ardamax | 91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
18/03/2025, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454.exe
Size

600KB
MD5

788e554c0938109f4ec5cb40af7bd228
SHA1

62709ae17f8bdc45d5afae2fee3b954aed9005a0
SHA256

91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454
SHA512

93670d12a873650f94d5d55e09f51ceab2db50e18d1a217a4a0e938cc786cbaed1b534ee55bf92c95d46c45b6a226d37608aa6d820caa814b592f88a8c1ab027
SSDEEP

12288:fRhzupXfGlLO5MKsTDqtOotOBuI9NxpyLnZg:Zhz+ulKJS2PtmuSNxULZ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024300-60.dat	family_ardamax

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	ardamax.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 3 IoCs

pid	Process
1064	ardamax.EXE
5016	Install.exe
4372	RKYT.exe

Loads dropped DLL 4 IoCs

pid	Process
5016	Install.exe
4372	RKYT.exe
4372	RKYT.exe
4372	RKYT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RKYT Agent = "C:\\Windows\\SysWOW64\\28463\\RKYT.exe"	RKYT.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\RKYT.006	Install.exe
File created	C:\Windows\SysWOW64\28463\RKYT.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	RKYT.exe
File created	C:\Windows\SysWOW64\28463\RKYT.001	Install.exe
File created	C:\Windows\SysWOW64\28463\RKYT.007	Install.exe
File created	C:\Windows\SysWOW64\28463\RKYT.009	RKYT.exe
File opened for modification	C:\Windows\SysWOW64\28463\RKYT.009	RKYT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RKYT.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\HELPDIR	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\HELPDIR\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\TypeLib\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\InprocServer32	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\0\win32\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\FLAGS\ = "2"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\InprocServer32\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\Programmable	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\FLAGS	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\FLAGS\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\TypeLib\ = "{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}"	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\Version	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\Version\ = "1.0"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\InprocServer32\ = "C:\\Windows\\SysWOW64\\Microsoft.Uev.Office2013CustomActions.dll"	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\ProgID	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\Programmable\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\ = "Kijiloce Kigedex Object"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\ProgID\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\0	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\VersionIndependentProgID	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\0\win32	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\VersionIndependentProgID\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\VersionIndependentProgID\ = "Uev.Outlook2013SignaturesProgId"	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\ = "Disk Management Snap-In Object Library"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\dmview.ocx"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\Version\	RKYT.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	firefox.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\ProgID\ = "Uev.Outlook2013SignaturesProgId.1"	RKYT.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{05EF7F9E-EBB3-BDB7-E359-9F31113E539F}\1.0\0\	RKYT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{37042B26-7D9A-46CB-638E-29C52E58BA9B}\TypeLib	RKYT.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4092	firefox.exe
Token: SeDebugPrivilege	4092	firefox.exe
Token: 33	4372	RKYT.exe
Token: SeIncBasePriorityPrivilege	4372	RKYT.exe
Token: SeDebugPrivilege	4092	firefox.exe
Token: SeDebugPrivilege	4092	firefox.exe
Token: SeDebugPrivilege	4092	firefox.exe

Suspicious use of FindShellTrayWindow 17 IoCs

pid	Process
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe
4092	firefox.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4092	firefox.exe
4372	RKYT.exe
4372	RKYT.exe
4372	RKYT.exe
4372	RKYT.exe
4372	RKYT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5444 wrote to memory of 864	5444	91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454.exe	88
PID 5444 wrote to memory of 864	5444	91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454.exe	88
PID 5444 wrote to memory of 1064	5444	91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454.exe	90
PID 5444 wrote to memory of 1064	5444	91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454.exe	90
PID 864 wrote to memory of 3984	864	cmd.exe	91
PID 864 wrote to memory of 3984	864	cmd.exe	91
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 3984 wrote to memory of 4092	3984	firefox.exe	94
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 4092 wrote to memory of 4760	4092	firefox.exe	95
PID 1064 wrote to memory of 5016	1064	ardamax.EXE	96
PID 1064 wrote to memory of 5016	1064	ardamax.EXE	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454.exe
"C:\Users\Admin\AppData\Local\Temp\91c0ed616170401a29cd6fa0a59d0aede1d39d38ed1ce8485a6e6f5789da6454.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5444
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\run.bat" "
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      4⤵
      Drops desktop.ini file(s)
      Checks processor information in registry
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4092
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2012 -prefsLen 27099 -prefMapHandle 2032 -prefMapSize 270279 -ipcHandle 2096 -initialChannelId {41a31c87-c180-4cfc-aa85-c1d499acc057} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
        5⤵
        
        PID:4760
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2472 -prefsLen 27135 -prefMapHandle 2476 -prefMapSize 270279 -ipcHandle 2488 -initialChannelId {63f96f62-b356-4a8a-8487-1f7f43794797} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
        5⤵
        
        PID:4780
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3868 -prefsLen 27276 -prefMapHandle 3872 -prefMapSize 270279 -jsInitHandle 3876 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3884 -initialChannelId {5a40aa22-1e89-49f3-ae0e-f2c56f5ad773} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
        5⤵
        Checks processor information in registry
        
        PID:5884
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4044 -prefsLen 27276 -prefMapHandle 4048 -prefMapSize 270279 -ipcHandle 4056 -initialChannelId {531d1768-6ddd-4e2e-b360-ed5737a7671b} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
        5⤵
        
        PID:508
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2908 -prefsLen 34775 -prefMapHandle 2912 -prefMapSize 270279 -jsInitHandle 3512 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3728 -initialChannelId {fb638598-e3ca-48bf-83f9-0412a40482e2} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
        5⤵
        Checks processor information in registry
        
        PID:4116
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4836 -prefsLen 34824 -prefMapHandle 4848 -prefMapSize 270279 -ipcHandle 4860 -initialChannelId {9090fe8a-2c17-49ec-842e-cf8cee3a8c05} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
        5⤵
        Checks processor information in registry
        
        PID:2640
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5312 -prefsLen 32952 -prefMapHandle 5316 -prefMapSize 270279 -jsInitHandle 5320 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2660 -initialChannelId {ba8e8e86-acdc-4267-bc87-e289db4f2e1e} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
        5⤵
        Checks processor information in registry
        
        PID:2092
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5480 -prefsLen 32952 -prefMapHandle 5484 -prefMapSize 270279 -jsInitHandle 5488 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5000 -initialChannelId {1a3503b6-a3a8-40e3-b79e-2cf376114637} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
        5⤵
        Checks processor information in registry
        
        PID:5772
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5648 -prefsLen 32952 -prefMapHandle 5652 -prefMapSize 270279 -jsInitHandle 5656 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5284 -initialChannelId {4da62c33-7579-491a-81a5-580786f3c483} -parentPid 4092 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4092" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
        5⤵
        Checks processor information in registry
        
        PID:3676
- C:\Users\Admin\AppData\Local\Temp\ardamax.EXE
  "C:\Users\Admin\AppData\Local\Temp\ardamax.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Users\Admin\AppData\Local\Temp\Install.exe
    "C:\Users\Admin\AppData\Local\Temp\Install.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID:5016
  - - C:\Windows\SysWOW64\28463\RKYT.exe
      "C:\Windows\system32\28463\RKYT.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3xhpu52e.default-release\activity-stream.discovery_stream.json

Filesize
24KB

MD5
f4ec08111aacfb47ae2ccad364308f40

SHA1
33d1124274da52b8c74bd912ef0dfe18ae187c92

SHA256
98328859d491c92eb55d972eb6a9284988013ef32768e31970543af3aaafb2e5

SHA512
f59c18886174dcc45e125ab2adb1915836717604d6532d00bc9662b01a9142c6c420ba6fbd53f4f2081ebef3e9142839e33ca03d239e5551baa7dbd41558a426

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3xhpu52e.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
6d85ab30b2e88a331874c8cda24c9abb

SHA1
00c40ef5b105e1aa2fff7718f380e3019531a3d1

SHA256
7e858556e0dfe8c917a768c561d464eae2ff81909d71d6192d3e9df2eae90737

SHA512
ad707e981ef10847540199efb65b33aa0fcfd6ed1e225acb1e6452502fc358a437bff08908ef8a18163064841ee79253646585ad8b7da03e60c7bf5ea42f98f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\@9C30.tmp

Filesize
4KB

MD5
f1cf9fcbddeadabb738de497ffefdced

SHA1
7385a7c87e245da89cc5ef8f9295678c1566f25d

SHA256
086083bc73b14286f9c3c29df8b8dc6f014d8b084267fbaeee0af56344d1f779

SHA512
3a3b9d279b4c131ef3f358e0163f60ec9e60160a2cc45488adb915fea6642f3df5d35da2ccb6983d790401d237fbc808829f42c42ef958e7a0eac98fc33bb3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
566KB

MD5
41dc0fc1fff90a9d5d28f64da7f5b4f4

SHA1
03fb38cfec8e4cb088c9f2d3edb08afbf5c08f3d

SHA256
9c8ad7d35fa160b6254c62c99487e9d846c7da0e7d4900c7c6b707294aed4eaf

SHA512
29b816459333dfe4b269ee16eb6f11c622e0b10959f2431a7d14efe3861e24acf546e955736a1554404050bf1adc34abdd25ea178ae3a16c836aa8004db11377

Download Submit
C:\Users\Admin\AppData\Local\Temp\ardamax.EXE

Filesize
581KB

MD5
3a19cabf65e0f578e8bb61e2579017f6

SHA1
c12f4dfe9f4082ddd5b321a70a70e2eeeeeaa2eb

SHA256
3e26364fc5c4799e494eeab424fa632c4a7a629819e1582dd931fe08f9e43998

SHA512
6759f73b0462f6be26051dcbb4e78b8f13f5b3da74145aa0ac9fa05d85d1ae5c626ee4d06bdb99d48b26c772a32dce13cd20be15c3e712e703d47eee795d6f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff7c2ece-1725-46ad-98ce-6c6017a19518.zip

Filesize
3.6MB

MD5
8f0ac7253f77aa16992f71633fd14a81

SHA1
1d52e3fbcdeb0f224cf2d3f0713803dc31486ee2

SHA256
fe3b34e1b42d481a880f114fc6abdb6bf7bf19020f3d41bf1125ae6deb69bcf6

SHA512
426a1c0c4e4a8f4c4040af099563c369230a25325383c2a62bbe5b8598e580d05d71b29684ffce954d17c93049226ac64f077b349e12372b1815ecef1bbd3bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\run.bat

Filesize
23B

MD5
234dbc908f632fc9fed55bd63e19e1f5

SHA1
39e7adf222e3eff34d33f65bbd56399aaeede7a7

SHA256
b110b65a0722a06873690dba696b25dd321365313c6f0e2db908d6544c8c5f98

SHA512
b4d32a3da8f1e9bd245303607b59df9eea19cc8776587defbac9384783004b150f2adad49e9ca369e643a64de7b747e276fef9486dd8ee1f3e263bb4e1521493

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\AlternateServices.bin

Filesize
7KB

MD5
ec948897acae9d9e0863e6c6f365a4bc

SHA1
e86a64d542115e26f83275c681801a3bf837260e

SHA256
e79c0d556ad1459a0c94ead4cca88a79fd03020c0d2f6f900cc930e69825d347

SHA512
0867a03563939d7846386e317aa7947a11256aee04a9708a3f6e90ff84508abe9554188c6b75ceae4a576ca7ddc7cc732d2ecd5cfac146cc7cc4c381f0d43988

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e7fea42bec77771016f77659c8433c21

SHA1
67a0deb3f681ffbbd47e89d2dfbd108bcc1b9bd8

SHA256
6a701899b77e3468814a0735a14981cafa5237e29506a3fb10c68efafe89ace8

SHA512
d41e2c75ca26bb0f062dfbb3dbe67dcae96da3f83b87316109819fb47ea2b7c0f6343e06cee1636044d04bca23ce02995a611d18f7aaa372f18221cb80ab232b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
aee24cdaaff85045f5a977a1d8b499f4

SHA1
91060261c742e8413939f429cbd9cdfecb7742ca

SHA256
ba12040087a30984a8a549f5f6d84be0336691c274dc9f04159d2e221b9736bf

SHA512
f089cd575a9999f100257288a0b5cf6d8b2e866a0b1fcbbdfecea642e871ca5379cf92a9dd882c2b115f2789032c4ead1b3050901d2c293673f3e315087f39fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
64f34e2bd482136d28e1c86da66ab0e2

SHA1
4a9897c4d7d2f1f8e374de3a4f87a8c014cb0555

SHA256
78dd44fbde4a4eb469c9ae05fbf497030dae6f3421131da1527ddd10fba76736

SHA512
5932c7b1cffe2710b0507e1a73eb4fce1555b289f3e7a1a22dcfb164bd04e7d86464234a43ae865f0826350d71d010fdcaf1f447fc20994055871267b358b1fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
122fe5904bf908162651ebe4b40860d2

SHA1
f8a55824866120c9226aeef29aa7dd0142f1c270

SHA256
7a4a29fed73d90da4c83465018b48f40c022a09fbfd7f6e29eca684d5a80c178

SHA512
49fc01bb5e43e65c18d618d7dabaf37318bcd696cf0d535feb734cb74d4cf29e868f672cdfda5877bf270ec3cdc66bbc147855ed18c858267deaf8d56449a061

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
7c12ba27ab0121984135b7ea8cc3172a

SHA1
64353b27a47a2012db0fdb81150171f1b4ea06d4

SHA256
5bc359b527bee21439a34ea341b474a19c09c97cf3566d6dfc1204ef6b2bf79d

SHA512
6d683393ebbf767723a8808bc4e4ca84178e4caeccdb0e2e4cc471f879f500181eac62c2fa2e9b48e0917a1276486312cfcf8dc2077383f6895b373b0e7f58d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\611ccffc-6dfe-4a93-af94-3610bc7ca17d

Filesize
235B

MD5
064bc63e02598a364f395741ea47cfa7

SHA1
69720491054efec92aba002ddf04c177edcfb774

SHA256
9f2fa393cc7683769cf50154ce7083a4281101b6589b43126d270aa32e21a71c

SHA512
d7da49b4215da613accf8addcc7dbdf31adf1ab92d032293d9bdb684f57607caab581e80a0ba81e255034c1ea30c1cbedd8691b51ab818270314bd9d65a772d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\66a59081-5ae6-47fd-a52f-1230eb14fd11

Filesize
235B

MD5
b251a07595f5fcf8b187752ac4fec139

SHA1
fb2dc731412f5b2590e0ec1af5cf038047ca51a1

SHA256
0a8a4a14370c0262085d74e1b886eb5c13c65a4a53e042d4b6b2108eca704461

SHA512
6bd9d3bc7e64246f2b308129c3583a8ed50209bb6e42d9e932343c12f102435b517a95a245ebf0e5aef8a45492c92895ee3002030ed92e5f587fdfd9e2fa5770

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\95dfaa16-95bb-45d9-af5d-008cbef992ee

Filesize
883B

MD5
976a3a4e7c5d5fc5801600a3bd104120

SHA1
8e74a7cd3b9bcb758d269f22a9739ebbf75a9ecc

SHA256
678f810a7a3f4a51c819fa146e59d9229d2904d6443b9d698d7fef80bd1ae17f

SHA512
1e8b558a56ae474bd282735706834dfd3b7e206a777f8c6ecb3b9d2912cd90992a085ac904fad39e2629abb4bd7cb63b84e03a7b1952c882ca7b05fafee1cefc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\97b2fcfe-0309-41c1-8577-1b2a39f976bf

Filesize
16KB

MD5
4eaace681ae448ac0cc98249f4e045a1

SHA1
ea9d3ce5b0f14b4842eb39775a1ba4e54a59a103

SHA256
b0f453813116c330ad21cff0bf84608b89e5af4b9469f018e28dae683aa2da7c

SHA512
ae0bae2da3799f1f412718fb351fd6826ecfd508f2f2929d7172f40cae13d8d639a43b3e6fa3f48e81a2f411896e13f154ee28eda5b8af8678e0950ef9748d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\ba3c9c64-bcd7-4444-a0cd-0b54153f36f0

Filesize
886B

MD5
7b59154ff779a72275db9fdd64f3706c

SHA1
945e343c351425aee04963383072d0638e8d2df7

SHA256
c1ba91297de0d34fbd0c5db8d357b8d751763e4bafa7200fdeaac48f38c420f9

SHA512
e3f6dcf843c6fd8458fbb8ca5475ee1b0c90f3247d144bc5ce00134ef88ad999bc1366ad724198e04428dcfd796ccb25e9d70af5880e957e9687b9ea5ad0bf4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\datareporting\glean\pending_pings\d8584374-a8ee-4f6f-8128-7bda83a88918

Filesize
2KB

MD5
f5e8328ab3c76e153a198553944cb712

SHA1
663c60e6ce4cd9dc08d23a101cb1d77a6889bf75

SHA256
877b77e60fd901be15cff908beaf289ed8b8c85004fd0b656f5c5295dc983faf

SHA512
84ddb64de6a6a097659c4fb64cd6a9e6634054a233e439a17170bf0a8a5647ae826c81ab36a9aa75b095474cd040950fa69f52875ee4f89935684e3e695cabbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-widevinecdm\4.10.2830.0\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\gmp-widevinecdm\4.10.2830.0\widevinecdm.dll

Filesize
18.3MB

MD5
9d76604a452d6fdad3cdad64dbdd68a1

SHA1
dc7e98ad3cf8d7be84f6b3074158b7196356675b

SHA256
eb98fa2cfe142976b33fc3e15cf38a391f079e01cf61a82577b15107a98dea02

SHA512
edd0c26c0b1323344eb89f315876e9deb460817fc7c52faedadad34732797dad0d73906f63f832e7c877a37db4b2907c071748edfad81ea4009685385e9e9137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs-1.js

Filesize
8KB

MD5
9f514bab4368898a1fa6aaf6a689e86f

SHA1
75419489bbd948f652db227e20c2336eb9c09296

SHA256
b5727bbacbff46ea732c815bbc88c8758de4a95665fd583e81512c1a9ca49bf7

SHA512
c347f84a74d53a9611cc5f797e929c08f82bf4c0df208a2378ad994acccca2a20c332d596c23682fb9d5fe5de443ee22d6c113e8a6909f902580310c83e0fc88

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs-1.js

Filesize
11KB

MD5
74a5ddac666030fd540d60d0944f9bdc

SHA1
43ba11c0a755a0ce261ec73f7a7b8f3c879855c1

SHA256
7d816ba3b57d2d500a0fe5b7b65bff0036cec0d87053910ff77ed7fceb7d34c2

SHA512
de68858f21cdf8b2bc109a8b7443387c3d25fe806a9745b0305eeadc0942741166c30c824eafec7d99165a5a2b632f8afafe497a5c811aea3f095d9ef915eacb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs-1.js

Filesize
6KB

MD5
9ecb875b683aa9797befad5bc73727e2

SHA1
5020fa15c564439d369875d387f39c465ade2433

SHA256
27dbf119a4eb7f935b656c7d18473c853b23abc6c5bc6328519cc9e6f73346e1

SHA512
27739025e5538d200c5617ba33b9fe64e20c29474088bdc8397f1f5f310d4f1bfe0ba1a4508ab06619051200035607981d560c34ccae40bece90e673e6b4d80e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs.js

Filesize
6KB

MD5
9b8b425c101576f2bc9168d05687bcd1

SHA1
02444d80ef6633ed2444dff4c509da6aa8a8ad56

SHA256
c72f8f04cd3c956798351686ae0b7be9044adfa940f1c17fdf7d9c3b8292da18

SHA512
ef1ec191e305c179251f259a0052e55e618103cd99a5cdb6b2e03d767faf2e0057476c9feb380324f8aa6510174bc60bc5417ba05ffaec0cb1d9ce1a6bb69d00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\prefs.js

Filesize
6KB

MD5
02d138ecdb6f3989b99f46beb06d2b38

SHA1
8749e630f77cc4b63cd813049301817d1161cd3f

SHA256
cf7fc55bc936224ffd9f9ae5c72c41684f60397773dc9384cb93feea871e69c0

SHA512
cd4b9bbc4a0e553d64915b8091a6265a3b820ffa518b416ab08b8df465aa879696f25a2a543d2504aa407f4acc145ea1175385fd0e68a152291d8f540e3d408d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3xhpu52e.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
3ed32ce219bac076137ca4e8d15175b1

SHA1
cf730a788f495d861ff8aa0050f4c97798071a1d

SHA256
14cba79e271f89b80582491b76d798a495579d2434983f391537e4b693cc0034

SHA512
3f288a92e623abe503301a26a5b9667970ce040e1a2130b7eeeb852801de660ac6263beba0c1fa190ea8a210a7be19ec9773ffc9b32ba5e353b28722ae4ed4da

Download Submit
C:\Windows\SysWOW64\28463\RKYT.001

Filesize
374B

MD5
2e33a26777c1717ee92cc27e6f1c3979

SHA1
dbe6ecd86d9887415e7793e22cf5aefd606cfb7e

SHA256
035eff176236050769524579965c1781280b61e78278ee45bb1962737bfcab32

SHA512
76e6f99566288f4737c2122935bfaf13560406e8400cd372b4f1000d789d7834be5ae2aec0305a5436266945d9546a6dca342923ba1ffabdbe4ddc6a3f6ba342

Download Submit
C:\Windows\SysWOW64\28463\RKYT.006

Filesize
8KB

MD5
31854a50b294dd312eb7fa9eb1c99537

SHA1
e0b1682a001e15d0e0e1c1ca732cafb5c80b3160

SHA256
2fe2d55aae2deef38a37c9679d74ecf05699d6919760794f69583b43b7fe308c

SHA512
0482a4981ba242d4e931bd8b9eb5d606492cffb7609fb69fb349ed19c7a9e36a7e240e5ebe759505d253c5e72fb771612a76419c36fb035987a166569a5111c2

Download Submit
C:\Windows\SysWOW64\28463\RKYT.007

Filesize
5KB

MD5
603451f504bedb28c3a7bae4c89abf24

SHA1
cbfe12186b54663f60663c349739c7a49950c44e

SHA256
e4d6577ea390274308877284b6d0cd6672aeb0e76c9c9847ac59c0964f050d13

SHA512
136e28e288b3ce26b37c82b078a3440e3232c0f874d7d33e8e6fb6eadfd0024b9009448500c716523b81f142fa3bebf7d11f1dd3e8e6143867b06335eb5f9612

Download Submit
C:\Windows\SysWOW64\28463\RKYT.exe

Filesize
648KB

MD5
ce568bcaf7285124f764aff92f5079d4

SHA1
886f698e2239cf615f12b503853a5fa28c53aefc

SHA256
59d7d6de8a9e2d5535703d22c36888889530fd011d7f71cf034e93e36e7527af

SHA512
9f6e3496930cb5dd9c9403acc865bc94f63f64af49a27ffeedbc9d9082d50bff4a7a772bb98d4a2719f0ecae144393de9cc273ba83ae00abe347b0be0d7c9866

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/1064-25-0x000000001BF20000-0x000000001BF6C000-memory.dmp

Filesize
304KB

Download
memory/1064-20-0x000000001BDC0000-0x000000001BE5C000-memory.dmp

Filesize
624KB

Download
memory/1064-22-0x00007FF888850000-0x00007FF8891F1000-memory.dmp

Filesize
9.6MB

Download
memory/1064-23-0x0000000000C60000-0x0000000000C68000-memory.dmp

Filesize
32KB

Download
memory/1064-21-0x00007FF888850000-0x00007FF8891F1000-memory.dmp

Filesize
9.6MB

Download
memory/1064-19-0x000000001B850000-0x000000001BD1E000-memory.dmp

Filesize
4.8MB

Download
memory/1064-17-0x000000001B2D0000-0x000000001B376000-memory.dmp

Filesize
664KB

Download
memory/1064-52-0x00007FF888850000-0x00007FF8891F1000-memory.dmp

Filesize
9.6MB

Download
memory/1064-18-0x00007FF888850000-0x00007FF8891F1000-memory.dmp

Filesize
9.6MB

Download
memory/4372-417-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4372-68-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4372-6248-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5444-56-0x00007FF888850000-0x00007FF8891F1000-memory.dmp

Filesize
9.6MB

Download
memory/5444-0-0x00007FF888B05000-0x00007FF888B06000-memory.dmp

Filesize
4KB

Download
memory/5444-3-0x00007FF888850000-0x00007FF8891F1000-memory.dmp

Filesize
9.6MB

Download
memory/5444-1-0x00007FF888850000-0x00007FF8891F1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads