ardamax | 05bdfdd5b994970fee884f875b67b7c9dafac6bba1ae6d5ea5369d90b0ca91c9

Analysis

max time kernel
141s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-10-2024 09:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe
Size

1.1MB
MD5

732d417731226c4b89e77bf962f2f981
SHA1

77a30165c462f59ba834c588125bc87825323f4f
SHA256

05bdfdd5b994970fee884f875b67b7c9dafac6bba1ae6d5ea5369d90b0ca91c9
SHA512

ab5d8b74ab6e509d62aedc716d186a7d9e6088cc4e491f565502613408dea7aba05632985c9d399293457bf3f5d5fb9d186d57016ec2d66fd93912944100ec47
SSDEEP

24576:AkKKTe3pTmXd/eawg9vKUXC4ZbE29w/u2SeA0i6e:AMTel5lg7XCME2shFiL

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000194fc-25.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2920	Alex o Elemento.exe
2652	VIKP.exe

Loads dropped DLL 10 IoCs

pid	Process
2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe
2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe
2920	Alex o Elemento.exe
2920	Alex o Elemento.exe
2652	VIKP.exe
2760	IEXPLORE.EXE
3024	IEXPLORE.EXE
2652	VIKP.exe
2760	IEXPLORE.EXE
3024	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VIKP Agent = "C:\\Windows\\SysWOW64\\28463\\VIKP.exe"	VIKP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\VIKP.007	Alex o Elemento.exe
File created	C:\Windows\SysWOW64\28463\VIKP.exe	Alex o Elemento.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Alex o Elemento.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Alex o Elemento.exe
File opened for modification	C:\Windows\SysWOW64\28463	VIKP.exe
File created	C:\Windows\SysWOW64\28463\VIKP.001	Alex o Elemento.exe
File created	C:\Windows\SysWOW64\28463\VIKP.006	Alex o Elemento.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Alex o Elemento.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VIKP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 62 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5C64C7C1-91ED-11EF-9CB9-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435925279"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0ad1031fa25db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000c9c64668fb4b9b8ddfdab59c4293d2df296121d183f638baaa5e86a12b8e861e000000000e800000000200002000000085cb658375aacab25f5c6592415ba4825354869c1af8ac784f59af69d396c80790000000f708e81e95dea63568e6650509e9dba209c0e06e88f9265e3780e3a30ee5fdfb5d8563bf8217d5c199078eb2f642deb944b518993b38c579789b42f11013a9efb300d8eb51a2db2a4e1f8fce949f895fc3d1e14f0509d20f335a872c3b3437b205ca42ad70efd6f3198edb9c965616357df4414e8c9b6128acc5205803ede343c9604ab09fc0f9153a77400ea3c5d3b840000000271b68576c2b53414738d25af761ad237688ece20be1e54e11af6beba22676922e363d22b1ddded09b3a6c40cf7a95d79dc4c141aeae9680feb6749e8a647ddf	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5C64EED1-91ED-11EF-9CB9-62CAC36041A9} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc50000000000200000000001066000000010000200000006be04b75ef5d47bf5debca9de324f02a2c2560544c3172b25604252bde0b7248000000000e8000000002000020000000b1047c68aa90c3e6d3d1025b4a7faf91073a58fd1f7add36a09d06c639837a0f200000008a7c6d088619fda0e28485eca89da302975914d81a1e8c8e42a0a86635580a004000000051209cdbc72fc125e14734874ea379b671ecc6c5f2c9399608de4a886941cebfe9329a470dc0d45d76dad06444c8a3ce25146048ded8351afdeb8a03597b833f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 30 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\VersionIndependentProgID\	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\InprocServer32	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\ProgID\ = "Psisdecd.AnalogCable.1"	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\Version\ = "1.0"	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\0\	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\FLAGS	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\VersionIndependentProgID\ = "Psisdecd.AnalogCable"	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\0	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\FLAGS\	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\VersionIndependentProgID	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\ = "STSCopy 1.0 Type Library"	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\0\win32	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\0\win32\	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\TypeLib\	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\Version\	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\ = "Papizwog.Perin class"	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\ProgID	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\FLAGS\ = "0"	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\TypeLib	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\InprocServer32\	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\InprocServer32\ = "C:\\Windows\\SysWOW64\\PsisDecd.dll"	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\TypeLib\ = "{BF7EBFA4-8D33-B711-D096-0D54645CDD05}"	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\Version	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3887495-A0B4-416D-D0AF-8CB075FB3C1C}\ProgID\	VIKP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0	VIKP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BF7EBFA4-8D33-B711-D096-0D54645CDD05}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\STSCOPY.DLL"	VIKP.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2652	VIKP.exe
Token: SeIncBasePriorityPrivilege	2652	VIKP.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1780	iexplore.exe
1884	iexplore.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe
1884	iexplore.exe
1884	iexplore.exe
1780	iexplore.exe
1780	iexplore.exe
3024	IEXPLORE.EXE
3024	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2652	VIKP.exe
2652	VIKP.exe
2652	VIKP.exe
2652	VIKP.exe
2652	VIKP.exe
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2920	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2920	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2920	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	30
PID 2112 wrote to memory of 2920	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	30
PID 2112 wrote to memory of 1780	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1780	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1780	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1780	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	31
PID 2112 wrote to memory of 1884	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	32
PID 2112 wrote to memory of 1884	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	32
PID 2112 wrote to memory of 1884	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	32
PID 2112 wrote to memory of 1884	2112	732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe	32
PID 2920 wrote to memory of 2652	2920	Alex o Elemento.exe	33
PID 2920 wrote to memory of 2652	2920	Alex o Elemento.exe	33
PID 2920 wrote to memory of 2652	2920	Alex o Elemento.exe	33
PID 2920 wrote to memory of 2652	2920	Alex o Elemento.exe	33
PID 1884 wrote to memory of 2760	1884	iexplore.exe	34
PID 1884 wrote to memory of 2760	1884	iexplore.exe	34
PID 1884 wrote to memory of 2760	1884	iexplore.exe	34
PID 1884 wrote to memory of 2760	1884	iexplore.exe	34
PID 1780 wrote to memory of 3024	1780	iexplore.exe	35
PID 1780 wrote to memory of 3024	1780	iexplore.exe	35
PID 1780 wrote to memory of 3024	1780	iexplore.exe	35
PID 1780 wrote to memory of 3024	1780	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\732d417731226c4b89e77bf962f2f981_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\Alex o Elemento.exe
  "C:\Users\Admin\AppData\Local\Temp\Alex o Elemento.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\28463\VIKP.exe
    "C:\Windows\system32\28463\VIKP.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2652
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Untitled-1.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3024
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Untitled-2.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1884 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
037ba592b6f7f4595fb79e50f57eab43

SHA1
827c7f1fa8bef97764ffbd27afd0e43736d6d2bf

SHA256
7924c75658779e1605bbcdfdad67e51a7475644a736c47f0bde9790fda2a9150

SHA512
1ca8a1af35852b24d3903e4583d87aa2597cf55bece866c75da4162967f42fa37a2afc6c798ab0165d94f55ccc4b75b70bc65d522a16aad00f8d82d37d1f24d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d35da64a105406afd5603c271d141ef3

SHA1
2f8130a4985337ff2c48ec8a0fedd9574f3cb447

SHA256
6fd628b3d8c36ddf706dd54a3b84813e66a0598b2e17f49cae74afe2691a90ea

SHA512
34abf992ed331d9a776da4f2f33dc6cf208d23987292a202093a3497672f239e408e20fdd3b72c87bd6a55715d9bcfc1f44b69e23de793ca515a784434eebc6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c894f9a3c40b93103af25d73e90b9daa

SHA1
6d6e9292917756002c3e99c2190bbc9e1e521cfa

SHA256
5c6f95d1bde8895edbc719e8b40591c2fea80b8b81e080c0ae33b06edc9f2571

SHA512
5dd13dc8c51ff3f522b8de9e3941c2a43e34ad958adc5e78e9c49dbce36684379f70a74f82d7df895a1cf373720826c8dc47a79e4d3f07fb7a07972a17555ecb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91fdc831c7a4a5577354fcb1b917e73e

SHA1
bd8051a36dab4bdc333dfbf803a52d26ae31cd19

SHA256
c0189ec0bec5484dd660c99d11ceaf52d6ab7977b72dc655142830a107377887

SHA512
2795db2f723a0b7af0509e6681ad9c4e6b438f7ee92e9ce6b96fb797747652f2ff3dfb0e99421f2f2248800113ad920dc2baa0c90bd9fbfdaeb070f05e4aa4fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9b602809947f5ecd2307c8a37139be0

SHA1
ebb8eb48e6b604bd50c8171404ae284cb6c244c1

SHA256
c842ddc853acd62faecc4fa78252435fa807be886ded85ed6ca3c528a61e8036

SHA512
98aaf2e6fbf9cd0cb87798ea646e05215c3ecb94e45c71ba8d64f1c3bce4249a5e62b47deb1bdc5ad6ef9e134edf7f86596e280bb0869d789b56d2fa97522137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f6b058df6f3da9d0b0e3f1161dd446c

SHA1
b947a499c2bf0a1863447221d0936c51d2afd98d

SHA256
b0291bd53365d251b1651cf33fa4876bd655505ad487d5fb924197b9cc598d13

SHA512
77f0994350cd9324fa9d1b49e4f643b2c84fedebcd16bf18d28b76168b77204418ca283e0596f830a8b3854747d7f9192729a94d680681d55ccf3707edcda19b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b0c2df099a915f9e59fb65f59249b76

SHA1
03a485bece3ec3aa58a1cbc394eb13b2e20a07b6

SHA256
a91303f56fc18a4e90a040c638088630aff9db82d02ce04ed7c5ef1797986b9d

SHA512
76719569a6473794a23f84461ee7ec35cbff790f4d083208172c1e6dc5c6565d26e96852f3608207551f9835f333cd7aac4caade05328dfd64a22f3cb6743702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8759aa200889ef12ea76a491741019ee

SHA1
a71e5084ce58ebc72ec76f043ba7e9d74f32b2a7

SHA256
a89ccb17d9725d3775bab2dc7376451bce09d5f3ec16cdef3a11036bfe19d8b1

SHA512
0e141357fbee022e4a8e69aabb408065947fa9e01074d4de91c9760a30d7c4692e608477f168d517fb5de20a8498ec32cd94e5c722508f42e4bf29ce89eb811f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c989ad6df7eaafa449710618a9dc0cb7

SHA1
9443490388d916cf2645fd7cdd0a9d57f946b6e5

SHA256
83774fc17171f50370a681d2967eec5ca1a31cebc28f8ee29023caa351a06905

SHA512
10ac63552f9460178cb58e9b619f4a6d330be0fcfd8ae4cf9c3bc5c46b1b51d9b5bf3cb41c10df192b577112587746bee459fb2a3c263ab6f81e2e183a7b4a53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1a982877c88a7374794b2ce41e5b33f

SHA1
4205184e66db144d388d29b361f7ab529c16e84a

SHA256
8ebe1100904c10c1b315b5dcb3c27c03ba4ff11b5cbde8d18a35102d048ef4f2

SHA512
cf09dc3b2a9adc0c494cd067895f4a596691f85060e0f5f832390bde4e9f3e04626a29ccb9f1fb318afb752adf0d4c1ce635ca1d136203818f227bdc27e66ef0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
389c33fba6155d9dcf1fdd9c5d8a2d6d

SHA1
a91b8a4b67f62961e72a79abb60096f2a946a83f

SHA256
d92c68637f9ee0c5ea15479b091df2260db4272da063b737d9015bdbca288cbb

SHA512
0cc7fe558805b271cb7be2a040aca639484538ac695a15e6a035e2f686a9ff05006405427f6bd621fcf899d241189307b0ba54338d86ff917893195835c76ac8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
811c70a922bda6c02e080503d6ab9f9c

SHA1
3143c14a610cbe406c124576dd8db91c1d25530a

SHA256
3e8300f1fb3bdd15621f36a1d0f86059f525695ae172d0bdf91b99d0efb6c81c

SHA512
a3dc75f0468a10d8ce62f779304d6e7ce534301f3792d800e6a0f9786d7b5367d52874aad458046a1d66869c4e818c78cd3ed315f343beaf78cf097b594987b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f107678de98a2ab344ba6123c3e55343

SHA1
4aad2656585e9bdf9b96e7b2f0f7bae9bbf122f3

SHA256
a480383b50a4139d43098152b7093d11ab86e044a60668927a0929306193a951

SHA512
a8a3b55151f57f977654652e1d70a55395269de8238ef13412b8737d066ef6efcfcc21bb55608b0b5b11a0b2b326097d195c6f3b0eb3ade7ad7069487d698b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ea766e6d9fc73ca5558b24b48820bc6

SHA1
eb639530cc311a5bba185cbb0fb61895def55b0d

SHA256
db10fc78b78de50dee395b076cd0ae6324ee52b8daf238390e123e1bf21a0ed7

SHA512
048eea873585bc0ce88d5635dc98f9148d6c0fad728cd7a4e78fa69999b9c44ff5531941c7b1b20a30314e2c0b056a4167fc4f6a945e5eff4a53bebea738f3f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90c1b8d472964601bb04ad16fec1c318

SHA1
b03e7f23f5f8dd38c13e4c9dd897e92b01c738bd

SHA256
b304a3fd536796234f78d7aa80d3d19552206f99e06bb592c8eb278226fefaa5

SHA512
df5c82741e09aa1b604dfead9f495bf5e115c0707e2e990ba45a5d43e0a080a41b8f64a3890298fd2038676882e0f15a216f208d6b19e72c235bd4c767f0129f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbcf7c7b4af537a8cc4e8021a8d289e1

SHA1
1aafce0ec945c2910bbc583a6c7e15a057317e11

SHA256
ecff2fea7bd48e24a9349e20373bcbde5879422bd39bc99bde03e22f2f3ccff8

SHA512
52a700bd74cc2fe0e292b6cc000ab7213ff2bb241f51796f957913fc259d4e1639f7271a525d80709cd120632863a0b438e2dbc363ac72df13398503221da54b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35c634596c4cb97d7c48e6fccf171f93

SHA1
61d683f29ddd55e32a09f0fbf4076c49484cfc0a

SHA256
5002889d588c74a5d0089f3e22c2664c83fd51aca5a0779f4dcbefa8afc615fd

SHA512
94133f308dc45d2a8c701e5bd4c4d3b056b118dfd5c27f9b4a3e40c0f31fa110f19f0f7c7078d6cd980f37cdd2e30c8e4470e45d4598138101d1f32bda94eb1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c5e4891770a2828bc429833b83a3545

SHA1
29b6654ed966d6d005a6198caef7d7cd3c30e074

SHA256
60392e21b404ba98a9148307a17d8ba4895a8612db99bb4e06319a4eb462cc07

SHA512
99ab4a23461d607eb5bd76adff9edebfaba39657513b1bc02d7f32604cb83d1754efa54a24f433943447cb5d44bb625509b77efdb52a88c1419ae6224f6fc545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C64C7C1-91ED-11EF-9CB9-62CAC36041A9}.dat

Filesize
3KB

MD5
dc621231bef18a3b76bb5028053fb546

SHA1
b4b2c69fd5715230a37f0dde3cc4725fc286cb40

SHA256
d50f3dc87b38d51832cc8f13389e18bc272d30871496c2f9a2bfdcc0ac2d0778

SHA512
083effccea09e5d779f0641c4ea7fa894f4557905f067b1740017a1dea75de3440fc4636d0fefcb5d40c0086c230f0028c58355ebacd5f05a623f29579fa413b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C64EED1-91ED-11EF-9CB9-62CAC36041A9}.dat

Filesize
5KB

MD5
5b35fb9476f5eed65a9d6856d19b576f

SHA1
6b83126edeca38e93d3dea4ab3f7d1e11ae6b163

SHA256
139f985f0273e917a5ba35620aebec159cdfaeb38568330b6a8359d20d4ac30a

SHA512
581d754ed0701ac37f51214e5c03f71a3baafb8eb649bc84019a4e902ee3f4e9095b8be9666594ec887f68aed85e3a5019372aa76fdecb3a4e467a17c7c6fe34

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCF24.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCFC3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Untitled-1.gif

Filesize
180KB

MD5
91d0d1edb284641da87aee7e3f9fbd9e

SHA1
a2896fe30e392ec4c82eec62c7fd816d42e8b197

SHA256
0b7dbb494ab80b4718a7b9cc385e72f5d3b48e715a5dd6e287333085999b0ebc

SHA512
c2f79c34350435eccdb10136f8bc1b66b43f599a11449c93c095e51a3f30b905e5173d60c012897513ffd3225cdc78121b2bbd80c2618cec61e698879d87c0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Untitled-2.gif

Filesize
129KB

MD5
8140056234c661a542fc06b22b0c91c8

SHA1
9ef6eaea0841d2768555a205111a82c36d0941bb

SHA256
cd505ef7f4fa9320d925fae49fa3ac8f53d262e152b41cb1d8da88f8e8aeb630

SHA512
1b4b772e44733d7f7b6f7653b00fce2205e3b97849e0a5826b09ff323b79f6b5c1dbb58cdcb3b2a691b2d21ef36511dd2e0ed633cf92ad818312232eb035ae66

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
f34b87951e1a931e01df1bc9f1b98207

SHA1
f3cc94e72bf7e9bf2afa7d8dbfef0ca2087358a1

SHA256
e6cf7cdc5895da8a65f8c4a1a1d0d0583218a1c28f66d25dc56fa67f9c34ed5b

SHA512
c2438d88489b9ed7c6c875ecde07411a488eac9115358c73f72d7029874f75803ebead03a41692a900648fb2b2be63b7c8b4e3a71984261185b6d5d6d7201641

Download Submit
C:\Windows\SysWOW64\28463\VIKP.001

Filesize
490B

MD5
4d6f9fbe0863b496f7815edccfaa4060

SHA1
0567060a2ae51ed25683d1b0428e7d065ba5f8da

SHA256
9deb04b61a22a0759bff4f8edfbe1a56bf87e5a8be662bfa447b2d3e9f4421a7

SHA512
b07ef6bfa0758a56fd44c57b5475309c59604c83138928ede41bd8dc71c4f1e780b5e8bd2592be53c170f7812bd899f9eb0bfcb7d8622bd923450f7405f837bf

Download Submit
C:\Windows\SysWOW64\28463\VIKP.006

Filesize
8KB

MD5
98d22fb2035a26a6b9b7decc0c0ff2fa

SHA1
43a75cf59fc2f8b59b1d962b4e685249eef816d5

SHA256
fd5c03fd9ea47c1e820d19bd307ad7c4e53f4b65d288cb675b05cbe76c9b5c25

SHA512
3cb7f765d6f4d1dc08a0087086f3fe243bd8ff9e699607cf1e4177892576665c0c799307751cba16fd3f1482e5abb884090024431be2ce86d4080f1d1134d91f

Download Submit
C:\Windows\SysWOW64\28463\VIKP.007

Filesize
5KB

MD5
15eb312db4b3e208b67082653acb8a02

SHA1
b0926b1e1733baa3d7f18d3806916f92704fccff

SHA256
72347b6d619bc7204a155486e4d09a62a4a494c35a8121349bfe2fecd5af99a8

SHA512
7e8d451bc9d1e83615db15d6cdf68230cdd333fa38362979f0408dc80bf680859a2bc3fc09c494805731317b0f136c3227226092f1bcc31c2c80cb73071aa443

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@AD4F.tmp

Filesize
4KB

MD5
36400e746829504282eb26b364826aa9

SHA1
d39ea9da98be0c331fd71002645f4f40664288a2

SHA256
c7ab756437211f6e0e3dcd7482bc67cb910e504345902049eb8abe34a656deb0

SHA512
5fe8fae2f5fcbd42c72cc8f6dd70aeec0afd94af5cfd905441630755790dc6ed346823ee009c21537b9cdb3b7b7a39eeed933606726ffd891dae47b60465f640

Download Submit
\Users\Admin\AppData\Local\Temp\Alex o Elemento.exe

Filesize
813KB

MD5
43e74709fb87cd1448469bd9a098908a

SHA1
882f2760870db3d544e766b72dda35100e37ba93

SHA256
4735e6559c3274a6feb204101228d3642277ee8d0a47f31cc853699cd42b7f5b

SHA512
168ee9a75b9746120786fb97707a7d3f954137840e2db01514232bbf0d79a280b65a3db8cc8e9e3f928edb0310c031850d3ca8ed34678c53a40a49015288f354

Download Submit
\Windows\SysWOW64\28463\VIKP.exe

Filesize
651KB

MD5
b181beaba4204ac3ce7bc8e6f0b74312

SHA1
4ab13763d2ecdf0968f15a39302aab2b1f0ab462

SHA256
f36bad234fd1599dd1398d20bc57499314fe96d5de20074536067b2d3c2b4f2d

SHA512
d1aaa2fd25e53986c8ea8213a8a02515927c9e9aa3e4d8077a138a29ba32c807ec81473b672a22ffb6ba26126ccd7e1d310e057ef964d3b21b1672a67af5fd7b

Download Submit
memory/2652-38-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/2652-500-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2652-53-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2652-54-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2652-35-0x00000000004E0000-0x000000000053A000-memory.dmp

Filesize
360KB

Download
memory/2652-36-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2652-37-0x0000000001EC0000-0x0000000001EC1000-memory.dmp

Filesize
4KB

Download
memory/2652-51-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2652-39-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2652-40-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2652-41-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2652-52-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2652-42-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2652-43-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2652-68-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2652-45-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2652-46-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/2652-66-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2652-34-0x0000000000400000-0x00000000004E0000-memory.dmp

Filesize
896KB

Download
memory/2652-67-0x00000000004E0000-0x000000000053A000-memory.dmp

Filesize
360KB

Download
memory/2920-28-0x0000000002A70000-0x0000000002B50000-memory.dmp

Filesize
896KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads