ardamax | 91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454

Analysis

max time kernel
145s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_788e554c0938109f4ec5cb40af7bd228.exe
Size

600KB
MD5

788e554c0938109f4ec5cb40af7bd228
SHA1

62709ae17f8bdc45d5afae2fee3b954aed9005a0
SHA256

91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454
SHA512

93670d12a873650f94d5d55e09f51ceab2db50e18d1a217a4a0e938cc786cbaed1b534ee55bf92c95d46c45b6a226d37608aa6d820caa814b592f88a8c1ab027
SSDEEP

12288:fRhzupXfGlLO5MKsTDqtOotOBuI9NxpyLnZg:Zhz+ulKJS2PtmuSNxULZ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.drivehq.com
Port:
21
Username:
cet90

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000024054-60.dat	family_ardamax

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	JaffaCakes118_788e554c0938109f4ec5cb40af7bd228.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	ardamax.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
2836	ardamax.EXE
1800	Install.exe
3560	RKYT.exe

Loads dropped DLL 4 IoCs

pid	Process
1800	Install.exe
3560	RKYT.exe
3560	RKYT.exe
3560	RKYT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RKYT Agent = "C:\\Windows\\SysWOW64\\28463\\RKYT.exe"	RKYT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\RKYT.006	Install.exe
File created	C:\Windows\SysWOW64\28463\RKYT.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463\RKYT.009	RKYT.exe
File created	C:\Windows\SysWOW64\28463\RKYT.001	Install.exe
File created	C:\Windows\SysWOW64\28463\RKYT.007	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	RKYT.exe
File created	C:\Windows\SysWOW64\28463\RKYT.009	RKYT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RKYT.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\OLEScript	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\TypeLib\ = "{74EFFBED-7401-2254-28B3-5BCB299126FD}"	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\Version	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\HELPDIR\	RKYT.exe
Key created	\REGISTRY\USER\S-1-5-21-805952410-2104024357-1716932545-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\ProgID	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\ = "SHGINA_USERS 1.0 Type Library"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\0\win32\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\InprocServer32	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\OLEScript\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\FLAGS	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\TypeLib	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\Version\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\Version\ = "5.5"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\TypeLib\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\usercpl.dll"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\FLAGS\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\FLAGS\ = "0"	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\HELPDIR	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\ProgID\ = "VBScript.RegExp"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\0\win32	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\InprocServer32\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\ProgID\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\HELPDIR\ = "%SystemRoot%\\system32"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\ = "Haketiq Ecoxaqa Class"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5FEF5D17-A8B3-4B94-2895-41D01A85B62B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\vbscript.dll"	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\0	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{74EFFBED-7401-2254-28B3-5BCB299126FD}\1.0\0\	RKYT.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	516	firefox.exe
Token: SeDebugPrivilege	516	firefox.exe
Token: 33	3560	RKYT.exe
Token: SeIncBasePriorityPrivilege	3560	RKYT.exe
Token: SeDebugPrivilege	516	firefox.exe
Token: SeDebugPrivilege	516	firefox.exe
Token: SeDebugPrivilege	516	firefox.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe
516	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
516	firefox.exe
3560	RKYT.exe
3560	RKYT.exe
3560	RKYT.exe
3560	RKYT.exe
3560	RKYT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 980 wrote to memory of 4824	980	JaffaCakes118_788e554c0938109f4ec5cb40af7bd228.exe	86
PID 980 wrote to memory of 4824	980	JaffaCakes118_788e554c0938109f4ec5cb40af7bd228.exe	86
PID 980 wrote to memory of 2836	980	JaffaCakes118_788e554c0938109f4ec5cb40af7bd228.exe	88
PID 980 wrote to memory of 2836	980	JaffaCakes118_788e554c0938109f4ec5cb40af7bd228.exe	88
PID 4824 wrote to memory of 3784	4824	cmd.exe	89
PID 4824 wrote to memory of 3784	4824	cmd.exe	89
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 3784 wrote to memory of 516	3784	firefox.exe	91
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4092	516	firefox.exe	93
PID 516 wrote to memory of 4496	516	firefox.exe	94
PID 516 wrote to memory of 4496	516	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_788e554c0938109f4ec5cb40af7bd228.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_788e554c0938109f4ec5cb40af7bd228.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:980
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      Drops desktop.ini file(s)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:516
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2032 -prefsLen 27021 -prefMapHandle 2036 -prefMapSize 270249 -ipcHandle 2112 -initialChannelId {9ab2d211-1098-4e57-9756-bb000321a4e6} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        5⤵
        
        PID:4092
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2492 -prefsLen 27057 -prefMapHandle 2496 -prefMapSize 270249 -ipcHandle 2512 -initialChannelId {066be7a7-98ee-4257-8904-e6ed3ae50686} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        5⤵
        
        PID:4496
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3864 -prefsLen 27198 -prefMapHandle 3868 -prefMapSize 270249 -jsInitHandle 3872 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3880 -initialChannelId {3ac61961-5748-489c-8e15-81eabff48c70} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        5⤵
        Checks processor information in registry
        
        PID:3452
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4028 -prefsLen 27198 -prefMapHandle 4032 -prefMapSize 270249 -ipcHandle 4112 -initialChannelId {24904ceb-b57e-4857-8ea2-98eaff257141} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        5⤵
        
        PID:4024
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2804 -prefsLen 34697 -prefMapHandle 3236 -prefMapSize 270249 -jsInitHandle 3240 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2936 -initialChannelId {0343ace3-91b2-4732-8a96-3cd58f31ee5f} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        5⤵
        Checks processor information in registry
        
        PID:3364
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4832 -prefsLen 34853 -prefMapHandle 4836 -prefMapSize 270249 -ipcHandle 4844 -initialChannelId {0bc1a19d-20f9-487c-88e9-56a53b8bdbea} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        5⤵
        Checks processor information in registry
        
        PID:5124
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5428 -prefsLen 32809 -prefMapHandle 5432 -prefMapSize 270249 -jsInitHandle 5436 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2908 -initialChannelId {62768018-d10b-4eb8-97e0-784952300922} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        5⤵
        Checks processor information in registry
        
        PID:5440
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5596 -prefsLen 32809 -prefMapHandle 5600 -prefMapSize 270249 -jsInitHandle 5604 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5612 -initialChannelId {d44a355f-e7d6-4f17-8565-522201c1e8fa} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        5⤵
        Checks processor information in registry
        
        PID:5480
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5728 -prefsLen 32809 -prefMapHandle 5732 -prefMapSize 270249 -jsInitHandle 5792 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5800 -initialChannelId {fc39dc03-f8b1-4ab4-8afc-f06edac093a9} -parentPid 516 -crashReporter "\\.\pipe\gecko-crash-server-pipe.516" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        5⤵
        Checks processor information in registry
        
        PID:5492
- C:\Users\Admin\AppData\Local\Temp\ardamax.EXE
  "C:\Users\Admin\AppData\Local\Temp\ardamax.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:1800
  - - C:\Windows\SysWOW64\28463\RKYT.exe
      "C:\Windows\system32\28463\RKYT.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\clr2s0gc.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
2448b30d29696438b60dc48d0cecb835

SHA1
1c5665eaeb6f38019e0d5dcfc5b4c176fbf12420

SHA256
6966b83ba7c23007cefce85511a50cd8004c511c9d929449a878286fe9a745a0

SHA512
c7236ee89105aba7850f7eb06c755affb259aaa1c3a6b8613e8cc8029b19b71bb3bd6eb4ffd6ed6580396fa58c677806c1e575b443f3e7eaec302707868763fe

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\clr2s0gc.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
649902631a544dd0f6b0d3ceb7734dc0

SHA1
0f926fa5ab97fd4c509822e78bc9d40826bbb763

SHA256
2146a7123e41671b1d867cde55649c7755367c4328801135e687cb121ea3ef85

SHA512
9fe73cc73df7ffc90c4fcfb04b52e3a1d9f12b0943efed5dcf3195ab1b3f97b3474917d1d4b0a9f772e0ce660ece1cce18d2c4c32fd16370a58e750c7bd40ced

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\clr2s0gc.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\@7148.tmp

Filesize
4KB

MD5
f1cf9fcbddeadabb738de497ffefdced

SHA1
7385a7c87e245da89cc5ef8f9295678c1566f25d

SHA256
086083bc73b14286f9c3c29df8b8dc6f014d8b084267fbaeee0af56344d1f779

SHA512
3a3b9d279b4c131ef3f358e0163f60ec9e60160a2cc45488adb915fea6642f3df5d35da2ccb6983d790401d237fbc808829f42c42ef958e7a0eac98fc33bb3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
566KB

MD5
41dc0fc1fff90a9d5d28f64da7f5b4f4

SHA1
03fb38cfec8e4cb088c9f2d3edb08afbf5c08f3d

SHA256
9c8ad7d35fa160b6254c62c99487e9d846c7da0e7d4900c7c6b707294aed4eaf

SHA512
29b816459333dfe4b269ee16eb6f11c622e0b10959f2431a7d14efe3861e24acf546e955736a1554404050bf1adc34abdd25ea178ae3a16c836aa8004db11377

Download Submit
C:\Users\Admin\AppData\Local\Temp\ardamax.EXE

Filesize
581KB

MD5
3a19cabf65e0f578e8bb61e2579017f6

SHA1
c12f4dfe9f4082ddd5b321a70a70e2eeeeeaa2eb

SHA256
3e26364fc5c4799e494eeab424fa632c4a7a629819e1582dd931fe08f9e43998

SHA512
6759f73b0462f6be26051dcbb4e78b8f13f5b3da74145aa0ac9fa05d85d1ae5c626ee4d06bdb99d48b26c772a32dce13cd20be15c3e712e703d47eee795d6f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1971075-64e2-4f7a-9058-12ca8ddca48f.zip

Filesize
3.6MB

MD5
8f0ac7253f77aa16992f71633fd14a81

SHA1
1d52e3fbcdeb0f224cf2d3f0713803dc31486ee2

SHA256
fe3b34e1b42d481a880f114fc6abdb6bf7bf19020f3d41bf1125ae6deb69bcf6

SHA512
426a1c0c4e4a8f4c4040af099563c369230a25325383c2a62bbe5b8598e580d05d71b29684ffce954d17c93049226ac64f077b349e12372b1815ecef1bbd3bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
23B

MD5
234dbc908f632fc9fed55bd63e19e1f5

SHA1
39e7adf222e3eff34d33f65bbd56399aaeede7a7

SHA256
b110b65a0722a06873690dba696b25dd321365313c6f0e2db908d6544c8c5f98

SHA512
b4d32a3da8f1e9bd245303607b59df9eea19cc8776587defbac9384783004b150f2adad49e9ca369e643a64de7b747e276fef9486dd8ee1f3e263bb4e1521493

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\AlternateServices.bin

Filesize
7KB

MD5
2afeac961ece2200de53fd74a999f580

SHA1
64efa42b79ea4124ed439bb4f27aeb5348453a49

SHA256
c99231cb145f22708448610f11b6ca5730c4efbc62aa236ea6cfe4b90198489f

SHA512
407868b3e68afa8b2de20e9d46e2a050c4d09f061cba2d7e5955f0df1d6f4f68803f8c8232a9901c5e8e0f30fda9f00b570987d7d337554adb7987d4609cba4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
81cc75e2e13faf993eead6a95d2b1439

SHA1
c5ceefa9fb531373e5e60ec4e401c3e3b0936149

SHA256
027b446a13ec692ea137676c2daeacdf0904a00e685a5ad21a6a64c99b2ce64f

SHA512
2ad271f7f78db7e275333dee896b435a823f0f072bd2ea5352a7a4cb92d0117a786152945f1f09fe03821d898eee32ee8ae17329f704812eab0f1c24a40ad892

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
3fc6a93db8b43cb2a1966202cfea41bf

SHA1
7f2fd48c700434db1deae23d4a4ad29775ccbef8

SHA256
cd11de75ac1f2d3e1cb298c7aea84f0e39389362daa498facfeae069881b12ff

SHA512
6a1d2a8d565e69c0b5f2399ca65a6af3bff12594ce0bbbc74a0b2be787e25625365178a31da44b072d98c93ae0203895186c6f43bcaa31973556be2c0eba8f2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
a5e39d7ffeff8496f9eaa491acc089f2

SHA1
ac35e27f68f58bdce1d74aa3ecf7fc30a8b6bb6f

SHA256
3da9ddda3d29e688d30b99695762639211fa3f839cccb3c2297c75fd62395231

SHA512
05e8ee6477393d016b4edb08709156fc1524bab7ebc2e1dac6e7ad105a85b53de3412effa334ffe2e08214679492b312910e2177f63b0c95319f6c1641960a86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
32KB

MD5
54280ca121b0500e6ad72524ddc11466

SHA1
f5517a9e0f335f5eddac0153a4340370b0936fc7

SHA256
d9bf6e6ada2da907f6d2067ebc12e1f740584d5bbc9b019afd8fae83188ae6ee

SHA512
e9c6db47a03a6b9e76da0581066cc0e9632588b6a440023f75d70dbe42ee791e0b02eb2e5860d896b590bc550cda2ab3159825db3cc1287c164f4a9233d1f64a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
51290a853d43abdc2ea8e954f2ebc822

SHA1
4d6dac7383543d5f31f1be5014197753b7a5d8a3

SHA256
841c4413da3c046fa14dd9c9de7848229ce3cffc61d02f51a4e1ef9f6b9e5565

SHA512
8f0b3dd9c95a2d007a9b0a12ccad8f3821cda3b018a18fe038ccf52e6f99d5c40b149b019b0e6b4f1a0ac68bd2290f75d799b1167c806b4202e755892daf6e36

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\0db23b80-21fa-41c1-8400-a15fbbd213cc

Filesize
235B

MD5
f6d0494a3f26954953c397725d519265

SHA1
a9edd533b5d80ada3f761d471b4e787082bbfc5e

SHA256
5d1c54434c11817f80562a878ec11d44aa6b12428e42079d92730a0c599822c8

SHA512
f8497d39dc9d726278c7232801886d582c6767cb294722880f846f6d1645916ca6a40c016840a84e15622d5ae2f176768c8c41fd2854fd0de0287e4daab02fdf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\3b011b43-c751-4359-a3c4-44634b15b44e

Filesize
871B

MD5
c1b3292d0a31eea522dcca4e881519c6

SHA1
8884fa716f40ba0815b9fb0abed24b059c4d86cc

SHA256
8e615a5b6d1d8f050e948a03ef034fa056c1c68e4f2018708621b1446300a7d7

SHA512
98ed21e7ec610ca1ae693b587177e65527e59d3a0788c71a407ae6dcc3e445e00c5c3b4367500bd36a033682523b8f76b94350425470be973ee08473ecb0eac5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\ad808e92-3b2e-491f-9bbd-985bef6bbd4b

Filesize
886B

MD5
89c2faf48d7d6a3c00bfe6dde6fb62af

SHA1
9ecd7c6d8e71f6804f55644d701705b0477e1a28

SHA256
59c9c7cb25a1023119bb5fb091b22fe10df69cc0e0b89a8fb69b479132917d45

SHA512
548bcccb969461d2b9878d2dee845061e9588528ed3c8014bac9ec590994aed0122f48ffbbad66143e2e1d3219a9307e14cc9e10c3f7c7386d7f9e9ff6860d8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\d8a8541b-3e13-4aba-a083-408b21cbbb6c

Filesize
2KB

MD5
dbaad79bb2cdba366229da6373229bd6

SHA1
4c9de3a94abcdce13d37f724de471f1974d6231c

SHA256
c77ecbe697c80b91ce3c5d8333f4a776bcdf86de5b16c1629a9f844cc37f2ef8

SHA512
b15e676ed3d979a457b65f23cef8a8359faf98d2ff0065b13e53e86be7d5b7a108a8ca56c7bbb9174a8d8bc8b36b7f15bc57c1d0f105cdf673e23eb476808678

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\datareporting\glean\pending_pings\f372f97a-c8b0-4674-b6e8-8613e9090eb4

Filesize
235B

MD5
29e0420ba80c992b4ef45b2034686679

SHA1
b2c91e9f6dc70ddbe3d44e3e7de3d110fd845560

SHA256
c14be9db07f90b0cfb5383167aaf5732b05844e95c535830d8823bf7cc895628

SHA512
fe6115fbf68dbaf166d74a055dcaf3f37e5855288fc34490f5ecae3481f1b54c52dee60e24318094e9b4d149df9ce89e9f68e4a3232d553ef4d8bc195cce0b7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\gmp-widevinecdm\4.10.2830.0\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\gmp-widevinecdm\4.10.2830.0\widevinecdm.dll

Filesize
18.3MB

MD5
9d76604a452d6fdad3cdad64dbdd68a1

SHA1
dc7e98ad3cf8d7be84f6b3074158b7196356675b

SHA256
eb98fa2cfe142976b33fc3e15cf38a391f079e01cf61a82577b15107a98dea02

SHA512
edd0c26c0b1323344eb89f315876e9deb460817fc7c52faedadad34732797dad0d73906f63f832e7c877a37db4b2907c071748edfad81ea4009685385e9e9137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\prefs-1.js

Filesize
8KB

MD5
5aaa4cc5e94e35770556001f55a15247

SHA1
b5f0ab6bf10a684f9ad55712b11f17aceaa93460

SHA256
abafae8b192727d59a4c4a5ac34fee1e9791b5e1862554602d55763297d03342

SHA512
aa68c3afa1a0cec37843304b625400842429c3d3b9b347a5dbdcbb8c7680f82672e71983976ef60d5dee76b61328e1b1dcc3f62bbe7a0888b10533070b29eaf9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\prefs-1.js

Filesize
11KB

MD5
5958016397025f0d709d0da97f473d64

SHA1
0bea436f9a52fd29a81fadaeadb02bbc0eced53e

SHA256
b0b52ca5dab4aacf4e20e7b4762fd6e3462f477babf80d4f81e93100279a8244

SHA512
893c4cd40e467091515231d928b91d731ac08d8639882ed8451395baf70ee0ab758be3279f862cb631cf862c31cefdda432d42551b573ff44cdf31d1f44f7a9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\prefs.js

Filesize
6KB

MD5
d345f446a1d5f72dd8367cb2b15aa0f7

SHA1
d46dfea59ff8e9fbc17bab73b0083203f2293db9

SHA256
73b0a7cffbfd2f87a55f94378a7d21732bed4df091b342375168052d491c3f36

SHA512
58c143595a394f7c3d09a52580008a85d70d723752162b8ac6b94fc0e89a6e09f546f4eca55bfc5a27216438d76c041145afc0a3fc259e14f4719f30c01239a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\prefs.js

Filesize
6KB

MD5
041ae15ecb8ee3acfa26271a96a41645

SHA1
75993133ca4e9ff007fac38d9fdafea37e55db71

SHA256
b14965dcb0ae48d4340214d185ad8d1016173f577235880220790baf0238cc43

SHA512
3f0c912e31f5a107e99ced7a78f24e9a2c2cf026bda6477200a5029e4920bb4c445619688d2ea3d19ed1792511a075852186841662a387ae16831838d89348e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\clr2s0gc.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
37fc2f14be00e831d832b54fe894aedd

SHA1
485b810c4188c7e007f9e62483c4c466443b920d

SHA256
98060dcf0f61d01ca865f829cce194607fc9009bf8a1ad8fa32c52526426be5c

SHA512
28d08e56a0e06b8ee2e33be5a0937529dbf47969173db34bc3d8465959ae4eec95d6f4e8dbbbf8aff016a0a02938a3bf98e511236b78617dda248b8bd28049a5

Download Submit
C:\Windows\SysWOW64\28463\RKYT.001

Filesize
374B

MD5
2e33a26777c1717ee92cc27e6f1c3979

SHA1
dbe6ecd86d9887415e7793e22cf5aefd606cfb7e

SHA256
035eff176236050769524579965c1781280b61e78278ee45bb1962737bfcab32

SHA512
76e6f99566288f4737c2122935bfaf13560406e8400cd372b4f1000d789d7834be5ae2aec0305a5436266945d9546a6dca342923ba1ffabdbe4ddc6a3f6ba342

Download Submit
C:\Windows\SysWOW64\28463\RKYT.006

Filesize
8KB

MD5
31854a50b294dd312eb7fa9eb1c99537

SHA1
e0b1682a001e15d0e0e1c1ca732cafb5c80b3160

SHA256
2fe2d55aae2deef38a37c9679d74ecf05699d6919760794f69583b43b7fe308c

SHA512
0482a4981ba242d4e931bd8b9eb5d606492cffb7609fb69fb349ed19c7a9e36a7e240e5ebe759505d253c5e72fb771612a76419c36fb035987a166569a5111c2

Download Submit
C:\Windows\SysWOW64\28463\RKYT.007

Filesize
5KB

MD5
603451f504bedb28c3a7bae4c89abf24

SHA1
cbfe12186b54663f60663c349739c7a49950c44e

SHA256
e4d6577ea390274308877284b6d0cd6672aeb0e76c9c9847ac59c0964f050d13

SHA512
136e28e288b3ce26b37c82b078a3440e3232c0f874d7d33e8e6fb6eadfd0024b9009448500c716523b81f142fa3bebf7d11f1dd3e8e6143867b06335eb5f9612

Download Submit
C:\Windows\SysWOW64\28463\RKYT.009

Filesize
463KB

MD5
5aaeeefc69950fadd734e4e8db4e09ab

SHA1
d6c02c3d49636954fda9912c1838a640a5d30fba

SHA256
234d18344fa258b4546aa5546b1f89a4a80b56ed59b6b0dad64c2b56bb5fb891

SHA512
966a0ac739b222bb8a415827c693b194cd80f5244e02d783a286cd2acfa786d37c261d069b7b97ea12ea3eb89f482ddc417d106f6fdbafd204b279769e13b8f5

Download Submit
C:\Windows\SysWOW64\28463\RKYT.exe

Filesize
648KB

MD5
ce568bcaf7285124f764aff92f5079d4

SHA1
886f698e2239cf615f12b503853a5fa28c53aefc

SHA256
59d7d6de8a9e2d5535703d22c36888889530fd011d7f71cf034e93e36e7527af

SHA512
9f6e3496930cb5dd9c9403acc865bc94f63f64af49a27ffeedbc9d9082d50bff4a7a772bb98d4a2719f0ecae144393de9cc273ba83ae00abe347b0be0d7c9866

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/980-3-0x00007FF9D60F0000-0x00007FF9D6A91000-memory.dmp

Filesize
9.6MB

Download
memory/980-2-0x00007FF9D60F0000-0x00007FF9D6A91000-memory.dmp

Filesize
9.6MB

Download
memory/980-0-0x00007FF9D63A5000-0x00007FF9D63A6000-memory.dmp

Filesize
4KB

Download
memory/980-56-0x00007FF9D60F0000-0x00007FF9D6A91000-memory.dmp

Filesize
9.6MB

Download
memory/2836-25-0x000000001C1D0000-0x000000001C21C000-memory.dmp

Filesize
304KB

Download
memory/2836-20-0x00007FF9D60F0000-0x00007FF9D6A91000-memory.dmp

Filesize
9.6MB

Download
memory/2836-18-0x00007FF9D60F0000-0x00007FF9D6A91000-memory.dmp

Filesize
9.6MB

Download
memory/2836-19-0x000000001BB00000-0x000000001BFCE000-memory.dmp

Filesize
4.8MB

Download
memory/2836-21-0x000000001C070000-0x000000001C10C000-memory.dmp

Filesize
624KB

Download
memory/2836-17-0x000000001B580000-0x000000001B626000-memory.dmp

Filesize
664KB

Download
memory/2836-22-0x00007FF9D60F0000-0x00007FF9D6A91000-memory.dmp

Filesize
9.6MB

Download
memory/2836-23-0x0000000000F10000-0x0000000000F18000-memory.dmp

Filesize
32KB

Download
memory/2836-50-0x00007FF9D60F0000-0x00007FF9D6A91000-memory.dmp

Filesize
9.6MB

Download
memory/3560-446-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3560-5396-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3560-6448-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3560-66-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads