ardamax | 09abaf754ff9d3739ce8e871d7009df0065468c537da9b5ed88371c216f06e83

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23/10/2024, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
Size

882KB
MD5

6fd623b53ad08afc12e78d86a5d2ef43
SHA1

b42c45fea5ffd0ce3024e844611423f493f88180
SHA256

09abaf754ff9d3739ce8e871d7009df0065468c537da9b5ed88371c216f06e83
SHA512

d78ad22c369e2eb37f47abce88eafd5009f1de5592977211d22f45f9eeb6a8b00d985f675971d12193b01f240cb978725123a5aac35f0a8082f951f2ccbf6caf
SSDEEP

24576:DYMN9LB6VmQDWzzTWCqK2di16PniFYTBaL+POlc8:DHhB6VZCqpd0AiF4BI+PCN

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001925d-13.dat	family_ardamax

Executes dropped EXE 3 IoCs

pid	Process
2892	WGCD.exe
2724	setup_akl.exe
568	HTV.exe

Loads dropped DLL 23 IoCs

pid	Process
2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
2724	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
2892	WGCD.exe
2724	setup_akl.exe
2892	WGCD.exe
2724	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
2724	setup_akl.exe
568	HTV.exe
568	HTV.exe
568	HTV.exe
568	HTV.exe
568	HTV.exe
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WGCD Agent = "C:\\Windows\\SysWOW64\\28463\\WGCD.exe"	WGCD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\WGCD.001	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\WGCD.006	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\WGCD.007	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\WGCD.exe	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	WGCD.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.006	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.003	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.004	setup_akl.exe
File created	C:\Program Files (x86)\HTV\qs.html	setup_akl.exe
File created	C:\Program Files (x86)\HTV\menu.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.007	setup_akl.exe
File created	C:\Program Files (x86)\HTV\AKV.exe	setup_akl.exe
File created	C:\Program Files (x86)\HTV\tray.gif	setup_akl.exe
File created	C:\Program Files (x86)\HTV\HTV.chm	setup_akl.exe
File created	C:\Program Files (x86)\HTV\Uninstall.exe	setup_akl.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WGCD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000019da9-19.dat	nsis_installer_1
behavioral1/files/0x000500000001a4a5-69.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b96000000000200000000001066000000010000200000009a96ecbf7b5aaecb1a4ec21f7e7f77d00fbef5ba2fc8c0f186b6efb1f54ac909000000000e80000000020000200000006ad0d9d0afcc512745dff9b7573f63a5518e2af82ab89fd3f0df01e2497d259090000000b8daf2d80f6f6687d4d8381e248d01f578e4fa518bf9aec639a860a020b4298c641eb7c5f4403f9c2590dc6027d94f26d35f9e58d07b245c413ae543b576bf4dd8f5180a15ac5720d5b48710169d490f1feae7f0ac3e6f60c46b0dc496f8b67823705aa6a58416646bb3817d777c4a0eb3c11ce1ca0dc72cafd6d43c949a2d634dcd7f2a51f43f289340175c7746b27a400000002d99a94d6b0e551ec65473b311d8cba8d3d072951c159378baf358aee5582510be419e3dca91a4bfa6d5e301fc6f02a59ad895ee7ff1b97ff20845908c348f09	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2032cfc96725db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000774a853bca005e8a0efbf3af0da21d42ee4a791e590bb62c361c2537b3816be3000000000e8000000002000020000000c3cc5981197070b1cf130437d1707b5f0954894488b6413fdc4ab98a76f21ec820000000440132c984e39380ae98a9193147f9bcadf96cdc52e3b16f19559c895dd0379f40000000c9197fa0a00515c9c4bc89545285fbd4728063363f5853ead7856a7579150f80218bd089fe4ad2dfbd3be08f062dc0a13757a04f6c686025465caaf8aa193176	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F4F3A8A1-915A-11EF-8D2A-5E7C7FDA70D7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435862400"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2892	WGCD.exe
Token: SeIncBasePriorityPrivilege	2892	WGCD.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1324	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2892	WGCD.exe
2892	WGCD.exe
2892	WGCD.exe
2892	WGCD.exe
2892	WGCD.exe
1324	iexplore.exe
1324	iexplore.exe
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE
1612	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2892	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2892	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2892	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2892	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	31
PID 2956 wrote to memory of 2724	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2724	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2724	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2724	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2724	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2724	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2724	2956	6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe	32
PID 2724 wrote to memory of 568	2724	setup_akl.exe	33
PID 2724 wrote to memory of 568	2724	setup_akl.exe	33
PID 2724 wrote to memory of 568	2724	setup_akl.exe	33
PID 2724 wrote to memory of 568	2724	setup_akl.exe	33
PID 2724 wrote to memory of 568	2724	setup_akl.exe	33
PID 2724 wrote to memory of 568	2724	setup_akl.exe	33
PID 2724 wrote to memory of 568	2724	setup_akl.exe	33
PID 2724 wrote to memory of 1324	2724	setup_akl.exe	34
PID 2724 wrote to memory of 1324	2724	setup_akl.exe	34
PID 2724 wrote to memory of 1324	2724	setup_akl.exe	34
PID 2724 wrote to memory of 1324	2724	setup_akl.exe	34
PID 1324 wrote to memory of 1612	1324	iexplore.exe	35
PID 1324 wrote to memory of 1612	1324	iexplore.exe	35
PID 1324 wrote to memory of 1612	1324	iexplore.exe	35
PID 1324 wrote to memory of 1612	1324	iexplore.exe	35
PID 1324 wrote to memory of 1612	1324	iexplore.exe	35
PID 1324 wrote to memory of 1612	1324	iexplore.exe	35
PID 1324 wrote to memory of 1612	1324	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fd623b53ad08afc12e78d86a5d2ef43_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\28463\WGCD.exe
  "C:\Windows\system32\28463\WGCD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2892
- C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Program Files (x86)\HTV\HTV.exe
    "C:\Program Files (x86)\HTV\HTV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:568
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\HTV\qs.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1324
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1324 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\Uninstall.exe

Filesize
44KB

MD5
83cac9da65204dca68d957c5731a7059

SHA1
0291f20c8144494e9eb06b818bed447afee91f09

SHA256
9704a03d01c430189525b18b519d77337e230ccd09ca37d2ee1a25a38f5cec0f

SHA512
4be4fc5cfd21ba4affff87ca1698ba63a62a2d899538ba6034e71a2451d63f545b4e29f8fd5875e0339f97eca360b46fac85d7ca26c7e37a8ea4b3ca65457673

Download Submit
C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96142f8ac0e95bb40361d48bfd41a54b

SHA1
629821e490b4f8e2a5ed3929658e6ea495544647

SHA256
081a1194ed70159f40075979ff87970f74780c9983c5ae14119098770fb5b3c5

SHA512
3ff51d6b5b699a6d05de2e4739031a2379f1b5e373ad05ff00f881ad7d8b74445674e0edb590f936d46140247572014e568f98c3f56bc41d69a275ca274643f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb164c2cd0ed19ba274c132591e4f238

SHA1
d59582a507a268c3412e4a2010d38599faffcefc

SHA256
6cf46f7df3c58dac2e83ec003a5caa80089bbf00ca94b128f1728c0ed4d6d61e

SHA512
2f673aaaa902b27d7de6320b964ec1767a783c1f701e6d193091c9a1ab03cd548610864308aaedf31a8c1f10b906864def098005184084f4f0b023b9dc660ae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
855bdfb90fb9a2941e48b93c730446a1

SHA1
bdf5acd8957cd5182056a15200bd08205a6570af

SHA256
f295941a270eebc551c7afffc8c053799134e6e99db0497a5980390078c939cd

SHA512
64263e9c95504ea1753c9c49ca6ab2f825822dd498906e069162effd6fbaa5e8ffd88905b7c99ce42e2fc9117cccfd21ff4924d5e857cbdb37cbda84c8765e64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa54ab48baf0481278c07f8c6db0ce09

SHA1
0b10f193c86ceabac0e15c98306d748b9c2ce4d5

SHA256
435beb5b4960f3eb88b59851c8b48ba7252bf07eee26cdfd81035136de36ec7e

SHA512
b8aa08b138ce85a7196b0b7b20b513762c7e8c35fb67a90f05140c89819f00a4815ead35c09609fe61d2bfdf358b8af9de071423133cf45d0a00657726e35ecd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd57399e461935486e43c202e010b3ff

SHA1
f5541d5ae63f4e21c509edad3e51f891767667fa

SHA256
e986e56321e0578f89d8f6cc3690f060571e4793cb6f15366e4df0d202c32423

SHA512
e8745c992820f5e686ae71d6a179b0fa764666e40510435b764f05586bf012f8a87341078fe91939630b9080e15e984ce28de93528c4470894c4618a49f46a33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5a26b690d15f48174900eb6cf2749b8

SHA1
36c309ce944ccc5f4037be6c44413d21e342e143

SHA256
538706a7b5e9a628d6c2577b62eba13dac255f19b419f222a04ec43fa299bd48

SHA512
ad0d555f4ecbcc463f1ffd47ef36dc4cfecd8463a70090c8e468673e867fccc88a25b6bb9ef172c19072a5ccd437a323151e30a2a440284752270cbe6f6f3594

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f0c75a0fc4bdf2c72df41b559396cfa

SHA1
cd6c869872b8ea41ffdb98a982fba9453c8830c7

SHA256
e9a5d54ac3f5bc26541bd09d01819218a458bf9e30fc6693fb8ea6b3a355eca6

SHA512
fdad73f4f48b909d337c7f18aa571c659ad2b70481e034ab93ff00dd87624c9888fa446772be9e62ac0b93cf5907a191810169766a3bde6a11568a2a8b1a6923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e9c85348ebda649e9342a7e08be98f7

SHA1
46bd1c42d7505e03e7d21d68a4ac1162b72f6b5a

SHA256
4f2e25375154698b03bc1bcd8fbc8f2bbdb34e0a7858c2e872bc98865989c04f

SHA512
edcab1461093ca5badd222618e49cb55b20558bccc32dd3d2c2511a128c8463e89a73fbeabf205098ffe3e4dc8457763882e0efade2437c901e523c09b937801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46a438800223171e8adf0f6d801a5bf2

SHA1
785b4bf95a8539b3ed5a6dfc49d98e8321ac1f55

SHA256
686d5e25b73fb016422eafbc3dd2cbc971f9962e8df121ec2b6470cf70d7e182

SHA512
4676cc1f89d891e48852de23c45ef4ab9416cb48cc80b5866d09bcdfbbc247cae72b789daceeb3620f247ce20ac72f04327c3a983942898ab86927f8f331e2a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e43320d933d530e6e4fc08ae4aa8424e

SHA1
f300040c779744b52e5a4a52d39e27aebac00c83

SHA256
336f7655ac3bf9e5954dd223e5b61b329b68d2a0d3aac410564607d8e4334866

SHA512
d4af2f9703a31503c71ced8a543218fcc1f9fbbee02b84a057e2c591b5814cb7023c3113420f75db1f50395a7ba6cbdeae809e6cc5a02d91cd2305d607385bb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e27918439cf28f9bed09e611134da7a2

SHA1
0ea388921de40b052aded5ae4eb85e82468b5d50

SHA256
67e02083f6b862958addb7f35448aa3c967c0f4492c63e2e87a86f15505d2ac3

SHA512
9546b8be06241a4493faa15dc319222b18e478a8891b2ddc4f92636ac1f58f559e649f949478f985e66669193a17ffef5a5a40fb48b682be1df9fcdde3ffb60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcadbf081081f6aafc686671c2dd2f78

SHA1
266d18afeaf97145a94739cc683e0da885d0d0da

SHA256
0735fa376db1605c0178a5b65d0b6397c846ff733c4aa10cc834dc9fa1325cfe

SHA512
7a5d93996f8086acff12ccb8d80473fcd411968948174b5fe4f418afbf1521da9ccef3d140cf74ea8f514cc1f2b3c0d71095b2853435fc471496c024e6ccb252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
20d38d41c788abe46b6ba49c042c06d7

SHA1
907856e8fcbce360b6c635cfd7b9d59fe37bb191

SHA256
b41a0df54a521396358e275a61b577261fb4e31fc3c93fb50bd45dc358d1d6dc

SHA512
cbb9173432507bc62cb8e80be4775cd3d50891c3bb9c48762485dd80c9068b0df048607df2dff994f8c23474b2ef29017c57b50e4ab209066f487d77b2fa5d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71954b680964d93b2a2e1f17195e4f93

SHA1
fb4f02fcf6faa4b4d475048eb0f3c5224c98d307

SHA256
84f8089d7d2a9498002f072768a845b961f31266e807c9fcee20e495e613ed34

SHA512
fcba699fda43e0e429500d37b2e0c37c4e529eca2b57a22c00afaffcaff7e15b8ddcfa3e2cc0b71b1b90e318c814861e4d3ce30e23ad2d5a3516ab1185455a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9aac3a4365dc640e1560b60cada12d0

SHA1
ab0178b92ed24fe06a7b1b1c3bd7f34cbc58821f

SHA256
8aa9f669290f9938b2cc95e41b6d1cf03ca37f7f5a0abb7e9831a08295ac6cb9

SHA512
f76de2c1ee509ab1b8bb5e999523269c5aa59f6240e5fe782c13561e181dc5a35226f58223887c65a19c7bef4bd77983dc972a797ade56543308701bc58bed7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58ed3cf847a99f273afddbedbf0430d5

SHA1
d6b8d2686313b4dabc5ab2ad19434b78bbb0e9e4

SHA256
29e8af534290c0c18911bbd894b42eaabaf55ffd859185d6a098caf23e6423e5

SHA512
70d1f18d3dc3b0df72715f62427f3a41eed6e1dae438bf972d19943a09a49bcb6d9d42ccd8ad801a3363b6ccc551eb6fca50f32c5ed5fd595a63ae2a1e33963b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab65D7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6677.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjE88D.tmp\ioSpecial.ini

Filesize
810B

MD5
b73a25b285a0bf9663fd3728db6d9ccf

SHA1
3ac8584485646882ac14c25d7dc39d77a4cb3361

SHA256
004ec8ba57e757d0c4e6fb4ca51869909e5442fd8783fce82f01b80d01c97d35

SHA512
7062f85b8d38aea4ed1a57f8b78cad316513c1415829fe80ff89528d3c21fd30320cf8975c6522bc0950b9b630c1be02bf8d50c66a32f4f1b71312ff852e9231

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjE88D.tmp\ioSpecial.ini

Filesize
736B

MD5
b5a74de7d923cd7b587076bd1fe03a5e

SHA1
e6c3dbf9620a9af1a4f3e62623d14d5640b90cd5

SHA256
2761217218dc2b8f62b7111bd09a17e47f4f06440533016806996e55f391ab94

SHA512
a5c5986c34da409c2260a0e9b45eefb85074da96d3db42bea3bf4c00fb4151ed9bf3e9c29654d2bca4d05ac7a3e80a10aed179f46948cd3ed3e8522e2e1d185a

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
a655980f1ccb7e183aef71419e01051f

SHA1
26bf8f2a1c096fcf014f4d38a7262d4c8a5eae5e

SHA256
d2af94a00c4de38dbc481c50e439768a9aa0ee2cca057efb759a10068c66e57b

SHA512
66fed05ff2a9dd9ea9565274cd32dec3ad42a0ff41ab468f1d751697fbf246a5ed1112ce8f556ffcec607eefce1cdfd5a3d9954a99b1b58e342a9239592c97ad

Download Submit
C:\Windows\SysWOW64\28463\WGCD.001

Filesize
422B

MD5
f9dc00b4b763eedcdb780ee6ecb55768

SHA1
ec156bcf9f9d1be96752838ff4646827a819ea1e

SHA256
cc507ef9c445b4c23100a9a888575970e9c3343b109b9f2a8b79699340f5072c

SHA512
1df042ed2a0540fe0e4fca520d495d9da833d36b3526e28faa4b9673c1af314673ba2b12a6fb8e9927f79966bf6a1747146a4c288899239f4a617688f994b217

Download Submit
C:\Windows\SysWOW64\28463\WGCD.006

Filesize
7KB

MD5
c8cea38934bbb1d53dabd5680d12612e

SHA1
438b909d2a80b2995e2eb5e4fc12d21185bd7f9e

SHA256
77d3390580bc51da413b5a4fdce4f70c23dba979904f0f64f5aa8091e300c8ad

SHA512
4fd62a8b1260e6ead4c1ea178e35255ed8a1f31819080ef358f8b6f1975f705f9df0b901c870be58b10aa7b34263bd670afaeee315247fb5eb262caf70fc10a8

Download Submit
C:\Windows\SysWOW64\28463\WGCD.007

Filesize
5KB

MD5
00ff3cd6c61e7d48ee1ae5f6b6b3876b

SHA1
efe6bcdb012525d11d2f2f10a3c362c06fe48a22

SHA256
043b156e49a23c85ea6524729ca89c0932a7ffa5d39328182be212c7f403719e

SHA512
52aa11472123dc19a2bea54fbf18b3cb5803ce47f831427d0316421653826a945a8cb914e592b4e9311ff97884f998021d8dbc0c94e2c69e04c99103e55986a4

Download Submit
C:\Windows\SysWOW64\28463\WGCD.exe

Filesize
471KB

MD5
b19358a11fc5bf245df5816361d4d24c

SHA1
22c92178047080c254aa2ed601f027a52f22c44b

SHA256
fb6bd2ac12914944697900aeaaf5606c475e8d3c5a5c9bdc345ce037a2218a74

SHA512
e92f9d73b25c1d922dd742ca63a0af7152eb6e748d2b06e84993273636a31fdf09071414c3576f4734da70f0f15835caaaa812da1a928abff1d67879ed6a2d45

Download Submit
\Users\Admin\AppData\Local\Temp\@E753.tmp

Filesize
4KB

MD5
91374d9ab21e5ebc2cc82c2b5d46d116

SHA1
2107cdb63bd762a1d12c5b7475f73fc433fd05b6

SHA256
2aaf236aefea2d3500d57b78cc683a50843e73b8270279686a1eb78e37937d23

SHA512
465061b230203c464cbfea3447249d7b603773b60c3c882a254b19699dd825ddc01bba2c475dd2fc1081927b97de0d395b99d6afe365faf8b0c9db24c0d4323b

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE88D.tmp\InstallOptions.dll

Filesize
12KB

MD5
b3ebe1cb6bdd529302c121dd4e2e0d00

SHA1
305f022e7e3ef0ae6cdc5f18bd6adc3032f64304

SHA256
5a1696f9892567b3339faf2bf4df5eb1d2d886c49807529028b65f0f493e79b2

SHA512
6f6ea4aec1588bb6f7ab4f8422942ac0acbddb8b916af2ead039b434bec6db4d0bf64deb3b8d6cc33666cabd70024a1208411ab6e0ee10bcf98c47951f8d359a

Download Submit
\Users\Admin\AppData\Local\Temp\setup_akl.exe

Filesize
417KB

MD5
0e1de64ff61e6514142b68fd71cd0273

SHA1
05d2bb3d08d39014cd72f6f9d877729116e83dfc

SHA256
66683e591b6520d8f215b16ef985f106b5642fe00b7a2d3618f4e84c44fafa53

SHA512
4b46ccd9cb938b3f7b69ec087803f614efb9e54bbbf9c851e18f9349956d5ba20872d700859ae4ac368b63e19838236c8149022b17de27cf67c1a60636a46195

Download Submit
memory/2892-40-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2892-45-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads