ardamax | 6e55caedc91f3465d0594681a1abe6fd3aaffabde64a26eaed1d0e228de59db6

Analysis

max time kernel
146s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-01-2025 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_akl.exe
Size

863KB
MD5

eb9e76ce73187384507f076a7892bb79
SHA1

c4dee459ef95b75d3338ef5de17df0f4c031d869
SHA256

3bc1eacc1a9c65d1a876503cf796d93a0bf72acdd7c514db3c017b34b1bb6b43
SHA512

04e9dada33c5324ff942cc82729de1847b0f129f4e690f241db3a5b09ee1d2cc70980a11685052100e3617ad4050a035a433a25dd8f01de553a036c85ae4f403
SSDEEP

12288:JrWLayfJ9fd76616z+qUDbkVWNqoP0ndJbQ1GAC4RUNWCywPcOX5ur:ZofdN1FqF0NXPOJbIGZ4RUN5pur

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral3/files/0x0007000000016c4a-12.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
1536	POL.exe

Loads dropped DLL 10 IoCs

pid	Process
2548	setup_akl.exe
2548	setup_akl.exe
2548	setup_akl.exe
2548	setup_akl.exe
1536	POL.exe
1536	POL.exe
1536	POL.exe
2144	IEXPLORE.EXE
1536	POL.exe
1536	POL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\POL Agent = "C:\\Program Files (x86)\\POL\\POL.exe"	POL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\POL\POL.006	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.007	setup_akl.exe
File created	C:\Program Files (x86)\POL\menu.gif	setup_akl.exe
File created	C:\Program Files (x86)\POL\Uninstall.exe	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.001	POL.exe
File created	C:\Program Files (x86)\POL\POL.exe	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.003	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.004	setup_akl.exe
File created	C:\Program Files (x86)\POL\AKV.exe	setup_akl.exe
File created	C:\Program Files (x86)\POL\qs.html	setup_akl.exe
File created	C:\Program Files (x86)\POL\tray.gif	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.chm	setup_akl.exe
File opened for modification	C:\Program Files (x86)\POL	POL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral3/files/0x0006000000016d5e-189.dat	nsis_installer_1
behavioral3/files/0x0006000000016d5e-189.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d020e76cc96edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b09ec4acd412a42a171ed4b9ed5e45c0000000002000000000010660000000100002000000006e052c5a7ef4a9e2883e97bbd7863a78fa819293121a239132e8efc258a2671000000000e8000000002000020000000a4f09297c9f0d68779638bff14485200f9e020d834e3d5e017ff30a7c78ca6e6200000009cbaa88ed0ea2375005c780269721d4164d86151e6621149b86ffec29b368a4940000000049334819a61e303072e6905c136d0006d454d2654a8c2e3c61083f125d9eb60d30d3783887147987ec8939030daaafdd16d69401a9aab48997a215e593bee27	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001b09ec4acd412a42a171ed4b9ed5e45c000000000200000000001066000000010000200000003834e3c4bedc76cd7175052b614639062cbada2b73528172502d182b18023c69000000000e800000000200002000000013bf59a58040c10ec2e7f147118d55a0c60652aeaac1dfcdaf960165c9d8e91b90000000bdbe2c0bfefaa29a2e5b4e84508192e507247ee3d8c3d468f42fa60034601168fc718f66945beaa51344c3ca7eaa994ba9f9437d18b51713929dedfbc437720a980c7e88da0a852cd5cd50ba35067a63401b5a2b02d8c5e843f0ae24123c48077b42ecd780f9ac3eb13f7edf1694d2c00471dcace12d5371a64fb35ae43d7e5d7e0e5d946beda665d22649c44cbd2dec4000000015168290fe6c0efe8b9f1c1dd8989461e61fdcb9dfe84c80f43d20c0cc3f8743084a1cfee3ae674b2f2af5301f8889885b76f1837161d5921d970ed2bc4f450c	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9825D611-DABC-11EF-B57C-E61828AB23DD} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443930768"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies registry class 32 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\InprocServer32	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\VersionIndependentProgID\ = "OneNote.PowerPointAddinTakeNotesService"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\ProgID	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\ONPPTAddin.dll"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\Programmable	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\0\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\FLAGS\ = "4"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\TypeLib	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\VersionIndependentProgID\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\InprocServer32\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\ = "GrooveManagedObjectServicesAlpha"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\0	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\92"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\FLAGS\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\ = "Vazafet.Ibohanid object"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\VersionIndependentProgID	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\ProgID\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\FLAGS	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\HELPDIR\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\TypeLib\ = "{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\ProgID\ = "OneNote.PowerPointAddinTakeNotesService.14"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\0\win32	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\Programmable\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\0\win32\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{852BA01A-1A48-7AF3-8A64-2DCFE082EDE3}\1.0\HELPDIR	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{96EAEF1C-C699-485C-B1B2-E263F852DE34}\TypeLib\	POL.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1536	POL.exe
Token: SeIncBasePriorityPrivilege	1536	POL.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2948	iexplore.exe
1536	POL.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1536	POL.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2948	iexplore.exe
2948	iexplore.exe
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE
1536	POL.exe
1536	POL.exe
1536	POL.exe
1536	POL.exe
2144	IEXPLORE.EXE
2144	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 1536	2548	setup_akl.exe	31
PID 2548 wrote to memory of 1536	2548	setup_akl.exe	31
PID 2548 wrote to memory of 1536	2548	setup_akl.exe	31
PID 2548 wrote to memory of 1536	2548	setup_akl.exe	31
PID 2548 wrote to memory of 1536	2548	setup_akl.exe	31
PID 2548 wrote to memory of 1536	2548	setup_akl.exe	31
PID 2548 wrote to memory of 1536	2548	setup_akl.exe	31
PID 2548 wrote to memory of 2948	2548	setup_akl.exe	32
PID 2548 wrote to memory of 2948	2548	setup_akl.exe	32
PID 2548 wrote to memory of 2948	2548	setup_akl.exe	32
PID 2548 wrote to memory of 2948	2548	setup_akl.exe	32
PID 2948 wrote to memory of 2144	2948	iexplore.exe	33
PID 2948 wrote to memory of 2144	2948	iexplore.exe	33
PID 2948 wrote to memory of 2144	2948	iexplore.exe	33
PID 2948 wrote to memory of 2144	2948	iexplore.exe	33
PID 2948 wrote to memory of 2144	2948	iexplore.exe	33
PID 2948 wrote to memory of 2144	2948	iexplore.exe	33
PID 2948 wrote to memory of 2144	2948	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
"C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Program Files (x86)\POL\POL.exe
  "C:\Program Files (x86)\POL\POL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1536
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\POL\qs.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2948 CREDAT:275457 /prefetch:2
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\POL\POL.003

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
C:\Program Files (x86)\POL\POL.004

Filesize
14KB

MD5
4687a64503f962915cd278baada57449

SHA1
ef42ea6ac10a1eff3b8ccea7194e4bdcaf18f6bb

SHA256
2660a6af939bf1e32391c5ef13afb14ee65a6bd866d4b152e7f5db6747d7a67c

SHA512
0aa67de3ce116f2d0c4f5d43da8aceee4802272feeae5e018e0dc653eb6f609a786e2f40df4e9102ee9f1e199831aaa021fd4c50960d83568eb2f87cb8f0b7f8

Download Submit
C:\Program Files (x86)\POL\POL.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Program Files (x86)\POL\POL.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Program Files (x86)\POL\POL.chm

Filesize
33KB

MD5
8e4c5c3fee759991597ebc2d855ad4e4

SHA1
b3da123c6300a330b8c869b1ba807115e42c6eab

SHA256
e97a9f0dd54d6013280cbb032e63b9cfcc976886a46eeeac07a45af2fc545547

SHA512
30a126b57b538f3429a66785521ce30e8dfe4e617d84381e9f5a0feae5956576aaf00253ea41170e12813f2637edd11c5ce643c08dd4920bf30d8bf94b95208e

Download Submit
C:\Program Files (x86)\POL\Uninstall.exe

Filesize
43KB

MD5
4bbbf32667e8d9aca25b74536c022802

SHA1
128ce5fb0d058cc9126da94a2f9799b2275dfa22

SHA256
df3a520beb7b22566981849512cfba209d108d65505b49f38ad054aad9940c17

SHA512
5a850f7d6ef5293aba4594370eb59116d78b31f07f663dfc737bb35992e8c2fc351935f30af512f319af5f26f0538029624b442eca00a9f00409a23f263d9d72

Download Submit
C:\Program Files (x86)\POL\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\POL\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\POL\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
954B

MD5
b62ff71b0100589f3de0f2387be9600f

SHA1
36226829ca2cafa33cd4d3e7c179224e0bf1c498

SHA256
a54e6d991fdffd56c79b36e0260a34dfab8b93bfec236189e3e8d06aea192dab

SHA512
a6915fd7a6c7cd5b0bc7b72458007fb548f1500b06b0320542987b20198596a724fa1139bd06cd2f0d4719a1c1b0d6d202e4e76b5e28436505aaace777fc320c

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
910B

MD5
582d6b850a9a29affebebeec01653af1

SHA1
7d82da3d7339ec8cc93f0e22bcabab1c41448a9c

SHA256
91e3aa833dc0833ab07b6b8b0c93b6a90da24d3340418e1870c92f2284bd1128

SHA512
dba48bf1937675d5e1eab273a34010968057f10b08304852779dfa6867dea054c3753b1cfd1f4f0bacf8e6768472f26484086d6c5a7a0a8bd58f483eeebeb584

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
968B

MD5
fca161ea21bcac2abb2eff07fa20a333

SHA1
afc3e513d6226f63c21661663351dc797ed4a034

SHA256
4d02578d01e500b8437859de8461a27bb43f25d907ba0ad1959f305fd514731e

SHA512
6dc56d15db59c8724bb7acd26b5d0cf26b1bf730d2ae42e9cf949dd2ace1bb519d5fd003fedc1193739b2342dd7846e6e5b891e96de3c8c98ffb72223e40130f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dac515f6e3a14351889e53169f412fac

SHA1
649f13d4a407e6c6e22fa84d73e9657d08482eeb

SHA256
d97fcff8ed30f070fd01b2781de45639bb21cfb3087d9bd11fd8c56d42e48fba

SHA512
f54e2f7ead56c4c27d43cf01d8703a5046b6220f7686b5385efbd20345a4f957770a07436cb08b62006282186d3fc8ffea00849b863799ce73bf131219475f91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b26db5bbaa1504dfef6fb02928ebabb9

SHA1
98e18497151517406953a829e356869a76421969

SHA256
6e55cdd81e618ea8ff3ed0d50c47aaafadae7e6a1379a30e0284c7a7b58642e2

SHA512
863e17205575724b26f58b70b05e9109475aeea5bbb9361fd5b9408e653eccc781f0d7d48c3146c368ba6b7035ae1ca77196c6791d2800616ca81c949b18e661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43dc8ef4380d79e0cbb1e11d81fb09aa

SHA1
ad1c9da394124dbbeb3b9a00d47f96acd1f9d301

SHA256
df1381bfbbed7676ff41318401b149c74f01644456c84a9937e08124693e473d

SHA512
b22538f3b14cf97314765ae1899ec343674e9038b97d6f080c806a623164903b36fc8ecb866b655a396f277756940bf8bbd44aaca14336d282b50c2b7db4d150

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb4845cee392fc3a4910051160825114

SHA1
3f0cb7f76a41434c78bc8db158eeb0a21e2d1a8a

SHA256
3f90b8b1ba21b2813c12eb69fcb742615dc6cb805ef8725b26d749c84e6a2ae5

SHA512
19b7899dd432d985fa680b7453673db0a23925989810ec9a44edbf6518d8bcc5a2b7d5baf1f30404541c302e2ef92dc66ae53a4ac4c7be24c4b2ec6f51a6d84e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d799c4f3efa74216c5e0693df96f4cef

SHA1
4373bc14cf1da2b7e607f7f5e2c86d70bcad180e

SHA256
c8d5940c2943d502451eff87e78ebfdb12db4af68fee8a8d0ab040db57b098db

SHA512
233ea2250702168f8b8024ea9ccb3e398219fa4e7042cebe777ff7627a5102d768be935a07daec3db16fa6549137c42e9562c6970c8bf1bfe8924176b0436e69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df78dc4d3c256eb65db3569b2a007704

SHA1
d82b818bdc8f170a174160d3d0e5f18909a6242b

SHA256
cfc907ea8a6e1e841042fc60530d46c99a1c1c7dc6cb0b51815160036c99e5cd

SHA512
4f0ae714cc986b0f296d3c3b514c4fbf7908ba26b6f1227c12f7d086cc4f2f5d879fee0b86095101845e6fe4046b3aad36a8290aba47ce6661f368bdb86eace1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c8c933f5695ad0e549b8bd48fd2154c

SHA1
758465743ad835c7e6c6a8eba808d6a13191831f

SHA256
832be8b298d96a19cbbd70ba7a59c4caa6b542118b550bcaa6715ef370dd824b

SHA512
384ba8f4112254052446de345fb534da9847ced99d6a74244a2dccee14a79c5179a1c7943a45220d97ee1a7106c9dadcb06c2fa27a924e8223ff0a491f424667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fff9bd1b804416de4abcb51114598d96

SHA1
c2f5476fd5e37ce6585414ff0e3a83821c8871fe

SHA256
e4569c683a24d48753c09b92adc5cb7066ac3191ea9033c06463afed1f8bf082

SHA512
8eb2afc95dde76fbb5fb046d699932930e6f1a445927bb04529ec87dea679f66ca4290593999f63caaf60e1c95a53fb6bed05cd5954c0c1ab03fe83f9e4bf533

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b84a1a20a1981d5f985e50421c2bb117

SHA1
e7bd729dc5db03f14e482ae789f59df6754b1cfb

SHA256
b256aa02f84c82142fe80e64878b54f704af3f8823165864bf1e2d7cb3f8b9ba

SHA512
05c2d993c9148f25334f3026260cfc49a0b74fa1c05f76e98de04ebdacdeefad8d79fad0d7c9b8a03eb6630e9de9ee7ef98042ba425bd22303a055b3aa136d51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f26574ac0a07d4c9f83b577effe29696

SHA1
7efbc50c9d192b1ee15e377af0c11262893093d9

SHA256
2be259efda9a2b1d9d0147bbc080185d00a92a4682830c28eb0d7afb0d4e0568

SHA512
561fd2698df4aa1e4341db4b7b86f2768f56d33d31b8a802d8ca3040d0e01d6d0402e6f0a7cded03399af95b3520bf5b3c05ea1284351de99055196dc5fbcd79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b64cf655fbf5e57c4d19984f15c73e1b

SHA1
609e9df5d38665920b17b765984db41986d64559

SHA256
79a2dbbc2ab4d308eb820bfc2376f376b74febea5f37eada4144657e0b3df7d0

SHA512
63a462efa842c40176d63b32dae9200e412ff88f0794ae7c639e5003b8a809fa843f69c8b3b437ba8b9ded421a69b6faa51dc5f791ff4dfb6c445721cd8656b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba8c014be9c4e811d0e35398a05c68a3

SHA1
865c36c7171dde924557665a5d19a424f60dd8f0

SHA256
133c5e091f5a2a48f4923a15d48f5f9f2db3611d379348278de92633bbc14d9e

SHA512
f812796d121887610926801498d562119bb40b24bf437d345af1d4bbd1c5e1430e56af4764af14ae400ad822cad9782bf001e5fe6b8823ced8ce83ec527fd648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7173f0c3dc1cee1b32c45ea23d847e01

SHA1
e5fb9321cda6de6dc611519ef71c2d8db479e97d

SHA256
03c7edf35c19c8a464cc086598fc94efa332a96d50f02e436477a8c42dc640db

SHA512
70f1b8f30bb30647d206f6347c4296dd771d68b4ee99d35a33ff78282a3feaaf0919d5bcaea9e47c67634ce4e1d3303056992bbee7d8bed72cd836b88bbaa2ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75141e36991a1a5ad643d6ca42f89de2

SHA1
309ff8b88875370baca09a02ecfe39f1adb172e7

SHA256
fea88026d2f65e470bcc5a5dab21f93f137964b76c4f99fdeb4d2ae1e4063e49

SHA512
d909f25f19dc63c97c35e22f517d4b4f4babf0008d2f6dbdd521598d8163bfa99b22ba41ef4a7b5410a9a58da4867e37193838d3a0558c2989b9a949c5a4b8cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
baf5c9d2fa2fb0b8c9286256d565ba1b

SHA1
1221b265c31c23c7dd42cd60ae0f7abcf07eba0e

SHA256
5219fb9843b07e9033e764496c92dd3edee748da559981a05b3c9ef326f1019b

SHA512
7c469188b782e9fc02c4ebbcdb65770df81730b78283ece578c7458680ca4becd9eec8e075e167a154995a5afebb26e2b46215e92fcad26a63fdc8d36a85eee4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f03516f1190f285e23d4bb7f74399a77

SHA1
d0972e2d809e82e3438143ccd3926964a3395397

SHA256
adef1be46b80616fc57e382fa40de79dd68018df8d54d637d048994a73f36135

SHA512
7b8e33c42e60b18bf703a2f1626f0a43788d303f26089b37ca9c1405bdb73b112910f599284b69a340e83dcc614fc748a834fc7219fd146fdb2a8446dab005cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c02a17236151d67b5e5a6e40d7d3b6cb

SHA1
ab1c11ee0e50c181a03f7ecb099d465144a5ae20

SHA256
15a2567b0541b3188c2743152169296e12efba4d93bde4174356ac56217f3c5c

SHA512
7efcdd97a20a32ea8891249138e0e8cf621e674dd884df9e71a56afdd7d02eb5967e75a9f6db502b54cc1282bd2a8915b06a2aa18149fc04ca2d5e986879162d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d45074bb52b3ce01b4ec7c92d1bc95b8

SHA1
084f627d73cbd6f6e63bb52266fb19f153181920

SHA256
453be7bbb691d184e52869d478ed23c3fa0656fe7a6cc3d5bf8d758449021c8f

SHA512
e70ba94ac6842d31cc91a5adcf8aa041a12ad171d83659dbc4938014552da2c8e32dec9d1e70d4abbe5e9541b22f3ea26151866217db79efdf719b1e39c6cc8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3c362308e2f99ab35eef0df21afcfa8

SHA1
d4dd35a5170b05f8b1c35b41d0a4b86de3fea766

SHA256
98d48004ef32a5ffe38dafaefe1cb8588fb6fc16fe4cf89dc03593059abbcd55

SHA512
85891aca1512aeb7c1ff4b4e4297523ee263b2590e1e11ca2d997c9cc642c530ef667323b1a5d0aa2aea03f77182fb63ae9b4db6ef061dd28cde170e31f4dbaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eb355ce24a57347b31de35ffd6ce7fa

SHA1
1ce31c6a5d4f5ec892d2754baf2e9d402739ff5d

SHA256
c05aa2d6e4662d224b543e9167aeed1ff4d33610fcf7cb8c1105b1fbf896b915

SHA512
c45ee4ee54c97707a93a886883fbfa076214a79f6a19d010a1bdd8b406b69d18c202973273e2ac421e6317e5c4e4acee4a1d46b3928976e9e20d1b68832c43ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3FF0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4060.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB8C6.tmp\ioSpecial.ini

Filesize
719B

MD5
62f28875adef3a55d4fa0e68c1863583

SHA1
a556a10c1528cd27bbefefe4b86debc18b1cbd8e

SHA256
f92407790b057cd96efdc7f815d43ca793b897809a7e81e182665dd8e6ec111f

SHA512
70558ad4c6b7814ea93f59458bdc5d918a3f3a4d469296a31056a1ae71f8f057a02222809f273cee456811117f8f27ae1092839e0e13606668c5d9dad7953447

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyB8C6.tmp\ioSpecial.ini

Filesize
771B

MD5
6d531fcc1336404f4b468197a0e08bc1

SHA1
b4e1763d8be34109a99ca498e2d253fb5896b510

SHA256
1960900a444bea25c8588e51cf2728bc575e1efa32142c10f8f90a371b93fc91

SHA512
74acd42867336fcdda8a32588da9c0a7a9367d25d7200e6f604572bee068d2f8b88b45dcf6ed239d70597d6c12613c58f4a907ba3e4c3c39bc0253c60a8d711a

Download Submit
\Program Files (x86)\POL\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
\Program Files (x86)\POL\POL.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyB8C6.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
memory/1536-162-0x0000000000493000-0x0000000000494000-memory.dmp

Filesize
4KB

Download
memory/1536-206-0x0000000000320000-0x00000000003FF000-memory.dmp

Filesize
892KB

Download
memory/1536-638-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/1536-164-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1536-182-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1536-207-0x0000000000493000-0x0000000000494000-memory.dmp

Filesize
4KB

Download
memory/1536-208-0x0000000000320000-0x00000000003FF000-memory.dmp

Filesize
892KB

Download
memory/1536-168-0x0000000000320000-0x00000000003FF000-memory.dmp

Filesize
892KB

Download
memory/1536-205-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1536-161-0x0000000000320000-0x00000000003FF000-memory.dmp

Filesize
892KB

Download
memory/1536-178-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1536-204-0x0000000004810000-0x0000000004820000-memory.dmp

Filesize
64KB

Download
memory/2548-14-0x0000000000590000-0x00000000005A0000-memory.dmp

Filesize
64KB

Download
memory/2548-154-0x0000000004240000-0x000000000431F000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads