ardamax | e19c57cc7422b89c8e46a340280ba77f843e157d3b92e07d323e54a6b530ab3e

Analysis

max time kernel
141s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
03-02-2025 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
Size

802KB
MD5

8b47a5ee24e37deb41a54b0f6a7e90b4
SHA1

3695492b3dd4fb60771c99babac34c0c2e043f4f
SHA256

e19c57cc7422b89c8e46a340280ba77f843e157d3b92e07d323e54a6b530ab3e
SHA512

4933c2eb99ccd1d9a593b298148b1e4ddd4f5eb5c895910381f2ede497c7c7372c27670afdbbf7e7abb72af1f0b49a505f8046125c702ffd837d8af8fdeb9872
SSDEEP

24576:qXYMJtez+cSYtDbrrfrMwll8QjbxC6CRP7h:qXYWI+t4PrWQjb9CP7h

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c77-46.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation	INSTALL.EXE

Executes dropped EXE 2 IoCs

pid	Process
552	INSTALL.EXE
4068	DEQE.exe

Loads dropped DLL 4 IoCs

pid	Process
552	INSTALL.EXE
4068	DEQE.exe
4068	DEQE.exe
4068	DEQE.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DEQE Agent = "C:\\Windows\\SysWOW64\\28463\\DEQE.exe"	DEQE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\DEQE.007	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\DEQE.exe	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\key.bin	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\AKV.exe	INSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\28463	DEQE.exe
File created	C:\Windows\SysWOW64\28463\DEQE.001	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\DEQE.006	INSTALL.EXE

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\CARTA2.RTF	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
File created	C:\Windows\CINSTALL.EXE	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
File created	C:\Windows\INSTALL.EXE	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
File opened for modification	C:\Windows\CARTA2.RTF	WINWORD.EXE
File created	C:\Windows\~$CARTA2.RTF	WINWORD.EXE
File created	C:\Windows\CCARTA2.RTF	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DEQE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALL.EXE

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies registry class 44 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\Programmable	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\ = "VideoLAN VLC ActiveX Plugin"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\0\win64\ = "C:\\Program Files\\VideoLAN\\VLC\\axvlc.dll"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\TypeLib	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\ = "Oteno"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\MiscStatus	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\ToolboxBitmap32\ = "cic.dll, 1"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\0\win64	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\Version\	DEQE.exe
Key created	\REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000_Classes\Local Settings	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\Programmable\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\Control\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\FLAGS\ = "0"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\HELPDIR	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\HELPDIR\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\Version\ = "1.0"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\InprocServer32\ = "%SystemRoot%\\SysWow64\\cic.dll"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\InprocServer32\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\ToolboxBitmap32\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\0	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\TypeLib\ = "{E48A7F70-9834-BA7C-7565-E33105E3F2A0}"	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\VersionIndependentProgID\ = "ListPad.ListPad"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\InprocServer32	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\ProgID\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\Version	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\MiscStatus\ = "0"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\ToolboxBitmap32	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\0\win64\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\TypeLib\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\VersionIndependentProgID\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\Control	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\ProgID	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\ProgID\ = "ListPad.ListPad.1"	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\0\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\FLAGS	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\FLAGS\	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\MiscStatus\	DEQE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C492DDDC-6FD3-4014-23A6-97EFDB02EF90}\VersionIndependentProgID	DEQE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E48A7F70-9834-BA7C-7565-E33105E3F2A0}\1.0\HELPDIR\ = "C:\\Program Files\\VideoLAN\\VLC"	DEQE.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
3564	WINWORD.EXE
3564	WINWORD.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4068	DEQE.exe
Token: SeIncBasePriorityPrivilege	4068	DEQE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
3564	WINWORD.EXE
4068	DEQE.exe
4068	DEQE.exe
4068	DEQE.exe
4068	DEQE.exe
4068	DEQE.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 3564	4280	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	86
PID 4280 wrote to memory of 3564	4280	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	86
PID 4280 wrote to memory of 552	4280	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	87
PID 4280 wrote to memory of 552	4280	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	87
PID 4280 wrote to memory of 552	4280	JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe	87
PID 552 wrote to memory of 4068	552	INSTALL.EXE	88
PID 552 wrote to memory of 4068	552	INSTALL.EXE	88
PID 552 wrote to memory of 4068	552	INSTALL.EXE	88

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8b47a5ee24e37deb41a54b0f6a7e90b4.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\CARTA2.RTF" /o ""
  2⤵
  - Drops file in Windows directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3564
- C:\Windows\INSTALL.EXE
  "C:\Windows\INSTALL.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\SysWOW64\28463\DEQE.exe
    "C:\Windows\system32\28463\DEQE.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@DC46.tmp

Filesize
4KB

MD5
6c399234a0f298b0ba4b77446425fa28

SHA1
ff086167b29f98bf3bd043ca0d397409ce714083

SHA256
40fcae632679e1d7cc4d4f5133758362dc3b08676bd2c631e9831226c10d5036

SHA512
0409551aa3165020dd03df2e882cdcc9247456e4e392b802a15baedc2d0b407817dbe6e1e671fa4e9834da07bbdfb35cc276ba0f9dda826c153af616ee5cc558

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD205B.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
452B

MD5
22419ba229b1a2364fb2a8ef10b41cd9

SHA1
283fb5d2c841349da545331695fbe07893ae0849

SHA256
6c6d6924cf4196a675295591271b9f1376abb8dbb8059732d498d56074c43ece

SHA512
571ea38da6579118235f9e8ee6d3456f0977ae4e9c3dfa100fe114aa9f1ceab5261fb4d8b22f481f03f7f7e806df52d6b42b41a7717cb7330ab492f58ee0fcb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
718bd6cff7055f313a4d915f72c77508

SHA1
269913048d9a6d44a6592df5430924921868ab7d

SHA256
dfa8dd9af4242c849949e2d60b31906c559121359a810076977a048a0522341f

SHA512
1f1380b2b675034fe85182eb2374e54b348e713dbf8f06ebd7c8c6469d797d58c7c2a09d120993291b324fcb0cd63afe586a8863ca01254f79a7b7eec2c90f49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
94de518958f3e3dea12216ba8eb202bd

SHA1
62cc31e025245bc77cc43e24dbb73fe59837f3b2

SHA256
bf9f59c63b11100e1fd6f2d83a01c77a881301c9a254be2236fb6abe15484919

SHA512
dcc5afe23ddc10bc410e01e6f11ee957f04de8879fe0c882b8d7ec8670ea351e6bc8b50e9ca9cc7bf2201bbc1697e78ab9edaacf0b316cb9018d0def5a742eed

Download Submit
C:\Windows\CARTA2.RTF

Filesize
162B

MD5
1bde52580d0b49e07694d397ca7b9728

SHA1
09f96c681b6276b2ffe2e6a31e62626ffcbdbe00

SHA256
325b9acdb7af6bd166a0c98a4124a97cf9869ee5f2dd73e6ba024d4fac82eb68

SHA512
3b5d130c419a29146d1ffdc57d9ff83d9fff9c813c0361742de548d22c9aab9eaf6982bec4c8ad686d2f51d666fac1e26de8013085dbd8b6bfbe98d087e999d6

Download Submit
C:\Windows\INSTALL.EXE

Filesize
785KB

MD5
c5c715bc41dd8863bee9d4054c18a776

SHA1
4a46d82a1d74d2fb89041361b09d0ff616be40e6

SHA256
770af96ad2c77b3dfbbeb639277d01487e1cba3310ef953436f4d03fd2f0d955

SHA512
502a9b58fb41f6a39a79c59d762308e85c8492ae4ba0db17008c1591b98d9b5493641e5ff75f41d2ca54a4c4ba7b7f244712f6ec0498c0386627f9a7e178b7ee

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
a43e1122468a435c6ae6a60cd30e3de9

SHA1
d1ffe6b5531828527fd08a66be790e8d898d049f

SHA256
403e10c426a22957a5bd10ca44af3de1d30d06531f36455e4b154a0cdbb934df

SHA512
b7b0f04cbff71f46a7525b80a02a3b1c0830bb7539ccefc854cb88e404e651cb483b4e1e77feb118c15d4fac6082be3c0802d5e0156a78d3d3bf1b90a68d34e1

Download Submit
C:\Windows\SysWOW64\28463\DEQE.001

Filesize
490B

MD5
82a5c42efd4caabc1ba5e3e5433dde54

SHA1
01eba9744f62ce0bd24c9a85559069698b437b80

SHA256
e98349d01775d5f93d6e7700470751a08bcbccc0912a21b33ae97a11271fd6a1

SHA512
02f6d5a86ac3f92c33b157e7f82912dadf79163222d4895925877ba58291007f6412eb39969628d050dd26d7e23bd9ca0fe54b010566059b770a81cccba9c9a3

Download Submit
C:\Windows\SysWOW64\28463\DEQE.006

Filesize
8KB

MD5
46a1750fd57f2a74c12136324fd040bf

SHA1
cf6f9fa1975bd4748fd4c2f49a7251c0f34ca38e

SHA256
c1fb8c544b603f93868941a480a2e75732181697e1563b026ac440acb10747f7

SHA512
62c60a2b7724542973a633d4b7e3d65d94024b7b36dbc04ab990634b7c2be9f45ee1375e48171463b919f9e335830ba2434c95154e7dbfcf2608502ef868af22

Download Submit
C:\Windows\SysWOW64\28463\DEQE.007

Filesize
5KB

MD5
8c3f1e556193e7171d15ebaf2ef3dd39

SHA1
a395f873258af8f0b127f9fea07190ac562c9fbb

SHA256
8dda8e9d04b81e67d444dae44570941f31eb6f32fbdd9ad61047316f13ba2586

SHA512
c275050fe29567d083a66fd70adb48be0aa3d78c7ef19cea1e5c8c165a9000df0fb8917b49365c8265a80f1167d3fcad0e27696245de79e4bb31d805c6c62165

Download Submit
C:\Windows\SysWOW64\28463\DEQE.exe

Filesize
647KB

MD5
5ef8b4e9a6c2679b5940244b226d06d2

SHA1
ed775e618a237ddb8ca32769f7fceb10bd4536b0

SHA256
e3289a040cf84bce45def733a231d82c9ced3dc95d24cbcf624018563feeade9

SHA512
62a1ce5c0431479ef3945d6391a51779430511a2272b3be27d79a374e8c3c7f38b70d8c6c891d013f6fe629ddb0375a17b5f318a2e8dfbc37217fce8eb68638d

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/3564-25-0x00007FFDD0BB0000-0x00007FFDD0BC0000-memory.dmp

Filesize
64KB

Download
memory/3564-38-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-33-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-24-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-34-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-55-0x00007FFDCEA60000-0x00007FFDCEA70000-memory.dmp

Filesize
64KB

Download
memory/3564-14-0x00007FFDD0BB0000-0x00007FFDD0BC0000-memory.dmp

Filesize
64KB

Download
memory/3564-18-0x00007FFDD0BB0000-0x00007FFDD0BC0000-memory.dmp

Filesize
64KB

Download
memory/3564-19-0x00007FFDD0BB0000-0x00007FFDD0BC0000-memory.dmp

Filesize
64KB

Download
memory/3564-15-0x00007FFE10BCD000-0x00007FFE10BCE000-memory.dmp

Filesize
4KB

Download
memory/3564-41-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-40-0x00007FFDCEA60000-0x00007FFDCEA70000-memory.dmp

Filesize
64KB

Download
memory/3564-21-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-42-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-39-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-36-0x00007FFDD0BB0000-0x00007FFDD0BC0000-memory.dmp

Filesize
64KB

Download
memory/3564-88-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-89-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-90-0x00007FFE10BCD000-0x00007FFE10BCE000-memory.dmp

Filesize
4KB

Download
memory/3564-91-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-92-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/3564-93-0x00007FFE10B30000-0x00007FFE10D25000-memory.dmp

Filesize
2.0MB

Download
memory/4068-95-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4068-54-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4068-230-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4280-37-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4280-0-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads