5
d3a6f7e82f7fa5abfe48a93315eef72a

SHA1
8e962ef850bbc78b11ee6db13a632aef2243c1ef

SHA256
cf27ac55480fb95cd2a6ccbff8cb86bf264d2d519a1c4bd7686869f8a731abf8

SHA512
f5fe80d1c3e250bd6331af12db752b98383ae9fefa5173127c2c0af98c4172e56251b19414d0296302b547c9cafc4034a0a3a64356ff9329988fb1b88870422c

Download Submit
C:\Users\Admin\AppData\Local\Temp\YahooMessenger..exe

Filesize
789KB

MD5
e0b36d28d3bae9cee2c60643587d7cac

SHA1
8885d0dfa5724527cd9ce5773b1d7cca4077eb92

SHA256
29a0db83897d8d11fe391099643ab8ea3aeafa8637e70f3322a90a39901d07f8

SHA512
a2f869575faa2b961c8d6bbb4b3c1b946afcb6660335dd705965e6ffdaee33e7dd0adc7d6c56bbb39ba0a38a2ca8eeb3edcb0a67998b1a32284585f088f8c635

Download Submit
C:\Users\Admin\AppData\Local\Temp\YahooMessenger.exe

Filesize
596KB

MD5
07d0dae9e5630861413691ca6f307622

SHA1
962c9cb0e8f7cf92c7a2e2e17e980815e212d154

SHA256
ba7f02a17704b1cd42b6fde7b1879ec2f64afbd0e5420478194c97a3d6442bc2

SHA512
e1c12cc13e95330ade03bc42d1e22c16a1e4f798adeef9cf8d3826c32b07a724bd50bc966079c22e063f67925c5f9e007725020c6e4ec9896a9ce2751222f5df

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfmon.exe

Filesize
15KB

MD5
24232996a38c0b0cf151c2140ae29fc8

SHA1
b36d03b56a30187ffc6257459d632a4faac48af2

SHA256
d2fed8ccae118f06fd948a4b12445aa8c29a3e7bb5b6fe90970fbc27f426f0b0

SHA512
c7b855a664d3359c041c68dffe75c118f9b6cef6c91f150686fb51ad63c1b7daa1b37c0a5de04ec078646f83a2bdea695d7d5e283e651135624208c04dc1cab1

Download Submit
C:\Windows\SysWOW64\YOF\UILT.001

Filesize
578B

MD5
b7663ec1689745f3236ae6dd778d271e

SHA1
285043cafe8d36808795d41e838a44fd54ed5c9d

SHA256
d168e6b7f7bdf811008a112ac5a5313a8b80af1d0df862e7158c992ea4f8b364

SHA512
89ae6a7570fb62906a4af672f5f730acef30f4f66e84fd63963598118bd96e1e0f2f6005a1f3fa7d9934d34e69e3b02405e5e6a7f853b5e0f89a3512a4b9c4d4

Download Submit
C:\Windows\SysWOW64\YOF\UILT.006

Filesize
8KB

MD5
1acf05c81017fb2a272d9c10caeb67f9

SHA1
e782df7f04a0146cec392f2200379fc42a4a74ad

SHA256
fa5e1d9a2240a678a99a0a11b1d49d6c692bc3ef24a0a1f2cc8f85c1d4e5a894

SHA512
c64e5b9c43af483c551b2fd4e143517c79cdef5b4144258f8964695dae3d0e3689194f0be5500369b19d666d0a08b46e15662bc8f1c51e314eee8af54cccb1c3

Download Submit
C:\Windows\SysWOW64\YOF\UILT.007

Filesize
5KB

MD5
1f154a8e3d92b44b66de52ea426c772d

SHA1
5cca6e4b88dafa2caae56ad98df6ca4bdabbd92f

SHA256
6e08d5b0986bd2f6a9f7a981a6d951b9e6b71616ec894a9a3b40a0c12ceb3b95

SHA512
06501a567500a05082d03818d33d49f3bf7afcdd5ea6e68ed37f09ed4fe6a945f2e86ce418a86a98d42d436d4b76ffaef2434642c8f2fb24f2f445797e5e8c55

Download Submit
C:\Windows\ar_install.exe

Filesize
298KB

MD5
8b9935e635a508afa6ecc522d2e98f75

SHA1
2266b8da85fcf058b345a2d613d1ef9860a0cb52

SHA256
9ba7a0b29b1d119cfdedda7d0edb940ae2021ad0996e478b11f3b71b94adf1ca

SHA512
405b904aaa882e7887704bd16b8d2146b97ad33534aaf408269721f092c021eb96136841df807f13144b08a04db4c495703971c17dec3ede84e62677d2556e4f

Download Submit
C:\Windows\icsru.dll

Filesize
86KB

MD5
0f19f3bd9863df715c1456ae5a30372f

SHA1
2ac8ee46c9fba6b2fc605748778f80f957f1e607

SHA256
8fd57133aa41acd1874623e9b809e4e977f136735aea50dd2b24da13176f10f4

SHA512
125d24adba32fe4827944f51eb712035928b186563590033ac1ebf3b2d8a308bd78521c0dede482a8775a3ea82dd3dada3d92f18594bc932f8c985dab1ce8dd1

Download Submit
C:\Windows\inst_ctfmon.exe

Filesize
278KB

MD5
82844572ec3f7763ef1dca7881eb6783

SHA1
7d7ee81b263da2babcc778beb97a809508a64926

SHA256
a65c858866f4e3855e0f16ff4ed907ee61a80c89b2d51b957a8fabd2e3aa206f

SHA512
dffb6d237a74252d0c0a43c7f2b71fb2e2e8d44e4b081a5a60dbb9d9d83829abfb41b5825e2e79e8c7b727f02b4e09c43b3ef83ab5f97413d4993263fcd48a90

Download Submit
C:\Windows\msklm.bat

Filesize
154B

MD5
d20205b6852e04ce262f33ba6af56c25

SHA1
4b9390404bea0a37760fe5546feb08f0094fb3c7

SHA256
99240e280cb244065790ffdb2149ae865fe74e7803a9585f65e42efe908013d2

SHA512
284e5053c3a45c70dff302ad6466bab4a08a6543bea9fab156ef5079fb06fac8e5e5364e19245e06ad39d042cc6177faaa53618d5de7917985ea7a55cdebeff8

Download Submit
C:\Windows\wltre.vbn

Filesize
134B

MD5
7723728afe8174b2dd19247433083d61

SHA1
13e347252fdbeb01fbdaa5245aacbcbc238cd839

SHA256
0634fd9d72b8b7cae5887083955f1d3fc309f32d98994a0b3b5ab5ded7f20cce

SHA512
3c13cb64023e4991014f4f22eb3f6b61e8bbc61b78ef5b2900ee18842e3fecb34deaf21f28e53816fd70284c54090b7e985ba3c9f6166d477a60317a32232133

Download Submit
\Users\Admin\AppData\Local\Temp\66 KIS Keys.exe

Filesize
566KB

MD5
c31d7497253001efd27bced8a4838242

SHA1
4eb51446b657ef47bbfea8de47b7cf88ec170f96

SHA256
835ca6a83ff422de571141dde96712de9f160c99881997b993037878b5429c03

SHA512
f1a0b07a5f526482db14939e3465cf0252f91cf68b074c0db291f8a6cdd788733cccc5fcaff8eef755d82eb7987de062dbd85b6680e0752e9a17395e6de6c3d1

Download Submit
\Users\Admin\AppData\Local\Temp\@F94D.tmp

Filesize
4KB

MD5
0850d0451f7b387627be1d8448d4e8cc

SHA1
f7f346dbb9399a5f3c1e783c66bc82b7110d6f32

SHA256
d0f4b9b1c98c68a583e99af328f25220072bf99350407f4d8168cc15714ed9e1

SHA512
bb403196ff80b8971486d4a71246de4d4e4b1bbea4505940574ce2d375bc1d55a5ba7606bba9d4b726ad3ef3fe89a1ed377d6d984f2f08fa1f938694fb2f6535

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\YahooMessenger.exe

Filesize
709KB

MD5
deae6bccbeb90c080f39de346552405c

SHA1
b3dda0a81fbeb30aedc18d7bbe2456b15f79d685

SHA256
669ef4b5c02de238125c8b9d6355220e450e717798ffcb8c58bfc1a084b837cf

SHA512
305186b0f3f668841269e0998a1f5d34c697734192a62f1a631dbf6f22d4e073007751a8ebd697d88491f06a8257c6cfe770cca35bd5e2430c8e91e29fb1627e

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\rinst.exe

Filesize
22KB

MD5
9a00d512f9e1464ad793702cf2b1eda0

SHA1
39a47a90cd3dd132dbab9f5052dda38dbd7c63f6

SHA256
98d257f639ee9df968f77b1f66c78230d07d86e58a7ddf0d306a24af3873dc5b

SHA512
18604f20351db1d418f48f2eb023be07588754b428b5d6abb0a7c40d6bf174ce7dcab2ae6e06f22585e12f1bfdb6e408b17bf20e2a7ba137620002ac04b8b4ba

Download Submit
\Users\Admin\AppData\Local\Temp\server-loggermyself.exe

Filesize
107KB

MD5
c7b6508fd767776a3ffa08f8dc45fe91

SHA1
eb588a747e27053c21350279851ee13da039e5fd

SHA256
1368226f2adf7137b5d7a503e5c6b769ca1982250b9b4366181979215757351e

SHA512
afce422c2118277fa158daaa156f09140ca3bb24bbc4f6fb5eb9643bef0d1387080f84ce2813da40cb2dbc417f6871023b8685f699dbc292b6e053cf8675476b

Download Submit
\Windows\SysWOW64\YOF\UILT.exe

Filesize
540KB

MD5
3fcec6436ceefe496759d5d95a72946d

SHA1
90741b60963323ccff6aacc4f9a4e947967f3c65

SHA256
e9f4f9a93da9c4977f330450aa485665789b5f0d422ede2e67237c64eb975434

SHA512
44c675bc06b036c64f364db3198db29a8affce246006f8d51cd8de45c131de575ded4d5e1aefeeccd8c82d52529a3b312379ea524b7e49d662249a61c71aab06

Download Submit
\Windows\SysWOW64\svchots.exe

Filesize
404KB

MD5
2f5d609d4500a45255b90ce7b8f7d3c0

SHA1
085cb5756eb14c645b190da6d86c9689f0143b7b

SHA256
3afba7546ef28d94b4ec8842f390d9a91e550b739e4c90927f7887903fc34cf5

SHA512
87c482bfa3aafff1e9cb5f52aeeb95e6af4053ffb3eb0240ff9d5336e19720c7b4dd983af2a2847cc61520cac9b4fc7f25a720329164c33d69fc0958b2d3dcff

Download Submit
memory/520-208-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/520-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/520-213-0x0000000000260000-0x0000000000299000-memory.dmp

Filesize
228KB

Download
memory/520-189-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1176-214-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1176-314-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1176-467-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1176-323-0x0000000010410000-0x000000001044C000-memory.dmp

Filesize
240KB

Download
memory/1508-197-0x0000000000400000-0x000000000049C000-memory.dmp

Filesize
624KB

Download
memory/2268-166-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2764-186-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2764-133-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2784-127-0x00000000032C0000-0x0000000003384000-memory.dmp

Filesize
784KB

Download
memory/2784-312-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/2784-128-0x00000000032C0000-0x0000000003384000-memory.dmp

Filesize
784KB

Download
memory/2924-2-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2924-15-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2972-313-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3064-324-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/3064-330-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/3064-339-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download