ardamax | 6149855591c7e4babbaa357c87db758a16f8f593c79bc72c4696466b01e5a509

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
Size

1.1MB
MD5

ba6865851d485da09c8bdec42d948462
SHA1

18e362f19436db3cc6866e404f144d50ddbe0515
SHA256

6149855591c7e4babbaa357c87db758a16f8f593c79bc72c4696466b01e5a509
SHA512

8db89b9701c14290d931b28424e1e039d0733f3d1ec6a0310160407a73be7e932d1293a765117e446fd3aada366b1ec84d3df27935b8ad816a2a06e70a1cf1de
SSDEEP

24576:3U4oT8KkjTGgGXL8aufWWYBPDIQjYiGyjZhn/19CPhrq9HDfMfGx8a:3ULTHETwXo+7cQEkjeBq9gZ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016d4f-6.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2860	ENF.exe

Loads dropped DLL 3 IoCs

pid	Process
1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
2860	ENF.exe
2884	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ENF Start = "C:\\Windows\\SysWOW64\\YKGKYD\\ENF.exe"	ENF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\YKGKYD\ENF.002	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YKGKYD\AKV.exe	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YKGKYD\ENF.exe	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YKGKYD\ENF.006	ENF.exe
File opened for modification	C:\Windows\SysWOW64\YKGKYD\ENF.006	ENF.exe
File created	C:\Windows\SysWOW64\YKGKYD\ENF.004	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\YKGKYD\ENF.001	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\YKGKYD\	ENF.exe
File created	C:\Windows\SysWOW64\YKGKYD\Web_Dec_02_2024__22_09_51.html	ENF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ENF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f08e47fc0645db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{25E34A61-B0FA-11EF-8778-C60424AAF5E1} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fad5492b7d4a1d469f20d1c73e162967000000000200000000001066000000010000200000002b038895ac2c008d97d1358174c5b8f6b4175315db6fe4428d5e2455011e3233000000000e8000000002000020000000a01327b76f116af9e45877825da490bf9b9d6af80eabda31035b95bb102e1f2520000000325083c0a8ad28386d9d9c053d7c45c2f34865939cf529d6289d7b2ae5632770400000003ea42bf317a001b38c9ee269c9d7c15536b0476fa3758c529edd357ca1c1a19f923bed305ed731320459b5bb6abb8b01cd68b447ecb0272f81f60f5b2f313241	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fad5492b7d4a1d469f20d1c73e16296700000000020000000000106600000001000020000000361bfe0e6edd8d21aa3217d7e7df9f78eb53f8eda4d84beab8cbb57ee727cdaa000000000e80000000020000200000007be16d889c2136063b2ab5b75a72d9be7832de19c0ea848a0bd8246d83de808c9000000046e26a39c502d694abfda84aecf8d821987f0384f110a6669e718a5ca7d16a0e6254f3bbed33c993900087c486661a4f18bf6c594e57d2af367e9835b9bdceb119693474e2a18e937318b5ca534d7c3e5898151d8d1163bc9efb16b3d88f04ffac0ad53edc5e4e27fb64b089ebf9f9fc45cdcd3c7f1f368cbf3d7d6ec4091d1ee481c73c8e73623a730533067420a6144000000090baa92ccb2b02641d5c89f11bbacd6b6c7127acafccf8225c656b1add1c1dd5385e986d5c7acb955c5013e919632c9efc3029c7850c8985c5ef67345d137fb3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439339257"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2860	ENF.exe
Token: SeIncBasePriorityPrivilege	2860	ENF.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2892	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2860	ENF.exe
2860	ENF.exe
2860	ENF.exe
2860	ENF.exe
2892	iexplore.exe
2892	iexplore.exe
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE
2884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2860	1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2860	1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2860	1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2860	1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2892	1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	31
PID 1448 wrote to memory of 2892	1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	31
PID 1448 wrote to memory of 2892	1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	31
PID 1448 wrote to memory of 2892	1448	ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe	31
PID 2892 wrote to memory of 2884	2892	iexplore.exe	32
PID 2892 wrote to memory of 2884	2892	iexplore.exe	32
PID 2892 wrote to memory of 2884	2892	iexplore.exe	32
PID 2892 wrote to memory of 2884	2892	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ba6865851d485da09c8bdec42d948462_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\SysWOW64\YKGKYD\ENF.exe
  "C:\Windows\system32\YKGKYD\ENF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2860
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Meu X1.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
c9e22d3f0d574463497015b0e4f4e7b2

SHA1
fa78c24d95e5d081b79f717fde8a0260dfff9ca9

SHA256
34ee009fbcfe9e9d6110b877140dbe20364b534a5c2100d9f611d8b6f2f89a11

SHA512
e72b3d60d9d32bb031140eb48c9f2e692724e927c242905c1b6862fd3a8e6f28fef30c548305744f1facf53b5810327671f155fcbc83f272dd07b00aafa87d04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
78ccf00d0e97ea4689b5402471f47631

SHA1
968b223c4ef98a01713c904cf5da5faf5038fc2d

SHA256
97e847750bc1f56c3620ed94e4f4360e7b33ae0b6abb839669b9bc6d03d98113

SHA512
9e75c68ce20ed5b22628c5ee51eef0659e9edae8a58496bfafe2d429d4f75126c5f444cd300fd5fd61d176a25689f39cf24797602d1516cbcc4c50b0b67dd2e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dfbae7b64fa1b782b8d2b605a6593ab

SHA1
3ea11122cb7fbfcec04d622502a22dc767447045

SHA256
336cec92ae6e59053b6d8cad9380d376ab617a57b15f297aea95b5ab4e039212

SHA512
40a7aecbd260a10f2d359ed8b2c15b45328a1b29b9afe9702c3e8a6d4627d45a1532ad6d791a423a998e4fd0046d351cc6f636b30df24ef7565a8932b16a0fed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
225738332ccf0ed6deb1f690587563c5

SHA1
9b425d3f0c8f842aa3392c8664cbc18355815ab5

SHA256
299d2dbfe17d8273f1672d7792bb52576eb237e6bf845fc32637beaecbab92f6

SHA512
2d2e0d6131d5b46bdb96f2b8261c57655546c4516ff0231bb78db126351daafdbc7b75afd3b1886aed828c241565dd160afe1d0c7284377929c2a4d7984ea570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9d940b27b25d00dabc2b6c7ab6b0a9e

SHA1
bf4acaf91aa26cf7a90552aaea0dbcf3a39fef10

SHA256
8155935f0c2de9c76c460c110ec48a3efa8ba3c7c2f2bfae10d7b3bd490cc725

SHA512
60bade825edfa8178a9a87fc042bd731d7c2299d1ce5282d60776165c13865e47f925ba67b404fcc677bca7a711b56e692f6872ade613a96459e790dcc5e4262

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64c29ba5fd2c7f384ca7cca8b2f835dc

SHA1
3a9045bc3ac64f5fcdfc10a8c74fd5000cc35c81

SHA256
2d9c1c1850d95707f4b90bfd7c8d74f95b612638aff68eed5a8153e1d0e084d9

SHA512
53a3eb907548be48fc05b6495914cc2ec2d3a7a1d587e649afa2a9138483a7af9ea90eaecc21d24209e0e8fccf10378af2417f05729599ad05c5a5635aeb77e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2e9c21fd1b820e86005fc0dc905e036

SHA1
3854d9b1f15965b9f08922b17d7fdec0c77e3980

SHA256
fc40a418acc1e93a545f2d39afd10fe0a15d2a8ffa02187ace65c8e4f8da9737

SHA512
26a9aca6252168576eedc1dd8867621a43b94f5ae702d83878d11247c47a123bd9316fa0edb5cf2c9027e55225d302371394fc2bc4021a7ae63c8512e43065c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6ea55be7aebb4e4bfabcb5bd79f027e

SHA1
58a2080d456b2d53fcce3699076dbb4131f2a76c

SHA256
764695bc651e5ab73832926d8fffae368751cbdf8a8ad31aaa298b9f69d59f73

SHA512
4d55b8d383acb1ea13cfd712157165686816197c5932182e87333c008c01f2ae65e054988a5214f1992d41de9e3b21b946e4a431bed15e219da675d0b87deeb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0026e5bbb4ceb8c71793521aa1718afb

SHA1
956db6fa22d8aa47b72dd3811bfde12fdbab728b

SHA256
d5e99b7e2a4604e5cc2170b48b38d464658ff25254cba03fc700c0a76de4495b

SHA512
a78fc23f5e5d5f3b435961f08db727dc6fddab59db9b12bc28ef6d87512999208d7ddb87c50552a58c64410ba7d746dae028a6414b6de7022050476d4a5f3a25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d09ba766a4b795c99fb5d858e1af0d9

SHA1
ed6474df8fc3c597ccd9894932d990b160702e5b

SHA256
f0cb682ad3a612d3c78ad57019a0054c5ca45c17307ed072753f4379eded8796

SHA512
dc0127e3ea38603a806659c00bf006c70cce74236780fd1e20481ded8c03188a44a1c763d167875bed73cf2ab853bf20b6f97889e8c2401e29cd3d26b61d4bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1b50f9ae910be630688a997f61178d9

SHA1
fb5f0c1858a0ef5ec99777144f5d658c2a0ecb0d

SHA256
bb194ab191033055a09591e9bc523f400a57a510be70a6e02f864b64cc2516b1

SHA512
d1878712b143afdabec682d1cd741a38ff733fdb1ecb07cdb4beba93b88c1cd3099ccf301be6a7be3ad56d933ef9ebd9dd5c1d0c7264a7b1499c7b78b14d1f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b40fc51bdf893e6d46f23f1edfd46358

SHA1
b9cb4af41b6e89064e39487873484d3341ff804f

SHA256
d12f9dbab30ddb0a6019ea6b981710bc82c185c8aa16db68e1a19dad03bddf85

SHA512
572779771a189f56802e5423be81a2dcd3d5eb80818f5623afb70bb2e32d3933d2e87c17deb3a676efac4f2a7c074e1a73d2290f73db6f928331a249140112f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d49ca62e5410eec53c000a315cad3ccd

SHA1
c7387cc159e6afc7cac2888fc4c5aeab95eb35ac

SHA256
7afd52c67534b8073ddb7b6aa41eb74a989bd7292b47d94ccaa9fd096fc71290

SHA512
621c9648dd4332e19a1386c9fae4b05fb336a6dcc276daffccb8ad5250f6b570b25074b66bf8e65864b21e5a09c2e2c2b5dadb2750210fd5de3318e03aaf3702

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38248e68cad75d952e47633c2637563c

SHA1
5a49bdc28fc15705ade6db1721a613fcf530f940

SHA256
7d27e62aee2e201d9199de8818a5386ff5cedb6fb3d70a657b1e91aa72bd1568

SHA512
d699af6a5b0f014f5c3652a33b50f4d52ced64a76a6f6aa358ae9bdaf5cd2daa8104978af2900cee2916c2f885d9e15f8963e4fc52a94466e7a400287172e721

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d806ae4385989afc51c460a9385dae3c

SHA1
9f2c8244f3e3e05c0332b912dac4711c3b06c5be

SHA256
7837b2f18bdd4b25b603edf23426086a6ed8e5afce9edd4169d65c3976e60a38

SHA512
3dbd7abd3a459c361eed31d654e297d91eb8e59cb4d63697957e8b01ecd3597c63deae4fa2627aa57f373c35d86d6cef8db8a7004ee7981430ed6ef21d8e1008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c6aaa0bc0eae38a939682bf6c207b70

SHA1
918c92bd7dc715d20288063d7c7d7ed2708f8abb

SHA256
811abc824cb370e69712a7ede2a595f6a2ced5c1c102b09ac26a456722e70cd5

SHA512
a337736fe65053e0340ef290c7682caaa2b32b6fab52cf05c32c6bb4b708e880d33c3ed69d4ffc29557052d869336fb3c4085739fa1c43234d2c21166d0c82ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1a6a7e224e15d1bc0e5e931fbeb24c1

SHA1
1def2e24ccb61a7b3a0047130804a31f741933da

SHA256
338670bcfec97afef5c1c005385a21b4d4918fff4e79c7be384d277623d283d6

SHA512
16410fabc39c314b40cc13170d740e0334dac6ffd8474c2f0cf22bbb593f0da5077d952f51bef3fcc5c9024a3f6cac98db0ac5240c2f76e3af208013962683ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79a39221ea7964f718c4fb5411331afc

SHA1
4ad8872f5bb666ab7071bb983eadca536da533f6

SHA256
8be4b54f7a2c0e82636eb3e0278277e6420d0df647eeec7bd0d34796858efb9b

SHA512
fa728b452b93d306c064b1f2c2fe7c22b58d89793dc19976e3ba9d5e7996639394cdfa785e19817a9c630dcc35756660ff27efc08ec095b99d15a70eaa92e381

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c39dc425f5543621e69ab91b8c1f7602

SHA1
2b154666cf75fbcab709018847ca7f99cf7573e8

SHA256
403bcaf6d39d18f24be2ff31a81ab06acac23f941a59dfc9bb7d606fb5a32d95

SHA512
7d7ac34088572c54083e1f8819b79dc14ba3510d2eb122578cda4c173ea5bd1695d13671f25c5f8897e3979636afc216f66307661695cc843399396940d56526

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
484fa2e0d0af023d87ae42ef3d494873

SHA1
5a406022b1028c6ff47c17f1ec349a746355196b

SHA256
cddabafaa622a8e74460a8c33d1d6a15e0e0e3101d1f326bc142c402bb9ea80c

SHA512
9cdf690f1e6610b74658b725e8ecf4c325e126cefaa44e0c7882573cfd373dc0bed3200c3bdd3ed473446b3c4713b069b5b8b086706938b97abc29a4ebee541b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
953f40905f881f3873eacfc407fc2d0d

SHA1
c0d642ba9ea40b6ee4e6e7e4693d6f00cdf6de06

SHA256
2bbca7227ba405d350fdf80ec91a44967013952e9faad0642bcf56f7aea22262

SHA512
3f9560fc2d892f1fac2a3939875411d7a99f90f41fb9a10eb8070d75c1c54f11cc551d89c347040cd4d41b39b3492e95dae289a761fb49ba2c3160d645469b86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ad8427cae5b1e179b32a0ded8c988548

SHA1
1c0a24d484e8f86ee153d96fcfe58211f427b2b9

SHA256
44c333dc9d32d11dce80b73630c4c7606428102f4a77958178b5a51b0022fa84

SHA512
655631a837a3f7f26188b6dbc5aa4ee5d99d736ca45bf4641aaf3c03f0d0c95fb2a65bb560c1915f5645c0514e8810dc2985a5987722a55909918fab973c5831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QS2MOPHD\U8KSKJ01.htm

Filesize
5KB

MD5
68b4b73b0011ed6665a8eb2a82376c9e

SHA1
85f223d2ec5a92ac174c9e6583a3a7ca190e2305

SHA256
f2d5adae8b8b0e3ea24e63b9f6fe1ecc9b7de88e975bc74f4ae5529e7c6355b9

SHA512
8b652fee2e1c3393de30696023a7f93de5cb8c77381f4058f91ed78428688d6b2ab73012a84bc5770291418979ca8543e3dc12a11e2bb2ac542de01f2b93b756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y1738IZL\5QRL3EIV.htm

Filesize
167B

MD5
0104c301c5e02bd6148b8703d19b3a73

SHA1
7436e0b4b1f8c222c38069890b75fa2baf9ca620

SHA256
446a6087825fa73eadb045e5a2e9e2adf7df241b571228187728191d961dda1f

SHA512
84427b656a6234a651a6d8285c103645b861a18a6c5af4abb5cb4f3beb5a4f0df4a74603a0896c7608790fbb886dc40508e92d5709f44dca05dd46c8316d15bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF4E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Meu X1.htm

Filesize
1KB

MD5
25353579bd802fa2e39d2a9ba462bcde

SHA1
5d67321e57b8dc31e6e9760e5fae54155d07274f

SHA256
ee602e03640dd70aa69463e3aacb7c2e84ce297a1417e00fbcdb697f83295fcd

SHA512
473f7d6f79b99d489cdcb47ff74d7e72451b59919af2feffb4cb0b2128a667513c9b449ad0de434ad19038f36f860e99f64c03829d84e9bf5f5b2c6f87095c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DC7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\YKGKYD\AKV.exe

Filesize
456KB

MD5
48cfaed4d566c34716326302b49bdad2

SHA1
566e0989b6bc7ed205f9ae250ea98e3a4d7fba52

SHA256
54c2e10de3ed7135d20c239a7f656c6ff57d1158607fa4c6779e042681de87ea

SHA512
96c871ed9af039142aab5904021d3ef3f75a58c5cc1fdf4d59e40e3699fd03e7cff384b788f7359a1de519ebdcafdad55891fef4f67e2c216ea89ebc945996a0

Download Submit
C:\Windows\SysWOW64\YKGKYD\Dec_02_2024__22_09_51.006

Filesize
287B

MD5
c7e43905a1f8af30767e41153277eb7d

SHA1
c6e30cf537ac25ab92ab89632d548101b675901f

SHA256
621cb6b381af8727b5bf7c6659e2a589db50e6fcf1258c90c0ba83a0366d7a77

SHA512
806e385a1d3ede43bdd91784919cfebc7dc019320ea98cec50d37ab54abbf80d11c47f2247125ed403ee3f8df53dbd7957b3641a34725f52428beb6ac4e93fe9

Download Submit
C:\Windows\SysWOW64\YKGKYD\ENF.002

Filesize
43KB

MD5
daabecdfba287a3333b60ae82211acd7

SHA1
e67b4c7bf0dd71ad47263a58bb60be4bce504b84

SHA256
12981c35adf6f00c7dddbc3ab23c04c30133cc5be107015dab9fd7ba4e8b4173

SHA512
937f551f959bd823292fe5983bbfb1c3a6dd86426a5da228dc7ddba38138c898599bc713d707b9d3463b20825cee0783d92c1c19019cd0328986a8aef5c1222f

Download Submit
C:\Windows\SysWOW64\YKGKYD\ENF.004

Filesize
1KB

MD5
154d24bd0642c39e1e3ea10ef3dd9f68

SHA1
7764cd4c590809bbe42a5f72655226dd934b11e1

SHA256
3f3e6bcfa0a3be2a972e4319333f296816218d48c90f9b54285dcfac7d1b04d5

SHA512
42b3aa93cb0c669ab78eeeca5c5caa882e2aa0c881176a656d52ce8d8ed0c7c89c25e11db6d2f63a8be09456fed123963b280444eadcfc913099d60dd19cbc1e

Download Submit
\Windows\SysWOW64\YKGKYD\ENF.001

Filesize
60KB

MD5
a15c556f17d7db8287e023138942d5db

SHA1
880bf8ec944120830dc2e2e040e5996e4e0e6c83

SHA256
f3716810ab011a4cb7693d31b69cd540380ef2a067724e0d568070c8a558694e

SHA512
930339711e3d73e5af0778367a648c94411c20d23bf4c27ec5d72222e76b8902eb3fc0992d70cc4141600c19087159514246d42f1e762c98dad306f8e0bd99cd

Download Submit
\Windows\SysWOW64\YKGKYD\ENF.exe

Filesize
1.7MB

MD5
f3819a6cab8ae058254c4abb3844d87e

SHA1
0f8b1a74af87f1823ec0d76e21a8d54d55a53a8b

SHA256
3d656d1364b4b2382020f64990a2c630b7b9422ca7b7fe2c30646fda3303e6c9

SHA512
dfe9d342f3ad543fec8bd278e21ac5059b1c36ed3f735734e9b92d639cb25609f9307862ab2b35ea3e88713f4a652abe5863871225f915462c79d493ac5e1f57

Download Submit
memory/2860-481-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2860-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads