ardamax | 0aad85d84f05a4a15d601dde72683f809fed0373f57c99c4e4029d9f8e1d5ef3

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/12/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
Size

263KB
MD5

f6c0e59d2bf4e3a26bffbc4f534c8398
SHA1

357acce7d203efc55ac3208c2750226fca39d034
SHA256

0aad85d84f05a4a15d601dde72683f809fed0373f57c99c4e4029d9f8e1d5ef3
SHA512

ed0f0fcfaf42cd3ad019591a11e1c926b75fa191a0683b59aab80124e8e32975fb1f9e2895762bf8189b2a8b1ced42984f448e89d7819709ea3474fce1dba503
SSDEEP

6144:uMre14YG/6rQ+u5efO+0mX16ahX/K0KwjOKPbenLBKln:u/S3/saoO+0mX16jeOaKLByn

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00090000000191f3-12.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1040	MT.exe

Loads dropped DLL 9 IoCs

pid	Process
2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
1040	MT.exe
1040	MT.exe
1040	MT.exe
1040	MT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MT = "C:\\Program Files (x86)\\MT\\MT.exe"	MT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MT\menu.gif	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\menu.gif	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\MT.chm	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT	MT.exe
File opened for modification	C:\Program Files (x86)\MT\MT.006	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\MT.007	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\MT.004	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\license.txt	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\Uninstall.exe	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\MT.exe	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\MT.007	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\MT.004	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\license.txt	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\qs.html	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\qs.html	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\MT.exe	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\MT.006	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\AKV.exe	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\AKV.exe	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\tray.gif	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\tray.gif	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\MT.chm	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MT\MT.003	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
File created	C:\Program Files (x86)\MT\MT.003	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abc86716d39be3499ad8734989895fce00000000020000000000106600000001000020000000f10759399506ca578f1b6a96ada05f8757dcd3ef1bb6c01603f54fb204f6b295000000000e8000000002000020000000429d665818b25f6ee8807734b0b4df1bc3b4c15d6f5d89c5d6c52a04a95947f620000000deac93095b604b976d06aef7c1e305dcb25bc5d298090059cecd3a89ab1d043d400000008559dab90c2ce5ae4702e1b84de74d195de109f3d853b59b4d559507cfe24dc2cc8f6222162fe856a4df3860feb286b0370cdc3debc8cbd4358e1c6cff42cae1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 402e3fb95d4fdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440476025"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abc86716d39be3499ad8734989895fce00000000020000000000106600000001000020000000607f4ee7ad2cdd376135125c9f6003a6c211cbdd5984e2bca0ee1204f8239635000000000e8000000002000020000000ed92f9aa13d06acdb220166324d81975d39be2e6271c7e6272b25ec6f978128b9000000027eafb16d45ae3ef409fae70704b1edef8d1e421e482e4f178b682be71fc08d45f2a1e0c2d73b025a8b7edf9a80a6e475d41f29e5e55492cadc1c32f43df4e579faea3f023f9fe97c153fff3f498103702c0e1700457e8ff5fc88fbc61be37f771fe4a1bd3128a55b2a8ac45bd3e188e02128989b4e9edc1c900676a762a9009020d58317014c577fbb7639e52b9a9ce40000000bedb79e0c08814730fca735177db59cdb84a74049ca54c406baacb28c2e47c392bb722b6011c131d759f893f7c980cc56e4958576251cab9f5674594661ec24b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E4D38561-BB50-11EF-9D9F-E67A421F41DB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1040	MT.exe
Token: SeIncBasePriorityPrivilege	1040	MT.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1040	MT.exe
1688	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1040	MT.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1040	MT.exe
1040	MT.exe
1688	iexplore.exe
1688	iexplore.exe
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE
2268	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1040	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1040	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1040	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1040	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1040	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1040	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1040	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	31
PID 2512 wrote to memory of 1688	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	32
PID 2512 wrote to memory of 1688	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	32
PID 2512 wrote to memory of 1688	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	32
PID 2512 wrote to memory of 1688	2512	f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe	32
PID 1688 wrote to memory of 2268	1688	iexplore.exe	33
PID 1688 wrote to memory of 2268	1688	iexplore.exe	33
PID 1688 wrote to memory of 2268	1688	iexplore.exe	33
PID 1688 wrote to memory of 2268	1688	iexplore.exe	33
PID 1688 wrote to memory of 2268	1688	iexplore.exe	33
PID 1688 wrote to memory of 2268	1688	iexplore.exe	33
PID 1688 wrote to memory of 2268	1688	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6c0e59d2bf4e3a26bffbc4f534c8398_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Program Files (x86)\MT\MT.exe
  "C:\Program Files (x86)\MT\MT.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1040
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\MT\qs.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1688 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\MT\MT.006

Filesize
4KB

MD5
1153fe5fbe61266713539cae72d87ad3

SHA1
245047d3d158f4eda34290ed22e4bb13a28f9539

SHA256
3b2700a8033916afd0e89ab5519702720f35b94a570ebe865df113f2aacda16c

SHA512
24058cdebaf8ccfc00622301927b221116b846c2a8acf8f0935ba30e0d716bfecd6ab07aaf8d93030ec2149ee98eec5f6d2395ee8a1a62ad00e07124447c107c

Download Submit
C:\Program Files (x86)\MT\menu.gif

Filesize
7KB

MD5
572a4a33a8f93014f69c7f1ccaa54273

SHA1
136c0b3818b572c83c26869f0bf6cf2bd36f2036

SHA256
50245484d8606762cbba8d67b0238f7283a061d67b5e9f1f374064de695e0260

SHA512
d2582ca552b7d2f7fb576ba220ce9f122f4ecafac311b9d1c9f62062f4b0ccd707b7a77a86ba7a856f1ae68eddfe872e653a1b7246359040f3c7b92e33b7dce2

Download Submit
C:\Program Files (x86)\MT\qs.html

Filesize
1KB

MD5
1f8a533b1761fd59231b763303647650

SHA1
8f4f75b6b7228257b501c6b3f990d27c55ee1b7f

SHA256
1a962c7395d596113445b2b7fa0efd5bde4b64a413aa528daed9b7327aa2ae07

SHA512
f04535920dba1a820b1253c61b347bde4d14307258b1ecf866b9f481045cef074307500bdb1c4bb5bfe4f9a22811ba79df42f38141df15d3ae332b445095ad1a

Download Submit
C:\Program Files (x86)\MT\tray.gif

Filesize
1KB

MD5
7dd88dca29c7388f7423ef7cf917b202

SHA1
a16cfc0b8f08c4381dfdd3737d7610f01af54c00

SHA256
3140583f655378fbc1066339a4dd09a5a008570c77e9c6d022cd20b3d8cc9b43

SHA512
09a23c5b7b893bb8b3f988bf2e4deaf8811ed143abf560c2176abd9b638a5d1601be06abb6645568fc656739efaa13b8852cf1dd6e469140e471a37c60861b91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d612eba71a656298fad9d61f5383e73

SHA1
3e502cb140665234bd095e14b9b891544097c1c1

SHA256
9bf17126192da0c7941674b4e86cd2c051e04df113ebcf82531d064b8b0db81e

SHA512
7cfafbf629ee7c20433a011384efd259d4c619c30ea82414f9939e3a21767b2a2a6aa4cfd02bf359d21eb1f39367ed973f03c9d1aa64d79ecc7d6a9fb2b89fe1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a9b985c3d9ad7ae4c1c189d369be9af

SHA1
bf5fb1fa9100b919b779b525768fd3a3b327a510

SHA256
791684119c1ed2a7cd1cb1432f17b398f13a888d9de52e780110ce31e382a6e3

SHA512
4088e8f04e2154f1af8501fa5de6eddcedbeb61df7e2c910083d2a4007cfbacae0a33be50888beceb15af62486933d5aa07ba503dabdc9fe0fa40a2a8643c474

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
016c6cfb1927f4c6de853a12a0ba9ff7

SHA1
9957427ecbbf8a444c38e613c9587c8a6baddec2

SHA256
1b45935f48e038bf9e6d7159e2f2c09b5fa9ac39a0274085f47940bd891446b4

SHA512
1718714dc5853a9983cf726e66362f9204bc115e692d24eadbbf0ddb21e3b3b94f1dfaf9a7cdbcd488341fbf42635b2cab5c396c7348b66b0f98ec29cf4f5802

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09c2ec96e4fb7103a15c7a17c0b3192

SHA1
a5c47e889e9d22a266da6e959550bbc479657633

SHA256
7e7536c4a3e6d87f2ac60e2a8cab1e87cb3ceeba056ed4dbbea5d32384a584fd

SHA512
a4c8fc2e53bbcf2cdc66b72f39c1e20da70c0f7871b57c00ea9cbe2d27575a8433d2d58f708b46890eb213928eb40192364073dbc5c256ac20562898f1eb595f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ce439c92d456406aa97169d127877f8

SHA1
96ccc32dd28aa77769b0e5665549ea7baa59a313

SHA256
6530d9552f3662dc87579c516aa691b0ee1611a23149fb6f61b3f33511867d03

SHA512
fa0f0ce479d2505e7f4458b0099eddd1695249351753d73ff982729b7870b7dc5c27ff020dd2d142b8439393638087c0c7a8a924aad4315ddcd428e2dd6f5cff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36ec1eef7490897b4f935ffac01047e7

SHA1
eea3ba7b442f6f43ae618bb03fe0e7c1ecf72dd8

SHA256
945d2c1e1f3751751ef352b687b201042946637d5ef63eb53b80cb9ad5772640

SHA512
b9558e8297ed5d6754ffaf7a8c874aefbe5570d54bc0f763bce9f74e21a916787d6cc27fadd3f833533ca0d3d96c47b0261bc4dde2c6026ec6325ec12c57a919

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c53053a4eb41e7aac9c3dd50c10e781

SHA1
f6c5d0d3e359bc2db282e2859132a42ab0d7ec8d

SHA256
0f9299d8860615d027465396c46e186726579a8e3c312e4b8405e984abf91dde

SHA512
566e3cc70e095d753e48717e9af39e4989b38bbd4b187a5a284b20a3dc725c81e160b4ecbb0b014026d5464075100bae2ab44caa9a4873ef21136661b675df42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f85df8747ee7d8489ffbf5864fcc98a

SHA1
5470c91f4342064b2a024f8adf8a7c042338a67f

SHA256
c0a6853d1219e8a22496606e51bd048930d251eb7bfb9745b9818b2212dee032

SHA512
0d448a2e6e155d32f5b7ece5bb5563d4ee7bf994a5e78fe7e85611cb1aa805a4baf1365ce5a08d33c48c42997a8eaf3281546023ba6c7423973d20bddebb643d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
709d30b28192210b71ea8a007ab4a7ee

SHA1
cfc229a0b2392dc2c304f522ea57f569c799a89c

SHA256
dc6d31a8fc1f1062bb39e9afc72706ef137bec47f9344f6d70d2c5d6da633499

SHA512
b9b373a007b9b6df7b089c938eda6e4c24fff0176d1a4293fc39d8c4368ef62e8e9419c1e36f7696a5e871c044c391275635f7723cb7b11e5cb313948780096d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81eee39d5d95bbe373ed2f9e07fb471a

SHA1
98b8379a1f3118566381b4df9511522b449f82e2

SHA256
241e97c1c51d0c05ad849602f8a9c3604032cf67d385bf245f1a71300257b9b3

SHA512
f515b85ad224e9f7c5ec6b2840c647348ac304341c5f44659de93f3d78ce7989270830c4ec3ec9551e7c6db76301588eacd132eea15828ab67a3d5540e87fc62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c163e006ca113b9a1efab9844c56a9f1

SHA1
2686e321bf397da214ebbf87b4c81372b18b10a6

SHA256
3552699d366775e61df3ee55f78b06e8dc5144eab68a4d031447119b1027086a

SHA512
edb96fc8aea459647ed9cc31da6f29237df25cee9ed7d004aa69fb30e29493851955bd769dcd4ce3aa55dcf61661569978faf3cb34668f88d54cb9bfd3486784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adf56f3630de98a94d1dacab6ba71390

SHA1
2d2dcb209db8f723f1c20076ae0493a0de9c87af

SHA256
d9f801752f990bb39f3827cdb6472773ce8032fea2001da7e28b8939b3b60ab9

SHA512
5afde61a95dd99a3b8aeb869a8a8ec1c0921a78b4905de52898177bfffdd41f094052f0c219512ce91d34bc7ef491ac84b0cba8c310c3e490c8b91b15fa8724a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c71b721e1e056dbe09458a2b5d50ebe

SHA1
a12b6b0c4f831fa1184d74feda04152e4b2d4109

SHA256
acde0dfd2ed4c12d8df45acb1971a891e939a8804d04eed548d5d6ac3d7bf52d

SHA512
9e76b8b46a99d0972cfe6ea723e3402768185bd674f612477d9b1b532a89607c2632eea6448c7f68ce18c6f30b72d1469d3f7255a9164afc4470f0bca9d0aca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
545209930adcb5dfad483a2c40fad298

SHA1
fe3f7524395f6f228a2a9a0bc2b33913cd185905

SHA256
6f878adf381c475a20f5b9b3c2067e529fc9aecd2a8e540ecc922fc21111c4df

SHA512
a0e9fb943908e45a0869060d1e0b821174425f0f602442984714a892d06d5b20af61115f934a089b1eb4122ac4bf2ed14f69675e4b3e596ed38e4023d8b3f70f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6172fd9fbbbada0dfd6f6e4d0c9fcdb1

SHA1
155371d591d55ea8502a3897703318f594291cd8

SHA256
9d3a3260b8a0d1fbc26ad0d48b51c58e4dd240f82c994bf6c2c31cdf02a4ed6d

SHA512
3ce0802f034d7307167d1226068e42ab6b3a1ed6276e809cdf4854c1f93d078a243c06851e39e771813d6d706800b22c8f644f4806c6f5f5ee85c072396187ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ed3923a71e62c412d255334bd4a9ed0

SHA1
f60b41300706e1477c785413fa4e1378cdd9170f

SHA256
7ca524a27dd7ae243a2c34c30d5539c5244bc5d63295bd00d220544c2008afcc

SHA512
febed4001f5d9f115fd7000603baf5be51c038d362aef2b2c9ca24e53e14084296168535030f058269faa6b82ce25d3646c18a63351acea0d8d51f43d8ba6ad1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8dce448f603754d4baa06740a13c64e

SHA1
980f461c652859e014c105c3b82b0416414ce203

SHA256
46143cf32226b17e71c2ba5b0666ba7e5789133e99cb3fb5c9f1e29e5ca4843f

SHA512
d824cab04f0021feb2488a39b9566a5bbb0b7274118ab78dccc8c62f28ce237a5d1f048c7309256470c587c00da3ae1065ad3a2b62fde2265b07559accdb83fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6536d1d862322ecc37a2060275d56354

SHA1
b931eb85a498fbfff280c4fd1edb2cd57290c793

SHA256
5f3b608393b73b9c2bea96420f2af802f69a360e490823dfe50a321cb6335ca8

SHA512
f92bcd2dd710a3f09771ee2684e0e9c10c9e355de8c7f32f136def95e9311dd378305edbefa3a661763afd086495825a0910f14a76fe3b5017d72c8022c527c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2805a203607a062d8746ab1dbad2a12a

SHA1
156d492c7af2ff6e5a028d61f1b2cd0b50fa42be

SHA256
a9e0487389b6705c14764b65b137633282560e47fa2d7ec6bc9343dcadbfa4a6

SHA512
e0ce56e5439f38376db137fc620ba2e20de5da844ea138550ea5689043a270892dfe8ee65e74d70f83c92a8ed0b98fdeee93d2d4d042fa2754c8d1541bf7afee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2DC7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2E95.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\ioSpecial.ini

Filesize
736B

MD5
3ac74546bae2d22ed32120c062b41327

SHA1
610b632e6ab58734677a90c6f27dc9ad5ea509df

SHA256
fef27cd9c87beb7caa822cf10b00d0beb9b61e15a4bf0a8e19316c12556fdf28

SHA512
eecde60f121a84a62fd00556c45d4be08fda7d3248bf39d153a3ce54775d38b5d245c2b5f0c1bf8d7b95a73e41fd838aef100fc042865d8d7865602052230987

Download Submit
\Program Files (x86)\MT\AKV.exe

Filesize
164KB

MD5
8d203326b01bd2727e59f3c0c067af79

SHA1
77c12f3a6c379fb240c123381b85021b3f0e2b73

SHA256
830081bb73acd2068fa34ae5d65c5fecaac8772e264e7dc6e5ff6401f073d97a

SHA512
a655234055c9f053ee50f6e8b01d3ff9ce7ccd00596b172c1087a5ab4b99e8ac3b51588442944694bc0de776e5a4da22e2a3adde060db74508d535fd1a9d3e5d

Download Submit
\Program Files (x86)\MT\MT.exe

Filesize
231KB

MD5
79c6903c4794af027053331946137b26

SHA1
b688916709014fc874c5b7870553105a9961c652

SHA256
f3cbf3dd3f229f6119a8be5357959b77af1a43f9d568a7febe9a06f7593b20ed

SHA512
ac28813dcdc38ff1b0736b1673ced7e35d7da5667b0224b88952908564373ae61aff1b0f03d27e40b613559c8d4e37c402269791db2ed1311f62d069a2e5111e

Download Submit
\Users\Admin\AppData\Local\Temp\nstA8CF.tmp\InstallOptions.dll

Filesize
12KB

MD5
9aff00ec14e6cb71a13451011c580077

SHA1
5972140e4a0addb9eac685fe6037da7479f23ecf

SHA256
cc8145683ad8fd77bd5cca193e84188e40d6d03a0a0d1d00e2bdbef91be96bb3

SHA512
311abd4e9927c1424d794ba401f3935ad3b108a2124e58e0d29aa946514c7a1d62b9b08b013699f4f90796bdfb6c07211daddbb521c1d20ccee771f6ea43b110

Download Submit
memory/1040-178-0x0000000000A70000-0x0000000000A72000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads