ardamax | e5a5eab17254f73bf67dc40f2bbc6189606744197b2ddbf8766693b75f83dfd8

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-02-2025 14:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
Size

4.6MB
MD5

e711980669f27529ed94e995a435ddfe
SHA1

232cbaa9758262d250a222f03b8cb50756b0eb3f
SHA256

e5a5eab17254f73bf67dc40f2bbc6189606744197b2ddbf8766693b75f83dfd8
SHA512

245c0ecb0ed4e963073194e00c294152ce2f9ac777643966e9e219a7ffba5b7c36bea8f25d60a35298bee6ac9021dfdd657f767563c63548f19e7e8a282d4846
SSDEEP

98304:9Y8rAMMeV0KlkqdzKBHIYzRujOZ8cI9gXbEvNqHxdhKGCb4umX20k5Ed1M8rRVeJ:GjMMeV0+KBH/QjOZLICgvNIPrCNYk2zs

Score

10^/10

ardamax defense_evasion discovery keylogger stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000191d2-9.dat	family_ardamax

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001c88f-555.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
2632	TIQB.exe
2692	mirc_club[4].exe
540	Mircas.exe

Loads dropped DLL 28 IoCs

pid	Process
1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
2632	TIQB.exe
2632	TIQB.exe
1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
2692	mirc_club[4].exe
2692	mirc_club[4].exe
2692	mirc_club[4].exe
2692	mirc_club[4].exe
2692	mirc_club[4].exe
2692	mirc_club[4].exe
2692	mirc_club[4].exe
2692	mirc_club[4].exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Sys\TIQB.001	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
File created	C:\Windows\SysWOW64\Sys\TIQB.006	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
File created	C:\Windows\SysWOW64\Sys\TIQB.007	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
File created	C:\Windows\SysWOW64\Sys\TIQB.exe	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
File created	C:\Windows\SysWOW64\Sys\AKV.exe	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
File opened for modification	C:\Windows\SysWOW64\Sys	TIQB.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/540-575-0x0000000004190000-0x00000000041A0000-memory.dmp	upx
behavioral1/files/0x000500000001c88f-555.dat	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\connsound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\netpsound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\icons\10\1.$$A	mirc_club[4].exe
File opened for modification	C:\PROGRA~2\MIRCCL~1\system\aliases.ini	Mircas.exe
File opened for modification	C:\PROGRA~2\MIRCCL~1\system\dll\swamp.dll	Mircas.exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\icons\11\1.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\script2.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\Skins\Thumbs.$$A	mirc_club[4].exe
File opened for modification	C:\PROGRA~2\MIRCCL~1\mirc.ini	Mircas.exe
File opened for modification	C:\PROGRA~2\MIRCCL~1\system\script3.dll	Mircas.exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\Lolssound\lol 07.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\notesound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\dll\nicklistas.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\dll\VIEWS.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\cursors\8.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\data\Settings.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\Mircas.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\bnmesound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\Lolssound\lol 01.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\Lolssound\lol 04.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\Lolssound\lol 09.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\cursors\23.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\deopsound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\kicksound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\dll\Mircustom.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\Skins\mirc_club2.$$A	mirc_club[4].exe
File opened for modification	C:\PROGRA~2\MIRCCL~1\servers.ini	Mircas.exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\icons\4\1.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\script4.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\ignrsound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\Lolssound\lol 06.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\data\Ctcps.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\data\Diff\Autoident.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\data\Diff\Autojoin.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\dll\WA_Link.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\cursors\22.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\data\egg.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\dll\popups.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\Skins\mirc_club.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\clonsound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\inchsound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\kkedsound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\dll\BARS.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\icons\2\1.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\script1.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\Lolssound\lol 11.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\icons\01\icons.$$A	mirc_club[4].exe
File opened for modification	C:\PROGRA~2\MIRCCL~1\system\icons\1\1.icl	Mircas.exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\icons\colors.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\Skins\mc1.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\backsound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\cursors\13.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\cursors\17.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\cursors\18.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\data\baloon.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\dll\ColorCombo.$$A	mirc_club[4].exe
File opened for modification	C:\PROGRA~2\MIRCCL~1\system\popups.ini	Mircas.exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\cursors\14.$$A	mirc_club[4].exe
File opened for modification	C:\Program Files (x86)\Mirc Club[4] Script\Uninstal.exe	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\flsesound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\sounds\unnosound.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\data\shitlist.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\icons\6\1.$$A	mirc_club[4].exe
File created	C:\Program Files (x86)\Mirc Club[4] Script\system\Skins\mirc_club1.$$A	mirc_club[4].exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TIQB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc_club[4].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mircas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	Mircas.exe
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Mircas.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Mircas.exe

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\irc	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	Mircas.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\PROGRA~2\\MIRCCL~1\\Mircas.exe\""	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\PROGRA~2\\MIRCCL~1\\Mircas.exe\" -noconnect"	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	Mircas.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	Mircas.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\PROGRA~2\\MIRCCL~1\\Mircas.exe\""	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\PROGRA~2\\MIRCCL~1\\Mircas.exe\" -noconnect"	Mircas.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	Mircas.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	Mircas.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	Mircas.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	Mircas.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	Mircas.exe
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	Mircas.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	2632	TIQB.exe
Token: SeIncBasePriorityPrivilege	2632	TIQB.exe
Token: SeIncBasePriorityPrivilege	2632	TIQB.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2632	TIQB.exe
2632	TIQB.exe
2632	TIQB.exe
2632	TIQB.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe
540	Mircas.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2632	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	31
PID 1756 wrote to memory of 2632	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	31
PID 1756 wrote to memory of 2632	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	31
PID 1756 wrote to memory of 2632	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	31
PID 1756 wrote to memory of 2692	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	32
PID 1756 wrote to memory of 2692	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	32
PID 1756 wrote to memory of 2692	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	32
PID 1756 wrote to memory of 2692	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	32
PID 1756 wrote to memory of 2692	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	32
PID 1756 wrote to memory of 2692	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	32
PID 1756 wrote to memory of 2692	1756	JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe	32
PID 2692 wrote to memory of 540	2692	mirc_club[4].exe	33
PID 2692 wrote to memory of 540	2692	mirc_club[4].exe	33
PID 2692 wrote to memory of 540	2692	mirc_club[4].exe	33
PID 2692 wrote to memory of 540	2692	mirc_club[4].exe	33
PID 2692 wrote to memory of 540	2692	mirc_club[4].exe	33
PID 2692 wrote to memory of 540	2692	mirc_club[4].exe	33
PID 2692 wrote to memory of 540	2692	mirc_club[4].exe	33
PID 2632 wrote to memory of 2412	2632	TIQB.exe	36
PID 2632 wrote to memory of 2412	2632	TIQB.exe	36
PID 2632 wrote to memory of 2412	2632	TIQB.exe	36
PID 2632 wrote to memory of 2412	2632	TIQB.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e711980669f27529ed94e995a435ddfe.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\Sys\TIQB.exe
  "C:\Windows\system32\Sys\TIQB.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\Sys\TIQB.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2412
- C:\Users\Admin\AppData\Local\Temp\mirc_club[4].exe
  "C:\Users\Admin\AppData\Local\Temp\mirc_club[4].exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\PROGRA~2\MIRCCL~1\Mircas.exe
    "C:\PROGRA~2\MIRCCL~1\Mircas.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\MIRCCL~1\mirc.ini

Filesize
7KB

MD5
2b5e4fc27a43a13c97a7a6edb8e9837c

SHA1
63416a15fc60baf202195a094bbc820a4f1beb05

SHA256
5affd4caed1f829140ce4248bf2b482362f6d938f0d0b6d98a348ce4cb84220d

SHA512
1f46328f2ff984b2475faeed025ef9eace9a123402942e66d44799075ccfe27c7af6b63c8f89b8ac6a304ceabe194b91030cfaef07dd955c1c99990590a2e1b9

Download Submit
C:\PROGRA~2\MIRCCL~1\mirc.ini

Filesize
7KB

MD5
e78c1dd4a3a0c89af5db817ebf4eb36b

SHA1
cfc72d4c349b73f4689cf8addd2d67b6d31905a1

SHA256
f2f7af6722fefb0e5617e4ca822c4cde5fc7df9aff1fa394c089d5dae2855adc

SHA512
0bac5f9739ae66906fb20e29b0a92aec60250f4b4d053d6adeb3d3bc652b1341b03634ddcc62faaaa23e9af15cd400c80b8f7b1628e156a127e32d357c52be07

Download Submit
C:\PROGRA~2\MIRCCL~1\servers.ini

Filesize
524B

MD5
b546721ff08491c37271476fe00e591c

SHA1
ec0996a0997fb971da00c24dddedc32d79d3482d

SHA256
9f7c25d413f4bb984edd18db90d01d1d94c0568547700e7b4c4075dacbefd6b5

SHA512
d82331d9ef32f7c1d28dc412f52e8c6e77a60e631b5cff9d5a3f693d25e14f664c73e642508b599c3a24ea5382b53986c78690ca54462aee959714ff6293e4c5

Download Submit
C:\PROGRA~2\MIRCCL~1\system\Data\Settings.pdr

Filesize
231B

MD5
66c9af94ad8f23c3da5e6a85c7c2ee59

SHA1
383da3ce77e063cc6afc190320b5046c557532c6

SHA256
f56a21ce377ae1ea9d262989ad9f37da7800a2d8b06781cf9d6173801e397457

SHA512
32cdd95ed181fde6d404b176a1fd6cbc704803d04ce9292ba41123ec5d08958485cf40e5a113cf31110e386074e51c45ae7e98cb9c6c244e3897b8a4773e2859

Download Submit
C:\PROGRA~2\MIRCCL~1\system\Skins\mc1.jpg

Filesize
122KB

MD5
adc9bac1ab2874d2783a8bd0bb22aff4

SHA1
048d4ea303f4b481b86248518e7a825ff8088e23

SHA256
b14ea84f6ccf0a11f0e978fdc44f9b0e3bf3a1d654d085501f93a357ca150f29

SHA512
5d301272e71f6d2e298e4e3f1639c4777710dbe5e07fd9065d8deac1c6388ad8c947d448754543b27f8d6904eafda8cd74dbfb335efdf12ea7f65ac3a4f79fea

Download Submit
C:\PROGRA~2\MIRCCL~1\system\aliases.ini

Filesize
17KB

MD5
0567c7c952ec85532dd0ad315cb26a8c

SHA1
2b1d03af3cbbbc7e22bf3664a996a774d2413c23

SHA256
e67f09b07190884f734242bff185fc82ad797d170102c7ddd8462363bb1459ad

SHA512
a3ac0adbdcde3ecb0e1a6209a41e6010adae3fce3600a26b59ab335e1e4d9bb35f5b5bef829390d487c7ad58e9cf5bdad888ac55a257b2901f33e537d99dce2b

Download Submit
C:\PROGRA~2\MIRCCL~1\system\data\Sounds.txt

Filesize
1KB

MD5
8983778f9f47dcc213b76fe5a752b42b

SHA1
9dce5509deacac4389716fc4372f0c5b410a672a

SHA256
ca049b8c03ecb95ea4ff0c1cb133eabce097474551249734c9aade5d7ba42a32

SHA512
8bdf1b36ffbe4451b1209523e3e6198d29a63d39d0fb70c4283c263fa0e62265a4f5ca694ca92b244958a339dc7eab3e0842b03e8bed3d94e06ba363dae48416

Download Submit
C:\PROGRA~2\MIRCCL~1\system\dll\CTL_GEN.MDX

Filesize
33KB

MD5
b1dd704e30c3d40cbc10ca122815f852

SHA1
976584979bec7d15d725603cc5fbe34c8e02d58c

SHA256
b1755f336dc45ca0489a3bc6528f0f167e1b7bb4334ef2185cfe295a7786c6e6

SHA512
7f2133771bec56f9032746aa79b3996b66d4c0393a08105b0ab1d6dbc3f6fdac72dc2048b354c34d845b2e90c2dd8a88888de50932671e29f3bcafbb5f1d9058

Download Submit
C:\PROGRA~2\MIRCCL~1\system\dll\FKey.hsh

Filesize
354B

MD5
70592e626acf954bd118885ffcd59cb3

SHA1
08b0bd1c6506f60b50bf31c3990ce7b4de25be8c

SHA256
18e215d6a6ae688ae7c72221e908817da1abfd0746b6c6f2dd37f5daaad4e263

SHA512
dcb547fbc430b8ee61fc4d21498d5417f1b130a708575ec976dc35775e2fbcaec7fbdb41b825dfc4c577f1e1e44308be661650a29c355d7c63664b0798a21c4a

Download Submit
C:\PROGRA~2\MIRCCL~1\system\dll\hos.dll

Filesize
109KB

MD5
b4e148ebe4463ea8b4edc192388a91b2

SHA1
720f7f2ca739fc286c002eb9417c1cb0fc66dbc7

SHA256
f0fa4e6b528af7b97567bd500f819cd974afe123c9d8b37a32dff0ef3cc65ff4

SHA512
5387a6839dc6a0eae6c171c93874a988d3206ebb5e4ecbed015373ee71592b70a1b949aad4c329412f0a3dc2d79d20448732696ad8d0ad4b40193856f6c2681b

Download Submit
C:\PROGRA~2\MIRCCL~1\system\dll\swamp.dll

Filesize
48KB

MD5
09e01450c15c2e602daf9fe3262da4b5

SHA1
6161c7c028780b8f6df2ef2a5f0308ca5612a764

SHA256
121b402316261df1a2828e7c2d4111e06092716bba840b779cf7a2c01a59a941

SHA512
c0c7e76ebadafba4dd53aaa8a690b966fce3674925e1902460f44b5e6d14f77499b317cdf13469937a99756c34794b82a0a7503dc4e2f499844edab9e7acc9f4

Download Submit
C:\PROGRA~2\MIRCCL~1\system\icons\01\icons.icl

Filesize
1.1MB

MD5
b2851c609a64f00ca94b316e4620ca58

SHA1
658ac6d474836cbcb5fa83a3887f0e75dfc4ab6f

SHA256
82d0113346845aa03bbfcedafe1316e52cc0e4f807e1bf55e1794ee0a4d64b28

SHA512
f8a16d28e00665db1441f4380ac3b74a9633ec17385f2f8c35ec60601403f2b95b86a40496c3aec283b370618d76b38bf7190c92cf79125393b9d0f94be2c748

Download Submit
C:\PROGRA~2\MIRCCL~1\system\icons\1\1.icl

Filesize
26KB

MD5
021691c5969c406be6768e9ee508429c

SHA1
98bceda393daabb496b6986ec111faa87462f3a2

SHA256
78ae16d0a2c13731bd030ba2f56358d1ea7e3c26a5905fe6f80fd7066b2c1a98

SHA512
02cc3581500b289b9ecf060fa49773432cf862d920260080fdd2f00fc0faedeba712ea1aaf0061882912117e889515e051810adca3bb465cdcb9be088047beed

Download Submit
C:\PROGRA~2\MIRCCL~1\system\popups.ini

Filesize
41KB

MD5
a4c043b88e7e2eaada872fcb314df5c0

SHA1
46b9a8a58cda113f5929381599bf91e22a408d25

SHA256
8de0cc5d4f962aad81a0a76fbe211e6e57f10abcce813429012f10417ef52569

SHA512
cdcd0ea2c0d32d3644a1c15a732ae8461122c1f6b689a3bbea73d9f5a24f4ea5325fe1ea0a2bd4b9e17bab4384e57e1623c4ef3598c22bbd2aed84521c6eaab5

Download Submit
C:\PROGRA~2\MIRCCL~1\system\remote.ini

Filesize
3KB

MD5
87fd350ee23f4a08d10b78647b9b16a1

SHA1
0be3850aa1d5c10feda27467f90f4d220e4c4ae1

SHA256
c96aeb5921c1ec382ca7c965cd9de719c39407af64b946a1d37bf4192a6f104b

SHA512
81af62315600ec44027604e2298e0d3c94e9897840b226f097f21f537d3e903bcdc680c4b0d939d17cee5f3969ccea1e26852ba3b4d6718810f29c46fb750ddb

Download Submit
C:\PROGRA~2\MIRCCL~1\system\script1.dll

Filesize
3KB

MD5
2a0a6c730333dacad3b8077bf861cf88

SHA1
0d0b4bc4e624b882b533a924e46b074a8bc49033

SHA256
ba477dcdf1dcb34d9e18b76edcb60cfc7203e65ca44a863a0009d0f83ffb8f0e

SHA512
5f66a7f8026d4bc42e9534fa82106f39d4f9e1b1778fc88624dad8656b3f7f90518f2974d2a265571844125b9a94e12fc679680c379d5405d23a3f5acf77d655

Download Submit
C:\PROGRA~2\MIRCCL~1\system\script2.dll

Filesize
3KB

MD5
786d1d2ad5fbaa1ed30a728028f3539f

SHA1
0e0a407d20475fe4aa7c802d4ad5efe8c35077b9

SHA256
10f82933efbfcb7c9e53fdcb2c0b5c010b693a1561aa8d9325ff12148f39f1fb

SHA512
82ea2fa4bcfd0fc8160adbe69f5cf645850f0bd99dfc3a3e87083924569d0d928f62601a15c9a4ec897ef4bfea75f6e6528ea178db02baee9805fe7cf20ef50c

Download Submit
C:\PROGRA~2\MIRCCL~1\system\script3.dll

Filesize
35KB

MD5
8f1eb2bdc57dc4deb04171801e775389

SHA1
185f301040328793769df47adb090695a70689a6

SHA256
e4fa69f7dcef29a556f54808f0a6aad4481c61f76bccd3972848e4e4c2503ffc

SHA512
75a693d1270d15a859d13c56a14d882b670edce75a6f00674582a730532c00422bcc9e4f0dd855358c371f47ac561ab6ad1cac39beed9d7c7675ceb011340939

Download Submit
C:\PROGRA~2\MIRCCL~1\system\script4.dll

Filesize
56KB

MD5
413f1e910e1f6a734a7f83299d75c0a5

SHA1
6cd3d2af2331ef40c4b8cca0dd54f474d8e4a625

SHA256
491bf20ba5091de58d034c3cf1e843659bf32d97f32f6e10abe1a43495f697d6

SHA512
017ea098a57368b9aa2b36075807c660eb8ad843813bc66f261105f68714b8362a1090af2093fddd644e9093b86b4587958561120e05ea935d89dcd6794c142f

Download Submit
C:\Windows\SysWOW64\Sys\AKV.exe

Filesize
387KB

MD5
81f6a58eb4c46ebf68ac1dbcdeef7901

SHA1
1732b02862a98c039055e1fd5b817b07af76659e

SHA256
72fc82a07b19ffb5f2c8e2f292db1b0ab42c96b12ef10110562eddcc2297d3aa

SHA512
b0d1325bdf8dcd2683e46f8dfb984fbf87b7d92d8ec3f2a0d8330a313d6ae26847ca5e4a0ec9bd65d8ef09344f2d489af9a2866b3b2a67377c14fccdca63f6cb

Download Submit
C:\Windows\SysWOW64\Sys\TIQB.001

Filesize
3KB

MD5
80aae576b96c44559230d21d87e01717

SHA1
edf5487df8c5b9326f1dc2400b319fb81e81d7b5

SHA256
4620647763dc5862f75ba9983c781e6638dd136790e3ef2427abe6b82b7e11fe

SHA512
e1ad89e97cc877f7d309f7b33fe2b7014d1424cdd2bf1bcdbf9063af47c1cc4fc7ffb87a2919c3fd8e9073cf953e5116b1004f0e87937df0edf0989c602273a4

Download Submit
C:\Windows\SysWOW64\Sys\TIQB.006

Filesize
5KB

MD5
271bbf07cc8006c3335db6fc21622be4

SHA1
cb0caf39bc1cab16ec8a39d6a11160865703c329

SHA256
5d6e4701d424e8e095b95c98f87bb1946ac0254bd089d128c4a4c3e5b13ed5d7

SHA512
65dd41d4bb119d1f3801dc3097254e967d747661c83bfe0cd3c061441b63e1dd4928a0476fbd4a015631ecf1d511d2f66ec87f2bd078b6bce0b86fdb659392c8

Download Submit
C:\Windows\SysWOW64\Sys\TIQB.007

Filesize
4KB

MD5
2d8ec35eb48bf5cbc8c38a7a8d6cfa51

SHA1
4f43dc1a30731acba6d33b52c3970c9815f5be34

SHA256
7b6d9330aba21844b6f267489d29f0e10b4beea3a749b72d5dec9e8761c98d3e

SHA512
0a2f41f3e88132e56f7ce3c83e24753c80c9344011b0dcd943def8733b79d197e10ad5fba82be08f0054ec5d4c9af731f1a1eb4e041a93cd81c25b364087176e

Download Submit
\PROGRA~2\MIRCCL~1\system\dll\BARS.MDX

Filesize
25KB

MD5
16967b88e1699ff881999b423a916fb9

SHA1
c614f8077e7ec04311077158b3800fe42f92d759

SHA256
b6dcb56cc9bcbfabb0a5b725ccf396c52e8e320dc1e71b5915cedb8f83cec2e6

SHA512
b63dbaa521d15480d971acc78287392fcf317e3ebb748e8bd199ba8509fb99f623428c4a23216034e466dda987b29cd9799389b4e7c6741d58f1e0fb080b71b2

Download Submit
\PROGRA~2\MIRCCL~1\system\dll\MDX.DLL

Filesize
41KB

MD5
901479fce8b78f9030c20a8f7a236e25

SHA1
4bfc1c28fecbe899035a0d3d66b72a0f7e709cd8

SHA256
50f52db4ded447793b13aeeaf26f41f6547c2784443fafd7e4d43758614c33bc

SHA512
dda26bf97cc75609bb95d087164cbaca1976b133871899bf974bda2975550719501a8ea9c093d8591a5c87819ec081c2fdf30a10c4305a230fb9de134154bd42

Download Submit
\PROGRA~2\MIRCCL~1\system\dll\Mircustom.dll

Filesize
4KB

MD5
bfe2cf7876a8d40e43557694ec1d3f6e

SHA1
784634fb52be39de93c363626823c28a88bad56e

SHA256
c1602aa533fb2a4261fa6174ef32d66e91e325bf8b6ee8d7487e74e2982d1183

SHA512
65dad85242b2fa6fc720062ab4ae8c6539bad779326f264aa841b3941abd471f9720a6b0a1c59a1824214b783eefbb7bbb3cbe3b9fd0aa731287af5d87cf57ea

Download Submit
\PROGRA~2\MIRCCL~1\system\dll\UltraDock.dll

Filesize
20KB

MD5
ce12dac874d384a564029773f62139a6

SHA1
87fe79519b6bc6c2b4c894482fd181721d0b5028

SHA256
14ee2dac3dc97e3fa52f5987a119fda8763370a4ef2303f28930c89ebbf54450

SHA512
444f7e24318c1abc486863d01eaea371e17f1c340933fba8a3e11c7f5585ccd4394005a0264a7f1b851d3744bcc5cbf790eca6be56e8ffda85b52be166469711

Download Submit
\PROGRA~2\MIRCCL~1\system\dll\WA_Link.dll

Filesize
83KB

MD5
67e5683ec625bdf69ba7bba108b14f97

SHA1
bdc302f1c64e351801b351a91199d54d1a84a907

SHA256
f3294d0c0a54266f88ed7b684a29f5b8a2e2049e43bd4b1524593fa479f6e751

SHA512
5b342a9367b33de4bc12829e635ee4a34b898854408bb15aa5781396ce1a47e8c6a52045ebe2e7f9e4689fef7bf757e094c31afe4e36ecce5d8c7bc51379595b

Download Submit
\PROGRA~2\MIRCCL~1\system\dll\nHTMLn.dll

Filesize
10KB

MD5
2dab60cb578b939391a660ec413de806

SHA1
eb417123ce7756badb27b154620a9ee3d78f55b9

SHA256
6cc53af7fb844b8707b52fbdcd0c4479ffb58cfd51d07f4c0a885033879ae19e

SHA512
768eb205f5975dcf76a63b1cd54e24d5115288b539aa810b435427222a98e6eb79cd16f3f614ef2051d1e059b97a5f8819d4098dde067f20955016779c746fd4

Download Submit
\Program Files (x86)\Mirc Club[4] Script\Mircas.exe

Filesize
1.9MB

MD5
71c1fc782db8fbc48c36615a43ff615a

SHA1
a0993c8fa95c1c5a39ff8c82f117ef61fc4a40ad

SHA256
4f130ec5a628bdb7f4e7328cd30a8af6a7b3f0d19bf8e0a4c174b207d108925b

SHA512
6c89bcfb954d37d5598b0f709f481986e09033e42eb6c9e54d0356ab91be103a163a993d611fe9369905bf0e3770b8d9d5178ce870c00f5dace99110594dd863

Download Submit
\Users\Admin\AppData\Local\Temp\@D884.tmp

Filesize
4KB

MD5
b8416a532c8e995dfb2789ff77fa5618

SHA1
b5421c4f4ae3f27a9278b60d6ef683deb3111251

SHA256
f93ff177d9d79a04d8a35a57689e9977babf939de260f27fbc832c0be981ca89

SHA512
30dcc35db52f723490ea03df3abe5efc9374035a339f060a7468cae79bf8ba379538a87ad5217f0f0e06b741fe6497917b4226e65ac9c0e3026900244c3094b3

Download Submit
\Users\Admin\AppData\Local\Temp\mirc_club[4].exe

Filesize
4.2MB

MD5
f6fed64f0f41dd7962a63345e7193626

SHA1
c6e9fbcb5ef1ee10bd430e5111985a697d4ee628

SHA256
0c9f66d5b3dceb5478eb24d9bf770508bd5f1b45f2a876f5a3b2ab0e3550c81b

SHA512
bbecad7b97fbaa9d6a876cf544b76820a5eae02f95887aa0d2c316dd96b7fb119079e5e3ae2c74ca67a57bf3b828e9865deb7ee71eade685fe266d95c8ff3393

Download Submit
\Windows\SysWOW64\Sys\TIQB.exe

Filesize
468KB

MD5
62401443a0feeb13a9940fcc78558090

SHA1
6200cf99b3a6a1bebde29378a6260ddf92d13370

SHA256
69761c67078239fa4e05676e0974f7d7410de0f6f00d19f8f69c9a180c0d5de7

SHA512
2001aa6875728c2ba75b1f8ee44fbb87a508598194f5ed6e5945292c2eb67874c3bc619da84a107ac0e5bc83748625eadcae0ccbd9f1f5414575db3fc3e92ce0

Download Submit
memory/540-539-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/540-536-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/540-575-0x0000000004190000-0x00000000041A0000-memory.dmp

Filesize
64KB

Download
memory/1756-35-0x000000007706F000-0x0000000077070000-memory.dmp

Filesize
4KB

Download
memory/2632-41-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download
memory/2632-26-0x000000007706F000-0x0000000077070000-memory.dmp

Filesize
4KB

Download
memory/2632-23-0x0000000000290000-0x0000000000291000-memory.dmp

Filesize
4KB

Download