Analysis Overview
SHA256
f65a6c764b773dbe55a8dc0b5a992b55e0b3621bf11081ffb273d71eece10641
Threat Level: Known bad
The file 6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Ardamax main executable
Ardamax
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Checks installed software on the system
Adds Run key to start application
Drops file in System32 directory
Unsigned PE
Program crash
Enumerates physical storage devices
System Location Discovery: System Language Discovery
NSIS installer
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-24 08:00
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-24 08:00
Reported
2024-07-24 08:02
Platform
win7-20240704-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Ardamax
Ardamax main executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\KGCU Agent = "C:\\Windows\\SysWOW64\\28463\\KGCU.exe" | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OTKQ Agent = "C:\\Windows\\SysWOW64\\28463\\OTKQ.exe" | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| Token: 33 | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe"
C:\Windows\SysWOW64\28463\KGCU.exe
"C:\Windows\system32\28463\KGCU.exe"
C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
C:\Windows\SysWOW64\28463\OTKQ.exe
"C:\Windows\system32\28463\OTKQ.exe"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\minecraft.jar"
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe
| Hash | Value |
|---|---|
| MD5 | a5f59c67e5389f26d603a3480300522c |
| SHA1 | 02b58320d4992933538c5ce758156a7d55772344 |
| SHA256 | cb5560d6115f7a5b198f46ac38b959bb06c0a782afbd29c22349389c2c77bf3a |
| SHA512 | 0537c9cb587135dbf208160fb52db578a4e02fd7f556e69604f2ec0c1d4162790a0dc3377674addee5a5fcb7eb9f9970b3dc22e348c47d180195dd441dfc2163 |
\Users\Admin\AppData\Local\Temp\@E070.tmp
| Hash | Value |
|---|---|
| MD5 | 25530555085337eb644b061f239aa9d4 |
| SHA1 | 8d91e099aba5439d4bfa8bce464c94e3e1acf620 |
| SHA256 | 3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325 |
| SHA512 | b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a |
\Windows\SysWOW64\28463\KGCU.exe
| Hash | Value |
|---|---|
| MD5 | 97d8ad45f48b4b28a93aab94699b7168 |
| SHA1 | 8b69b7fd7c008b95d12386f6da415097e72151de |
| SHA256 | 661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331 |
| SHA512 | 3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a |
C:\Windows\SysWOW64\28463\AKV.exe
| Hash | Value |
|---|---|
| MD5 | d63cc8679a63448db1c64252e14e4ab5 |
| SHA1 | 10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e |
| SHA256 | 29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d |
| SHA512 | cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768 |
C:\Windows\SysWOW64\28463\KGCU.chm
| Hash | Value |
|---|---|
| MD5 | 4cacfe8589b381143e7436a67138bd6b |
| SHA1 | 9b32ec887ccf78e89b647c7b2d0d8f714b4f57cf |
| SHA256 | fc790cdfa6002c81b16af111100286e601c93490485df0a394c8f462e838103a |
| SHA512 | fa0988c0cb2315e614d5467c6c92694b9347c4044d8e9152430adad893e39a55b6470b94a8d21bb0fed74630b68ddbf6073e2e1c879869abebe0be6f78dd404b |
C:\Windows\SysWOW64\28463\KGCU.007
| Hash | Value |
|---|---|
| MD5 | e9fbdcc2f5fb657fa519b3f5c69fc52d |
| SHA1 | c49cca77b46a59d620711de7564d43e5dafcd2b5 |
| SHA256 | cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4 |
| SHA512 | 913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1 |
C:\Windows\SysWOW64\28463\KGCU.006
| Hash | Value |
|---|---|
| MD5 | 81e20f4361cf8f5a57812871c24d945e |
| SHA1 | 5d7877d6959ab26599b05795a71633f00c37a3da |
| SHA256 | e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d |
| SHA512 | 69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818 |
C:\Windows\SysWOW64\28463\KGCU.004
| Hash | Value |
|---|---|
| MD5 | 1e9efc9747213f87a89eefb656d221a1 |
| SHA1 | beaa459418de39ded935109cdfc6ef1c9924cad0 |
| SHA256 | fb38bfcf3c9067cf387311b10ba5a817e2016dba5e00ff4a144218e5bab78fac |
| SHA512 | 7c8d344eb920f5c494fa835b8ff49d6074caa3bed09438244c51b787cc3cb3508807160976b8087e400e29056978bb6ee3172c23120a22eabb950aaa5a2320b0 |
C:\Windows\SysWOW64\28463\KGCU.001
| Hash | Value |
|---|---|
| MD5 | 5c1f64b94ca19c5f180da89e8d760391 |
| SHA1 | 7fdc5d16777994203ae0f65c8a7bc371211c55d4 |
| SHA256 | a7bf4e3713d5e8f378bb395eeea9740b241fd5ae56d7fbf50d1312cf34bf37c1 |
| SHA512 | d9f92ca7e2bd728cc3bcc016d41b787c90b98b7ff249414ac2b19583b9a6e17f37c9a56c3338a210edfeda480d3696f1e6233978c654ad74f7f17039fc5addc0 |
memory/2732-41-0x00000000001E0000-0x00000000001E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe
| Hash | Value |
|---|---|
| MD5 | fc68feb55209138d4afdd985b26f1f81 |
| SHA1 | 8d6a2e5864444376ba763b5a3e608858624b398f |
| SHA256 | f18237ed1188eeb6289710efd7cd3505c73c093d01bab9bfd9fed6707a047567 |
| SHA512 | 296805acb72f28c5f31135a5c851d75c94a532a5ddd51e6f98dc0d6b6c007afb97c50f78cf399747a3cc39849f9cef89113efa939c2ef8aaa12c1726b17b4425 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
| Hash | Value |
|---|---|
| MD5 | bdb7540a3514347c8156c332b8792239 |
| SHA1 | c3b5f467047ea2ddf4c42afa529cdbc7dcec9e56 |
| SHA256 | 918b396d1dc07cc04e223271204d186ba3cd65dab2ddeb1308c7ff18a0627d66 |
| SHA512 | 23c473cb35cc52bc0267687bdfaaba1a3105bddab2dbd1686d114287a67d2cb99ccf3dcdf575da896ab7d589f75cca531eec91f9ceb1f9d3694806d748758ac9 |
C:\Users\Admin\AppData\Local\Temp\minecraft.jar
| Hash | Value |
|---|---|
| MD5 | 4203826f35e1036f089919032c3d19d1 |
| SHA1 | add3809d2c075e985d4b583632dac3d9c3872945 |
| SHA256 | e993b789dd450e1538667def644e1376bd702fe26eebec3197598d5157042684 |
| SHA512 | 4902e4805454174c00b98d1fd44b737302103b0c3919ad453aed79c83153729b4e6205de6c5e299a2833b9127a2ad97b74d5c2cea801343a225596286a4e4f5a |
C:\Windows\SysWOW64\28463\OTKQ.001
| Hash | Value |
|---|---|
| MD5 | 8a873315194627354e5ba557a523eb6d |
| SHA1 | 3138603dc2cb31282052f50c0535d5172fff24a6 |
| SHA256 | 40d5dfd79b8cab534511554b6cc0da570fdea75eb3da82c183ded04f3bd15ad0 |
| SHA512 | 6eb6f194945beae199bfe3ef091332a4196cd6ea5ae362f5d407d65a8fd9ca23cd88b0d94952c17a71e46621d6420948af9e642facc9b8414d8a04c332a6b92a |
memory/2536-112-0x0000000001B60000-0x0000000001B61000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-24 08:00
Reported
2024-07-24 08:02
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Ardamax
Ardamax main executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\KGCU Agent = "C:\\Windows\\SysWOW64\\28463\\KGCU.exe" | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
Checks installed software on the system
Drops file in System32 directory
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\28463\KGCU.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\OTKQ.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\KGCU.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6ad76f2b1b2bbede5c9e2aa481100f97_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe
"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe"
C:\Windows\SysWOW64\28463\KGCU.exe
"C:\Windows\system32\28463\KGCU.exe"
C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe
"C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1216 -ip 1216
C:\Windows\SysWOW64\28463\OTKQ.exe
"C:\Windows\system32\28463\OTKQ.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1216 -s 840
C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\minecraft.jar"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Ardamax Keylogger 2.8.exe
| Hash | Value |
|---|---|
| MD5 | a5f59c67e5389f26d603a3480300522c |
| SHA1 | 02b58320d4992933538c5ce758156a7d55772344 |
| SHA256 | cb5560d6115f7a5b198f46ac38b959bb06c0a782afbd29c22349389c2c77bf3a |
| SHA512 | 0537c9cb587135dbf208160fb52db578a4e02fd7f556e69604f2ec0c1d4162790a0dc3377674addee5a5fcb7eb9f9970b3dc22e348c47d180195dd441dfc2163 |
C:\Users\Admin\AppData\Local\Temp\@55AE.tmp
| Hash | Value |
|---|---|
| MD5 | 25530555085337eb644b061f239aa9d4 |
| SHA1 | 8d91e099aba5439d4bfa8bce464c94e3e1acf620 |
| SHA256 | 3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325 |
| SHA512 | b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a |
C:\Windows\SysWOW64\28463\KGCU.exe
| Hash | Value |
|---|---|
| MD5 | 97d8ad45f48b4b28a93aab94699b7168 |
| SHA1 | 8b69b7fd7c008b95d12386f6da415097e72151de |
| SHA256 | 661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331 |
| SHA512 | 3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a |
C:\Users\Admin\AppData\Local\Temp\Ardamax Keylogger.exe
| Hash | Value |
|---|---|
| MD5 | fc68feb55209138d4afdd985b26f1f81 |
| SHA1 | 8d6a2e5864444376ba763b5a3e608858624b398f |
| SHA256 | f18237ed1188eeb6289710efd7cd3505c73c093d01bab9bfd9fed6707a047567 |
| SHA512 | 296805acb72f28c5f31135a5c851d75c94a532a5ddd51e6f98dc0d6b6c007afb97c50f78cf399747a3cc39849f9cef89113efa939c2ef8aaa12c1726b17b4425 |
C:\Windows\SysWOW64\28463\KGCU.chm
| Hash | Value |
|---|---|
| MD5 | 4cacfe8589b381143e7436a67138bd6b |
| SHA1 | 9b32ec887ccf78e89b647c7b2d0d8f714b4f57cf |
| SHA256 | fc790cdfa6002c81b16af111100286e601c93490485df0a394c8f462e838103a |
| SHA512 | fa0988c0cb2315e614d5467c6c92694b9347c4044d8e9152430adad893e39a55b6470b94a8d21bb0fed74630b68ddbf6073e2e1c879869abebe0be6f78dd404b |
memory/1216-45-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
| Hash | Value |
|---|---|
| MD5 | bdb7540a3514347c8156c332b8792239 |
| SHA1 | c3b5f467047ea2ddf4c42afa529cdbc7dcec9e56 |
| SHA256 | 918b396d1dc07cc04e223271204d186ba3cd65dab2ddeb1308c7ff18a0627d66 |
| SHA512 | 23c473cb35cc52bc0267687bdfaaba1a3105bddab2dbd1686d114287a67d2cb99ccf3dcdf575da896ab7d589f75cca531eec91f9ceb1f9d3694806d748758ac9 |
C:\Windows\SysWOW64\28463\KGCU.007
| Hash | Value |
|---|---|
| MD5 | e9fbdcc2f5fb657fa519b3f5c69fc52d |
| SHA1 | c49cca77b46a59d620711de7564d43e5dafcd2b5 |
| SHA256 | cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4 |
| SHA512 | 913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1 |
C:\Windows\SysWOW64\28463\KGCU.006
| Hash | Value |
|---|---|
| MD5 | 81e20f4361cf8f5a57812871c24d945e |
| SHA1 | 5d7877d6959ab26599b05795a71633f00c37a3da |
| SHA256 | e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d |
| SHA512 | 69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818 |
C:\Windows\SysWOW64\28463\KGCU.004
| Hash | Value |
|---|---|
| MD5 | 1e9efc9747213f87a89eefb656d221a1 |
| SHA1 | beaa459418de39ded935109cdfc6ef1c9924cad0 |
| SHA256 | fb38bfcf3c9067cf387311b10ba5a817e2016dba5e00ff4a144218e5bab78fac |
| SHA512 | 7c8d344eb920f5c494fa835b8ff49d6074caa3bed09438244c51b787cc3cb3508807160976b8087e400e29056978bb6ee3172c23120a22eabb950aaa5a2320b0 |
C:\Windows\SysWOW64\28463\AKV.exe
| Hash | Value |
|---|---|
| MD5 | d63cc8679a63448db1c64252e14e4ab5 |
| SHA1 | 10b3a9ac4bc16e8ac1cd05e50b4d540fa3ef223e |
| SHA256 | 29b3646a556879a4a48e4f2f81e09179c34ac2051ed3e4f4c28e293092470d3d |
| SHA512 | cb1911e1a77fb9be560aa4fd8bbef65e181b6d4438d65657501dbcd8dbf488ba01738a7222f35f8d4317e8df8c6f307d9e3623d6e3e45753e138b80fb68ff768 |
C:\Windows\SysWOW64\28463\KGCU.001
| Hash | Value |
|---|---|
| MD5 | 5c1f64b94ca19c5f180da89e8d760391 |
| SHA1 | 7fdc5d16777994203ae0f65c8a7bc371211c55d4 |
| SHA256 | a7bf4e3713d5e8f378bb395eeea9740b241fd5ae56d7fbf50d1312cf34bf37c1 |
| SHA512 | d9f92ca7e2bd728cc3bcc016d41b787c90b98b7ff249414ac2b19583b9a6e17f37c9a56c3338a210edfeda480d3696f1e6233978c654ad74f7f17039fc5addc0 |
C:\Users\Admin\AppData\Local\Temp\minecraft.jar
| Hash | Value |
|---|---|
| MD5 | 4203826f35e1036f089919032c3d19d1 |
| SHA1 | add3809d2c075e985d4b583632dac3d9c3872945 |
| SHA256 | e993b789dd450e1538667def644e1376bd702fe26eebec3197598d5157042684 |
| SHA512 | 4902e4805454174c00b98d1fd44b737302103b0c3919ad453aed79c83153729b4e6205de6c5e299a2833b9127a2ad97b74d5c2cea801343a225596286a4e4f5a |
memory/4936-90-0x000002038F570000-0x000002038F571000-memory.dmp