ardamax | fa80356b76dad5e1ecff2b63c4e3b62da4fb8878d779db1eee4c9cff30df8ae9

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
Size

493KB
MD5

12f65bf4176aaaebb138c32e9e9d6250
SHA1

990768258a393a5a0dd4fe33062b7a66cea35d22
SHA256

fa80356b76dad5e1ecff2b63c4e3b62da4fb8878d779db1eee4c9cff30df8ae9
SHA512

fabe4a6b15e48250166c820cefb1451ec1e2ac602e2635a8fea39b6f450858f36ec66d1983f35f7f792cbdb34f1f746784f90c2081192c20bd1d000c2c9c4de2
SSDEEP

6144:L92OjqlxnzU3uraQGtzVwSNxFTkmWv+oO3OZy8ggPjXl3j0+xvdx8NDTgTAZbdQg:L981zUeraQW1jhWcXojVj0+JgND71b

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016dc9-11.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2560	LKJU.exe

Loads dropped DLL 9 IoCs

pid	Process
2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
2560	LKJU.exe
2560	LKJU.exe
2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LKJU Agent = "C:\\Windows\\SysWOW64\\28463\\LKJU.exe"	LKJU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\LKJU.001	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
File created	C:\Windows\SysWOW64\28463\LKJU.006	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
File created	C:\Windows\SysWOW64\28463\LKJU.007	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
File created	C:\Windows\SysWOW64\28463\LKJU.exe	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
File opened for modification	C:\Windows\SysWOW64\28463	LKJU.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LKJU.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B3464B01-D931-11EF-8A1D-72B582744574} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000044924152c4523f4ab2d8e62aa42621b200000000020000000000106600000001000020000000b1b0cbab5731fd798001f3272fea4b0a8df5540f1c920119d67843940a1fece7000000000e8000000002000020000000dd51470acd946fba168ba050b8b745ad89ce9b82336c78a9baebeababfe1b83f200000005ae6dc8a31f985a828de585f1125788eee726021c9ec1652bf74969b1bf13108400000002fa56abb3a5c9d7619439f6449f2b2870deff11a9945cf2d17c25593f02119991a87b573b539a1c28dd403ed7da282d4fb4dc5f6a85307bbdbc44ac0d97ca4bb	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443761163"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0a05f883e6ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000044924152c4523f4ab2d8e62aa42621b2000000000200000000001066000000010000200000006bdc5506537bf230dc45e9287b9aaec279bc1df0749d4dd0daff25b1fa7db939000000000e800000000200002000000076c08bc50cb9ea986e8f9c7dc83f4a8a6a125a6087d43002044bdf0ca2adb9ac9000000063a5279d1c29230619bb32d98a72ea4822b029435deae87a022e275f951a0d60717c75de7f41d84451660e97590c775be9d0e852e192e54d92f8c56d0457b91a22f4ab17bcf214f9639a1ae9d6282871b04996066584053999df282981c3ceab7f7ac5cee0ffc9e1f3754b6911f1fb1b225882b8c6c86d29a0052232275e7d8d2dfc0811dee420d38c288b9f9c424d04400000002c5c3557fdd67fca19258a580406f5330e8b7d329a3135b1f8b9c24bea9802f9f1ad78edc2b66683ccc1576f6dfbb5164748e5fc09d5424c2fd8e294c19a0e51	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2560	LKJU.exe
Token: SeIncBasePriorityPrivilege	2560	LKJU.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2904	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2560	LKJU.exe
2560	LKJU.exe
2560	LKJU.exe
2560	LKJU.exe
2560	LKJU.exe
2904	iexplore.exe
2904	iexplore.exe
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE
2888	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2560	2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe	30
PID 2016 wrote to memory of 2560	2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe	30
PID 2016 wrote to memory of 2560	2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe	30
PID 2016 wrote to memory of 2560	2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe	30
PID 2016 wrote to memory of 2904	2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe	31
PID 2016 wrote to memory of 2904	2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe	31
PID 2016 wrote to memory of 2904	2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe	31
PID 2016 wrote to memory of 2904	2016	JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe	31
PID 2904 wrote to memory of 2888	2904	iexplore.exe	32
PID 2904 wrote to memory of 2888	2904	iexplore.exe	32
PID 2904 wrote to memory of 2888	2904	iexplore.exe	32
PID 2904 wrote to memory of 2888	2904	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_12f65bf4176aaaebb138c32e9e9d6250.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\SysWOW64\28463\LKJU.exe
  "C:\Windows\system32\28463\LKJU.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2560
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\123123.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2904
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2904 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c52996361de1a4d23b15d658839b815

SHA1
9eb031f56a45872d6be2d8920aeff720d26d2f91

SHA256
97f6ba9a5b36a3d14226ebf5f9c9856a9454298ffe9b7f81a2e96516414ff246

SHA512
39777a32f1e6224b2045b2326a77671215e7886ab0c6b1bb4a20dde8c5157e227f872946edbee955c34eb1cfa03a2a206feffe3be8c64f8c40a25ac0fd073ff2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b46beb9db6ca278550bc485a5ea36a1

SHA1
6c5173cb997110819959744f538c4cf6ee3cec5f

SHA256
9b1ad13b3a9a23259e909b97c46da76a44cfa90ff90c4d5c60c71191f325ddbb

SHA512
c6315820a5d553bdb351d06b2d7c5b41c9481703049304766e40df7981b602430e555d17cdd98517d57fa5355755eb1c8d4ea374e0e92418c5d3d990925d3d89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bd35653c7a5d0a433dbf32f95d035d9

SHA1
18e5aab9ef1e5129244d5d45d8ed7e37614f869d

SHA256
e1343e80903c2baff5b897cd94817906adca072e0d46f58ab81ec237acf9bcad

SHA512
572a14bcd73f3ac5c4ca61fe892e22c431dd7d876907c828f0251e3a2d2bc834eee8b00a8f432f6c6750efdf7dae9d7412a3a530dfbb818ab3b5ec7deb161e76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2460857fdacbac3a14f0b08a95a1a26c

SHA1
60835a14d86ad29a53afc0a7c66dabc8bb2b2092

SHA256
63039c2377714ef49adffc81af2a8f8a720961b75fd140f16f625ddd0e10ba92

SHA512
320e7b4302bf8559f81f6760cb7555a19716939140b23009f8f5957dceb73acc700bfacc83f75b7011320d39b5d5acba6c47eb90af2d97ddf675c442c4fed516

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15fc09d8693dad4155aa815cab3ec274

SHA1
54c0fa7a2faebd37bd4b2877ac63a8b70dd35165

SHA256
b8c8928b211f50f06c6f2ffc80e768ade41f79434aacd6d609814a1130cdb4ff

SHA512
f8ace590efffc4569b7f8d7e0039ef61cd28367fcba9a62d0945a6a16717a1fc3072471a63551ab5cfad70e7a49f9a6372ec513c9d4f86fa2676ec14c2b5d992

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ab6fb800e859090aa161bb550eb7096

SHA1
630730ef9147d6af7f12630a006f9e4188f4f509

SHA256
fa36b8a0ee529740611be3b656bc0660450c722949f66d98efed73a7066766ec

SHA512
0b151f17227f9cfd2a753fd04ea523d2acb419791dee8e4773274a0cf9ca381e37e155cceca248c8a2f7725c56c83d734c55c5c4abf4198aae38254300a98f0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ed858afb6ddf6b73050ad8ed57d0c7e

SHA1
d929ca8c04e1c0bb12d560fbce1688315917ba40

SHA256
5954214d750002f6299b272f7b5b8d97522d0228a0c156c23b7bdd44ba509ed9

SHA512
1ebd5d5b64317129ae0ebe1100d279ef434cb6564397e7b9aeac4f2d5bc27971b51e1e083516b2da50dd06d59c520038d6f56d9a678d62490bb45f228f4ca051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3aacd11d339c6de7e95bea57558823e5

SHA1
0bd40b2a6b20230f319cb9aa8ba7c143372f0434

SHA256
09ee1232e80cfc7733a7ce2c1381f7ff8141e30e83c7a3acb336edfe022eb4a7

SHA512
f8c861a9e8d67afb9bc95c579e29b7e99bd6e5e98e6130faca6f052790115bebbf96b8e5ffb3d4703a8abdb52d360aea73fb8bb9c8c382c8717fae1a3cd4b0e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d4bc0f2075a072da877e8b842bde216

SHA1
3037d1fa949a27799c61be755d8f6876160f6c31

SHA256
0e34f13141fc90664ab03fc79d151e20eb22a88726d8f4bc0855fcc4a018953f

SHA512
44b51b3ca97b1fa843979b97c39f83b9e3b3dfb696ff48d9a741de26925c7cbd13b2876765d4348f36021b77e7db2014ad2fb59d83fa86082d2a79316fd0e88c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deea21a2fa12807681fd1d6c548fe350

SHA1
735ff421ff0a01e091ed5979716ec0d366ca21b8

SHA256
b34f4a61d9aa815296ed9c4415b546fc5b78c299f75e8165f1d7b226e5184dcd

SHA512
0537c36c6d692fabc14aec5a5f8e625e7cb827be55b96a0bbd2f028833f3486ab978aaf2fa83c9fdc672f5709d30e98613fb75dff529e1988ef6198b698cbacc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aebd677d5ce8f5d75478d0b9daf48d61

SHA1
4782998d78ecf2b9c96b623502e685e2545c488f

SHA256
71a6775b8b6f68cc67b2eb1a7a290831df76fdd9637b3f8ca7e1fe428fa7a8d8

SHA512
1e3a9384387231b460663f1b2ccac2ce34b4b24e62244a8f97d71bd614254f7eb6c8c35588b1bd7bf15e43a622b8373e8a2b72da8f51964e54869324362142e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd0b2fa8757245cc6c1da66be3b2f2ed

SHA1
d6646d6278ace035f91f2c5e8304edeca82c36d3

SHA256
1d4c5ce8d31d84fa1b20d80d6f5b1f14e0794050794e2cd3bb9fb7ebfddbff7d

SHA512
c4886df48bdc330d00605bab04098b177a1bb7eeb8a98ee37ee2faa121bec69cc648e1b857dfb97f022103f63c3a017527404ea2e3e04538830f331e570a13df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd3f6fdab2b36342c60e1fc744c94e0e

SHA1
a1f8641a5c0005befffddb508eebaaaee18446c5

SHA256
e3d7685717adb1cb2ca3f96efac6cf4d3c2ae974ce5d06d460b0f8d1fafdb4b3

SHA512
8cbd95e141fad288ca94361f7a70ed039d56465642ab822c1fef9de74eee30f9ee81090026021a155da2ca96e7a5d6ec73bfa83498deecf0c91c2ef97d03c478

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea71deb06f74de13aad4b65a53598bcf

SHA1
eeeb096e4eae568a183eb6506dce0d77c1084870

SHA256
9a891a28a0e1fbacc701247ba4288bb15b1f65a92ce307799c0653b90ddc7261

SHA512
11d2e7ef42f4086ff5ba8c58c1aafa4444be436784381343a324571c97db008c92ff331626f2e78007d858107c862832740f014c88b62b166c266dcd8092ed47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
415d4c399e1351cf22322039b437a333

SHA1
3b95ccf0864842ab6074272884f29b16837e4f57

SHA256
3de53bcb9feb48ff667d1187047c627d4ab91f6d323c08de3f8c642dadae9e66

SHA512
ec178b6c273cf69df18cd9a357e0ab052561b096ea271b9d2f84bc535b75180fa26902254803f583ff9575dac8032feb797232f74c46366dfeeea728340e9b22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4d538425f1827fcb5b135f00744aac2

SHA1
3cad117e1de5a8dcd36a5c6d775614461b8ccb76

SHA256
5f37abd1fff8b0a96da526b64ba8f0348aee9d3062fd2de0bf7f0642ba05c34f

SHA512
5148cef03dde6e4631af91623d7b3b0c379153cedd2c148fc2952a0441a9dbeb9d3c76fd7dd75e7e96e5866bae58ef573c3588937e22ca0bcbaab465e6659cc4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
007260b0e2fa67153956a6669c5af652

SHA1
ab7a457ce6754637c64ba57bc766a0a1f1c3fddb

SHA256
da1bca9b1721532833c2a6e920c22a8a58c84d2aed25ec14c3e165b49c35e39b

SHA512
b7828b2ce176265454cd26996788d4c3dd22aa72b42f73b83f7ab1be7222608726dc7dd3a33749e97f6dd5ecca95307f010eacd304a01c14539efaf2d29f3d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b20d7c156c944d3f6598351420201cb

SHA1
c9103881b074c32f4cd8cc290deba7c57f87b9ac

SHA256
de23cb8307cedc6310bae1ddcdaa7b6b3a79ceb9743996c016afec5450741224

SHA512
96a2ccb26bc5e0832ed297e0344991c1324cc77ad235d6e0f50b639b2365b781d7612ac685c3e6fd6a408b3ce7137f4b343f0dbe623742a50a2772725ada869c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d479f2bfccea5ace34a492b3c5f4bc84

SHA1
18323ca98e2ca26d26b5133514a2da04ce68a14c

SHA256
d57c4945a3fb14bbfe1cbea43e13a0c9c2842cb57b56e77db36abaef853b9497

SHA512
4d51539a273e4dca656b32e1373216931e6c2100aa933842956684505a274c7b6234c8eaceaeed1c412c3f3c543d3876b7242ab56695cb0e6da5a79c28dc0f42

Download Submit
C:\Users\Admin\AppData\Local\Temp\123123.gif

Filesize
5KB

MD5
f341639d411f1a51d552c0036034a504

SHA1
cb211ca0313f50a12f24095d845c103b1b4b960e

SHA256
4fb4c3519ca37265062e74df92cef849f73d8c9a2fe8d0dab3b16e48cb1c2fd7

SHA512
bbef380ae304ba9cf33642bd20b306e4027eb2175a5e363e2d18918dd857257e657f40ee8dd02c2e14721b2479cbe75a6ed822a9cadd97dbc959c1d80e84d662

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE6D8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE788.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
393KB

MD5
b0b09699ea39c0107af1c0833f07c054

SHA1
b730e2fb0bda9bf4a1b1f8768a00838e3ca9dcc1

SHA256
be63e3b5a6c3fbec11a737332d4e0040a23cc2d17182b4bc5e7d5dd41d930ee1

SHA512
55430e53058964961808f37d738c31f1502c3ec4a14b0296bef7bad22e468734bcd119eedba14cc87894d4acc81c9266572aff9919b18bd584823c47fa149796

Download Submit
C:\Windows\SysWOW64\28463\LKJU.001

Filesize
376B

MD5
736f7118cb8d1fc54be7c74ba9454197

SHA1
997321229c43e7742006e6417bac27c4ee8986e5

SHA256
be95c78fa4fac0e4ef88f54a6e9d231b3861d7ebe1c8992317ead1695f25a129

SHA512
19216dd2367bb4073012544ab403d6e6f93dc13cf34ca73a6836f5c8647b50c0e43c31275eeb4487c4146b6df0943c1b265e0b1befacc7dd1ffec44236148a17

Download Submit
C:\Windows\SysWOW64\28463\LKJU.006

Filesize
7KB

MD5
e0fcfa7cad88d1a8a462cee6b06cf668

SHA1
a7e49078517abc929a6da261df06556c8f5a8cf0

SHA256
340ff9f7f784e299030abb9982c88547e67251a6cca07d30ca8073d01a2840c4

SHA512
430fd640432769047de7bb4432f710193855a5121fe5944ef07f6b68749608312e7c22b29834967d429637fc9b285671cd10bbc9e1cfb43654695a206ba9cf82

Download Submit
C:\Windows\SysWOW64\28463\LKJU.007

Filesize
5KB

MD5
ca72cd485d116033f1b776903ce7ee0a

SHA1
85b0b73a75b0498f56200dd1a5cf0de5371e42a3

SHA256
e583532d6b4d8cfc1def5e550674e9e1a4eef2a107adacddf729fddac64f49c4

SHA512
8dbf6920af64aac6a80c3da4a567473dc20c8d4e24078f7e66bb5aa1a08641e5081b0a1ee05f82fb1dd14218b62572c198ff39b1add5f19893008b3d8e54538f

Download Submit
\Users\Admin\AppData\Local\Temp\@C19A.tmp

Filesize
4KB

MD5
908f7f4b0cf93759447afca95cd84aa6

SHA1
d1903a49b211bcb4a460904019ee7441420aa961

SHA256
3e6378164f9dc4148b86c9312b63c5a6b1fabcfebf9557f182d331e9cb32fc23

SHA512
958e0880565b008cdb045d6aba5103f0ba820ac037facf24b78924187a119258e3a8a97de4c3874694962114ef672d41a55feb71b92d5038e7d45bc3d91d6b0d

Download Submit
\Windows\SysWOW64\28463\LKJU.exe

Filesize
472KB

MD5
d7bd4739313a8e2fc9e080b7d0ba13b2

SHA1
808fcbe663bc02780b1d9962873a1e3066d55f05

SHA256
c9b47519386b1b7cd6dfecd42e586883d301b7a99c0c3d67a4beabc3ae3dcd6b

SHA512
d70e04444a2cc0f5b1fc5c81873b2c93582afa013f9aafe0e7c0eaaac36582b736b6ad8ef23a3d3aa4e3541fd478cbdcb8596dd4d233ada85f861c858c94b398

Download Submit
memory/2016-30-0x0000000077D2F000-0x0000000077D30000-memory.dmp

Filesize
4KB

Download
memory/2560-23-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads