ardamax | 1c37555242c8c8d418ac6d6b2d0240fc17feded112e03fd61858f7ccc220793d

Analysis

max time kernel
145s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2024 07:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe05a91b9bcf2e18fe9338fdf8f8c1f1_JaffaCakes118.exe
Size

6.6MB
MD5

fe05a91b9bcf2e18fe9338fdf8f8c1f1
SHA1

842d372833b32d3ce92ed8ccef68e96755844411
SHA256

1c37555242c8c8d418ac6d6b2d0240fc17feded112e03fd61858f7ccc220793d
SHA512

9eb4986a437dcf5aa96ceb600052c98d75299611c8e84469cff58a12d8af4d0ad4b1a06cb0bef3112d3bbcede556997c8a5957111b526a01b61abdb3d77f1498
SSDEEP

49152:qvRdZcp2MgBsbrMyufXCy2SD/fqtE8pqO4bCNL7IvpvPII4XaT5KZxTqbjRunPSV:o

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000235ba-27.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	file1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	TeamViewer_Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WPMP.exe

Executes dropped EXE 4 IoCs

pid	Process
3104	file1.exe
2440	WPMP.exe
548	TeamViewer_Setup.exe
4580	TeamViewer_.exe

Loads dropped DLL 17 IoCs

pid	Process
3104	file1.exe
548	TeamViewer_Setup.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
2440	WPMP.exe
2440	WPMP.exe
2440	WPMP.exe
4580	TeamViewer_.exe
4580	TeamViewer_.exe
4992	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WPMP Agent = "C:\\Windows\\SysWOW64\\28463\\WPMP.exe"	WPMP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\key.bin	file1.exe
File opened for modification	C:\Windows\SysWOW64\28463	WPMP.exe
File created	C:\Windows\SysWOW64\28463\WPMP.001	file1.exe
File created	C:\Windows\SysWOW64\28463\WPMP.006	file1.exe
File created	C:\Windows\SysWOW64\28463\WPMP.007	file1.exe
File created	C:\Windows\SysWOW64\28463\WPMP.exe	file1.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000235bf-44.dat	upx
behavioral2/memory/548-47-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/files/0x00070000000235c3-59.dat	upx
behavioral2/memory/4580-65-0x0000000000400000-0x0000000000449000-memory.dmp	upx
behavioral2/memory/548-67-0x0000000000400000-0x000000000043B000-memory.dmp	upx
behavioral2/memory/4580-298-0x0000000000400000-0x0000000000449000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4992	2440	WerFault.exe	92

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPMP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TeamViewer_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\ProgID\	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\Server	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\FLAGS\ = "0"	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\TypeLib\ = "{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}"	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\ProgID	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\0\win32\	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\TypeLib\	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\Version	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\Version\ = "8.0"	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\ = "WMPRichPreviewLauncher 1.0 Type Library"	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\0\	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSCorEE.dll"	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\ProgID\ = "VsaVbRT.8.0"	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\Server\ = "VsaVb7rt.dll"	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\FLAGS	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\ = "Mokoze Coseb Object"	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\0	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\Programmable\	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\Programmable	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\0\win32	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\TypeLib	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\InprocServer32\	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\0\win32\ = "%ProgramFiles(x86)%\\Windows Media Player\\wmprph.exe"	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5AD4EC3B-B6CC-6C88-E0E8-583485D3A240}\1.0\FLAGS\	WPMP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\InprocServer32	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\Version\	WPMP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2DC7D5B2-8C86-4C03-97B1-E47877FE94B9}\Server\	WPMP.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2440	WPMP.exe
Token: SeIncBasePriorityPrivilege	2440	WPMP.exe
Token: SeIncBasePriorityPrivilege	2440	WPMP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2440	WPMP.exe
2440	WPMP.exe
2440	WPMP.exe
2440	WPMP.exe
2440	WPMP.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 3104	2384	fe05a91b9bcf2e18fe9338fdf8f8c1f1_JaffaCakes118.exe	91
PID 2384 wrote to memory of 3104	2384	fe05a91b9bcf2e18fe9338fdf8f8c1f1_JaffaCakes118.exe	91
PID 2384 wrote to memory of 3104	2384	fe05a91b9bcf2e18fe9338fdf8f8c1f1_JaffaCakes118.exe	91
PID 3104 wrote to memory of 2440	3104	file1.exe	92
PID 3104 wrote to memory of 2440	3104	file1.exe	92
PID 3104 wrote to memory of 2440	3104	file1.exe	92
PID 3104 wrote to memory of 548	3104	file1.exe	93
PID 3104 wrote to memory of 548	3104	file1.exe	93
PID 3104 wrote to memory of 548	3104	file1.exe	93
PID 548 wrote to memory of 4580	548	TeamViewer_Setup.exe	94
PID 548 wrote to memory of 4580	548	TeamViewer_Setup.exe	94
PID 548 wrote to memory of 4580	548	TeamViewer_Setup.exe	94
PID 2440 wrote to memory of 4428	2440	WPMP.exe	108
PID 2440 wrote to memory of 4428	2440	WPMP.exe	108
PID 2440 wrote to memory of 4428	2440	WPMP.exe	108

C:\Users\Admin\AppData\Local\Temp\fe05a91b9bcf2e18fe9338fdf8f8c1f1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe05a91b9bcf2e18fe9338fdf8f8c1f1_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\file1.exe
  C:\Users\Admin\AppData\Local\Temp\\file1.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\28463\WPMP.exe
    "C:\Windows\system32\28463\WPMP.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 1072
      4⤵
      Loads dropped DLL
      Program crash
      PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\WPMP.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4428
- - C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version5\TeamViewer_.exe
      "C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version5\TeamViewer_.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1036,i,4356837537417149674,16553092232944545509,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
1⤵
PID:1264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2440 -ip 2440
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@4F44.tmp

Filesize
4KB

MD5
f1cf9fcbddeadabb738de497ffefdced

SHA1
7385a7c87e245da89cc5ef8f9295678c1566f25d

SHA256
086083bc73b14286f9c3c29df8b8dc6f014d8b084267fbaeee0af56344d1f779

SHA512
3a3b9d279b4c131ef3f358e0163f60ec9e60160a2cc45488adb915fea6642f3df5d35da2ccb6983d790401d237fbc808829f42c42ef958e7a0eac98fc33bb3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer\Version5\TeamViewer_.exe

Filesize
2.5MB

MD5
ab45e9a5e5de0ef88f13a2e121470cb5

SHA1
8bfb8c495ac515bac6a6798454dc6162c87f3e0a

SHA256
620d88abcae44c3b00decf90aaec4bdca29ec442aa189f52ae6325250f50e1ff

SHA512
d45a9d1d589baff58b59668ced65d3b42af8121c7378130a5bdf63332d111611b01cb21b1ce93f38f534ee1408e6512ef3e6db295ae394378408ef57074b2a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeamViewer_Setup.exe

Filesize
2.5MB

MD5
5392099ad5d282c1ed93aa13a47c60c5

SHA1
13e6fa57fe6c34bba2a85868d388628e147f6b42

SHA256
f2e9f8830a2b20609b7f59a9a8051eefb5b541e341cf3f6ebc5220565041bf43

SHA512
9096bceed15374d49446de5e71741a3ab4d07a12619c920fafcad07ea1ce27ee529cbb5878f03a3e59cd75160b0bd9cad18a285e2d6f4ccc413cc15adda08002

Download Submit
C:\Users\Admin\AppData\Local\Temp\file1.exe

Filesize
3.1MB

MD5
6293fde559f4e3c05af389fd0d17d096

SHA1
3fe6f62a15d87e56f7b736de2a4b43a446423c69

SHA256
9d4585b50086c1c6631590f6adb97ce85b5449d2b09b1f471c16e93e68e17f69

SHA512
86f500470e85d03f21bd7d0b3669d3fac99db9b13bf932cdfc7f1c2e267d3ed283a6b65ca3f51a6d9925dc5c95e04ec1642a91a736a7b3445a4d6c05abb66d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf5252.tmp\TvGetVersion.dll

Filesize
49KB

MD5
49626ee03cff91a643763ced5b363572

SHA1
fe921efdab33cbb77587f79b27ce2e65cdc7826d

SHA256
d550cbdabdad3e0f3349310e1af077cc06384bd0988350af6887d9c4852c8943

SHA512
cdc7a07c150e5b1b4bc4be860d4fc7bd5e452b372a0b541518072eab32e99f97f36abd84f4c6782fe382b0f2ff5cd4131d34a175896d8eb0c36bc45b009faf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh564B.tmp\InstallOptions.dll

Filesize
14KB

MD5
0dc0cc7a6d9db685bf05a7e5f3ea4781

SHA1
5d8b6268eeec9d8d904bc9d988a4b588b392213f

SHA256
8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c

SHA512
814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh564B.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh564B.tmp\UserInfo.dll

Filesize
4KB

MD5
1e8e11f465afdabe97f529705786b368

SHA1
ea42bed65df6618c5f5648567d81f3935e70a2a0

SHA256
7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b

SHA512
16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh564B.tmp\environment.ini

Filesize
661B

MD5
d49491c7ba7bd565e1b8ff473cd84c8e

SHA1
2522272cf01af17f8ace15a29759f7629ebdc94e

SHA256
0be1c22c6f540d98cd55d7f434f57aedffc67a19df4e4957f75eb034a7b3d9bb

SHA512
2207da44794bd8b8ed1161a0a1990d13824c91b651711d20fbd14769f898a95168884e217f24465b309901215961f3bcb287214b61c5ce2fbc020e8e21cb7b3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh564B.tmp\host.ini

Filesize
975B

MD5
69a491a30f8fd22d3210847d54274a19

SHA1
7e19eb2b1424bb487708f91001d0a001e214ebb8

SHA256
49a8ab22496032d8286c7fa71d1e5fc3f13079572d45e4140d1b24be57202b53

SHA512
4ac8b38c91eb466cc31e8256cd7a59bf10ff088a3ff233510277be969134c7da2c784fb1254323c2a3e502d2daa98561c160d321a153914b65f97c6bec79207b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh564B.tmp\start.ini

Filesize
983B

MD5
1885c519ebff7baf0ae16252235f497b

SHA1
b997c1bf6649b9501ea3245fe422a0048e394a9f

SHA256
ce453ca6b1afcdcdb73ff85bd7494b68c58fd86c845468ecebf27f6fbdf9eb47

SHA512
f14df980b74f909d8d8950aa60ca2d08e2341a2c47ac307af39e586e3b44ebc7abe61d59828f73b86875af268f19b583de7917b744827b8632ed3be54c74683f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh564B.tmp\start.ini

Filesize
1KB

MD5
5e3746082693fe8840326d1ff2146df0

SHA1
1f198c5be41ae8fa30188baf1e34b1659e793194

SHA256
67b95fb27754a3cfe1ad0c145ed65be96619a3079f77c5825f4933ead36dd7f8

SHA512
949debc3e96f02d3267f8cf595dba6965a2e6b68e8524cd556645120e57a49003e275cedb82fb57a89b89a7333b1ffedc9ddf864b9ad365fbd7b6d7c1af3939d

Download Submit
C:\Windows\SysWOW64\28463\WPMP.001

Filesize
370B

MD5
3847fbfbf16f87a8c37c240012f0383d

SHA1
01e24c3f8501c5ffeb47fd2159a048c60a4cbeb3

SHA256
b501fba824b474b1d6d418a32f5d3df0d160b8b084b82969a24898a977ef981c

SHA512
1415aa918d420fb3fad575dd8b99a3b5d8b95316fda5e31678d9d8d59ee3445a5e4e37e9cdabe10b4ec328adbfd3e7b68211673d27a83acd1d9d93b6f6b578cd

Download Submit
C:\Windows\SysWOW64\28463\WPMP.006

Filesize
8KB

MD5
31854a50b294dd312eb7fa9eb1c99537

SHA1
e0b1682a001e15d0e0e1c1ca732cafb5c80b3160

SHA256
2fe2d55aae2deef38a37c9679d74ecf05699d6919760794f69583b43b7fe308c

SHA512
0482a4981ba242d4e931bd8b9eb5d606492cffb7609fb69fb349ed19c7a9e36a7e240e5ebe759505d253c5e72fb771612a76419c36fb035987a166569a5111c2

Download Submit
C:\Windows\SysWOW64\28463\WPMP.007

Filesize
5KB

MD5
603451f504bedb28c3a7bae4c89abf24

SHA1
cbfe12186b54663f60663c349739c7a49950c44e

SHA256
e4d6577ea390274308877284b6d0cd6672aeb0e76c9c9847ac59c0964f050d13

SHA512
136e28e288b3ce26b37c82b078a3440e3232c0f874d7d33e8e6fb6eadfd0024b9009448500c716523b81f142fa3bebf7d11f1dd3e8e6143867b06335eb5f9612

Download Submit
C:\Windows\SysWOW64\28463\WPMP.exe

Filesize
648KB

MD5
ce568bcaf7285124f764aff92f5079d4

SHA1
886f698e2239cf615f12b503853a5fa28c53aefc

SHA256
59d7d6de8a9e2d5535703d22c36888889530fd011d7f71cf034e93e36e7527af

SHA512
9f6e3496930cb5dd9c9403acc865bc94f63f64af49a27ffeedbc9d9082d50bff4a7a772bb98d4a2719f0ecae144393de9cc273ba83ae00abe347b0be0d7c9866

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/548-67-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/548-47-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2384-8-0x00007FFAC74C0000-0x00007FFAC7E61000-memory.dmp

Filesize
9.6MB

Download
memory/2384-9-0x00007FFAC74C0000-0x00007FFAC7E61000-memory.dmp

Filesize
9.6MB

Download
memory/2384-7-0x000000001C780000-0x000000001C7CC000-memory.dmp

Filesize
304KB

Download
memory/2384-29-0x00007FFAC74C0000-0x00007FFAC7E61000-memory.dmp

Filesize
9.6MB

Download
memory/2384-10-0x00007FFAC74C0000-0x00007FFAC7E61000-memory.dmp

Filesize
9.6MB

Download
memory/2384-6-0x0000000000D10000-0x0000000000D18000-memory.dmp

Filesize
32KB

Download
memory/2384-5-0x000000001C4D0000-0x000000001C56C000-memory.dmp

Filesize
624KB

Download
memory/2384-4-0x000000001BB60000-0x000000001C02E000-memory.dmp

Filesize
4.8MB

Download
memory/2384-3-0x00007FFAC74C0000-0x00007FFAC7E61000-memory.dmp

Filesize
9.6MB

Download
memory/2384-2-0x00007FFAC74C0000-0x00007FFAC7E61000-memory.dmp

Filesize
9.6MB

Download
memory/2384-1-0x000000001B5E0000-0x000000001B686000-memory.dmp

Filesize
664KB

Download
memory/2384-0-0x00007FFAC7775000-0x00007FFAC7776000-memory.dmp

Filesize
4KB

Download
memory/2440-35-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2440-38-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/2440-295-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2440-296-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/2440-303-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2440-312-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/2440-311-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4580-65-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/4580-298-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads