ardamax | a8deb7b2ee86f8afc6dba0071c10d512145fb5d276c0e0188bb32338b047a33f

Analysis

max time kernel
144s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe
Size

1.5MB
MD5

8a357461a77deec8407c5128d0a92a75
SHA1

187c9875637849f4742feab5d0810146402b6f4a
SHA256

a8deb7b2ee86f8afc6dba0071c10d512145fb5d276c0e0188bb32338b047a33f
SHA512

e4348c621171d1bf43466dee69766017bccb66efddadf011b5ff497af801ff0660d2ee29aeed2cd76c7a900450fbdc1eb3c9a4c73e88e4d1b03ec0335020f235
SSDEEP

24576:IvgGV005SUW+WyB6oz+egVvJBabrSYFvXA14pSnzk/R5xya7oB:I7V0097CeOYFvwuIzk/RnyaC

Score

10^/10

ardamax defense_evasion discovery keylogger persistence spyware stealer upx

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000024266-55.dat	family_ardamax

ACProtect 1.3x - 1.4x DLL software 7 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002426a-74.dat	acprotect
behavioral2/memory/4816-87-0x0000000060220000-0x0000000060229000-memory.dmp	acprotect
behavioral2/memory/4816-79-0x0000000060220000-0x0000000060229000-memory.dmp	acprotect
behavioral2/files/0x0007000000024269-72.dat	acprotect
behavioral2/files/0x0007000000024268-70.dat	acprotect
behavioral2/files/0x0008000000024261-68.dat	acprotect
behavioral2/files/0x0007000000024267-66.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Control Panel\International\Geo\Nation	Install.exe

Executes dropped EXE 5 IoCs

pid	Process
1716	Install.exe
4156	rslite.exe
4816	FireFox.exe
5504	WQQB.exe
1236	WQQB.exe

Loads dropped DLL 12 IoCs

pid	Process
1716	Install.exe
4816	FireFox.exe
4816	FireFox.exe
4816	FireFox.exe
4816	FireFox.exe
4816	FireFox.exe
5504	WQQB.exe
5504	WQQB.exe
5504	WQQB.exe
1236	WQQB.exe
1236	WQQB.exe
1236	WQQB.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WQQB Agent = "C:\\Windows\\SysWOW64\\28463\\WQQB.exe"	WQQB.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	WQQB.exe
File created	C:\Windows\SysWOW64\28463\WQQB.001	Install.exe
File created	C:\Windows\SysWOW64\28463\WQQB.006	Install.exe
File created	C:\Windows\SysWOW64\28463\WQQB.007	Install.exe
File created	C:\Windows\SysWOW64\28463\WQQB.exe	Install.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002426a-74.dat	upx
behavioral2/memory/4816-86-0x0000000060210000-0x000000006021A000-memory.dmp	upx
behavioral2/memory/4816-88-0x0000000060260000-0x00000000602BF000-memory.dmp	upx
behavioral2/memory/4816-87-0x0000000060220000-0x0000000060229000-memory.dmp	upx
behavioral2/memory/4816-85-0x0000000060140000-0x000000006016D000-memory.dmp	upx
behavioral2/memory/4816-80-0x0000000060260000-0x00000000602BF000-memory.dmp	upx
behavioral2/memory/4816-79-0x0000000060220000-0x0000000060229000-memory.dmp	upx
behavioral2/memory/4816-78-0x0000000060210000-0x000000006021A000-memory.dmp	upx
behavioral2/memory/4816-77-0x0000000060140000-0x000000006016D000-memory.dmp	upx
behavioral2/memory/4816-76-0x0000000060170000-0x00000000601D7000-memory.dmp	upx
behavioral2/files/0x0007000000024269-72.dat	upx
behavioral2/files/0x0007000000024268-70.dat	upx
behavioral2/files/0x0008000000024261-68.dat	upx
behavioral2/files/0x0007000000024267-66.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FireFox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WQQB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WQQB.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\TypeLib\	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\TypeLib\ = "{1529DE4F-74FB-875E-8C30-561DF79F895E}"	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\FLAGS\	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\HELPDIR	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\HELPDIR\	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\TypeLib	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\Control\	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\ = "Microsoft Add-In Designer"	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\0	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\0\	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\FLAGS	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\Version\	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\InprocServer32	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\ProgID\ = "WorkspaceBrokerAx.WorkspaceBrokerAx.1"	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\0\win64\ = "c:\\Program Files\\Common Files\\DESIGNER\\MSADDNDR.OLB"	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\FLAGS\ = "0"	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\HELPDIR\ = "c:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA6\\"	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\Version	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\Version\ = "1.0"	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\VersionIndependentProgID\	WQQB.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\ = "Vezajoxre class"	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\0\win64	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\Programmable	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\Programmable\	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1529DE4F-74FB-875E-8C30-561DF79F895E}\1.0\0\win64\	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\VersionIndependentProgID	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\VersionIndependentProgID\ = "WorkspaceBrokerAx.WorkspaceBrokerAx"	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\Control	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\InprocServer32\	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\InprocServer32\ = "%SystemRoot%\\SysWow64\\wkspbrokerAx.dll"	WQQB.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\ProgID	WQQB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6113700-2C6A-43C4-BB9F-BB7F13034F4A}\ProgID\	WQQB.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5504	WQQB.exe
Token: SeIncBasePriorityPrivilege	5504	WQQB.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4864	javaw.exe
4864	javaw.exe
5504	WQQB.exe
5504	WQQB.exe
5504	WQQB.exe
5504	WQQB.exe
5504	WQQB.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 4864	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	89
PID 1536 wrote to memory of 4864	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	89
PID 1536 wrote to memory of 1716	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	90
PID 1536 wrote to memory of 1716	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	90
PID 1536 wrote to memory of 1716	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	90
PID 1536 wrote to memory of 4156	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	91
PID 1536 wrote to memory of 4156	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	91
PID 1536 wrote to memory of 4488	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	92
PID 1536 wrote to memory of 4488	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	92
PID 1536 wrote to memory of 4488	1536	JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe	92
PID 4156 wrote to memory of 4816	4156	rslite.exe	94
PID 4156 wrote to memory of 4816	4156	rslite.exe	94
PID 4156 wrote to memory of 4816	4156	rslite.exe	94
PID 1716 wrote to memory of 5504	1716	Install.exe	96
PID 1716 wrote to memory of 5504	1716	Install.exe	96
PID 1716 wrote to memory of 5504	1716	Install.exe	96
PID 3620 wrote to memory of 1236	3620	cmd.exe	100
PID 3620 wrote to memory of 1236	3620	cmd.exe	100
PID 3620 wrote to memory of 1236	3620	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a357461a77deec8407c5128d0a92a75.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\RSlite.jar"
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4864
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\28463\WQQB.exe
    "C:\Windows\system32\28463\WQQB.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5504
- C:\Users\Admin\AppData\Local\Temp\rslite.exe
  "C:\Users\Admin\AppData\Local\Temp\rslite.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Users\Admin\AppData\Local\Temp\FireFox.exe
    "C:\Users\Admin\AppData\Local\Temp\FireFox.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE >> NUL
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\28463\WQQB.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3620
- C:\Windows\SysWOW64\28463\WQQB.exe
  C:\Windows\SysWOW64\28463\WQQB.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8656.tmp

Filesize
4KB

MD5
b89311bdf4e6640cc9051e629476cbe4

SHA1
ced30235482232b045cd5d8004e8ead01b30f9ca

SHA256
db0e9d83d8a5309ae4ab4747ff6ce506a2f85b01a598caad697a69b3ddb557a1

SHA512
8e71c2238e23cd793feb061736d00f8aea0002f79e2632093529ed6242f9af2a99baa598d58c04bbc9c02715d7f18955ae88334e39caa2978e88904cf27911d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Firefox.exe

Filesize
80KB

MD5
867dc5e41ce5efcf6cb6503f9c097078

SHA1
89d08200c9f26d8435575bd3216ad3d2a1ea9ecf

SHA256
2b7e9ccc3ad34a02fe6c96ddacbf0b603c0a17f802444949a34f51baf2cad411

SHA512
ac322f9392f4677c56aee0be1864e74262e8afca8a361ccf146d4dee4283a4c0534505114f00c18d1ed5739608bfbeb746f48d8ecbabf3aa618b342c77f63da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
784KB

MD5
add8fb4285e81a9286ea724827ddb9ac

SHA1
6a22edb4d2788b8d5408fec01b9324def93508af

SHA256
d9269bb61b40e62cedb1207793cdef78d081d811f9493db42453c5a05ab63438

SHA512
ee887432ad8f8bc1f473e3f3aebb301006feda7510cc999c1839c41a5848e903f1b4e2922c06617f8580b47434a4f6f6723e62ddcb5369b0fd346341bf02c52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RSlite.jar

Filesize
3KB

MD5
1c08111b8b706b9ef3ec34a6c6850978

SHA1
b1c58d91eb79db46dbaa0e1e106276c7b7567575

SHA256
6de5b765de29e32f3a8d68c77e1651c69c43cecb66bc998ecd8dd43c6c128b2d

SHA512
9216a94a0425457ad4dbae455b19c9b981d7e2b37c96e3c33d8d59df0c67ee01bb7258ad381c533109b59e54d57a2a72bb02dcd4d75ba53234a4c8cab7e3d8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspr4.dll

Filesize
72KB

MD5
72414dfb0b112c664d2c8d1215674e09

SHA1
50a1e61309741e92fe3931d8eb606f8ada582c0a

SHA256
69e73fea2210adc2ae0837ac98b46980a09fe91c07f181a28fda195e2b9e6b71

SHA512
41428624573b4a191b33657ed9ad760b500c5640f3d62b758869a17857edc68f90bc10d7a5e720029519c0d49b5ca0fa8579743e80b200ef331e41efde1dc8c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
172KB

MD5
7ddbd64d87c94fd0b5914688093dd5c2

SHA1
d49d1f79efae8a5f58e6f713e43360117589efeb

SHA256
769703fb1ba6c95fb6c889e8a9baaea309e62d0f3ca444d01cc6b495c0f722d1

SHA512
60eaad58c3c4894f1673723eb28ddb42b681ff7aafe7a29ff8bf87a2da6595c16d1f8449096accdb89bd6cda6454eb90470e71dde7c5bd16abd0f80e115cfa2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\plc4.dll

Filesize
8KB

MD5
c73ec58b42e66443fafc03f3a84dcef9

SHA1
5e91f467fe853da2c437f887162bccc6fd9d9dbe

SHA256
2dc0171b83c406db6ec9389b438828246b282862d2b8bdf2f5b75aec932a69f7

SHA512
6318e831d8f38525e2e49b5a1661440cd8b1f3d2afc6813bb862c21d88d213c4675a8ec2a413b14fbdca896c63b65a7da6ec9595893b352ade8979e7e86a7fcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\plds4.dll

Filesize
6KB

MD5
ee44d5d780521816c906568a8798ed2f

SHA1
2da1b06d5de378cbfc7f2614a0f280f59f2b1224

SHA256
50b2735318233d6c87b6efccccc23a0e3216d2870c67f2f193cc1c83c7c879fc

SHA512
634a1cd2baaef29b4fe7c7583c04406bb2ea3a3c93294b31f621652844541e7c549da1a31619f657207327604c261976e15845571ee1efe5416f1b021d361da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rslite.exe

Filesize
512KB

MD5
e6b05ee7da021418dbac5b9613dbf4e6

SHA1
c9c8ca986cf1ba56b7dc78255fef354a0550a205

SHA256
e49376d01f073ccd67add0ab0c20b1553e57db86766217c52ebda535178725e7

SHA512
81a6b942dea4bcb5e819e6fa4167c21dbfa6f2474ce2f42c20aa1c926a2c1db0bf3adc77aeea7573b2287f8487acfb3229873432043c78f85c257db7284b9d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
155KB

MD5
e846285b19405b11c8f19c1ed0a57292

SHA1
2c20cf37394be48770cd6d396878a3ca70066fd0

SHA256
251f0094b6b6537df3d3ce7c2663726616f06cfb9b6de90efabd67de2179a477

SHA512
b622ff07ae2f77e886a93987a9a922e80032e9041ed41503f0e38abb8c344eb922d154ade29e52454d0a1ad31596c4085f4bd942e4412af9f0698183acd75db7

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
752e814c2a5d197b8065501e786683c9

SHA1
c7b5840ab79ec308d0aca9a8f07d59730b31ad99

SHA256
5b387c65f0c677d415a3ec75fc314ecf4825b85cc8316575267ece340810c3f7

SHA512
af4bad6716f4f57e776145eb68f64d31c0fb2146b02ccb3dcda1a864215b9aeaa80abd5314d999a0bef721185c62f38463da6caba1eb7eb95c86c22691c510bf

Download Submit
C:\Windows\SysWOW64\28463\WQQB.001

Filesize
576B

MD5
81dff282d1215030bc4a4bcb39ddcd6e

SHA1
2801577b9b2223357dc8af3ada8ad27a412498f3

SHA256
06c43706fc758bae4f462c5d00c1faacd064912fccebae4735c61d4abf4c79c4

SHA512
b457874006adc366b962d6891492e00198717523effb49fd57ff8f08b988f98aae6b39268cd8b9aef5194171f44814cc30cf7cbf4ef2eb65b22753bc4371230c

Download Submit
C:\Windows\SysWOW64\28463\WQQB.006

Filesize
8KB

MD5
911a5a213762001178a48b2ceefa1880

SHA1
de9b25ac58e893397ab9ad3331bd922bbd5043ae

SHA256
273375c7be87b6da793320ee25ea08967bf8cb43e6213e4af94955e565afabc9

SHA512
cc4f95dc64085033a6f5308d61bce83991a8949ec89513fa0428527b6c20f40bc4ce0b323da3020f405f29bf3fcf703722082247f591568d39e8e355543f04c9

Download Submit
C:\Windows\SysWOW64\28463\WQQB.007

Filesize
5KB

MD5
2183e6a435b000fc6e85b712513c3480

SHA1
c088b82494aaeca23a5acfaf83f55597bd0bdc6e

SHA256
9a1a58cea0b0cfe3479d29bb39b0a5af0ee75fbd94254529ad28f2e54aec30e5

SHA512
94ffbd46b10cf71ea59d3d44ceece691d7d50e8e111e330d44346f1e56e62d7a3b5c375917494fff89966d0ea5fc562d45b14b983269eba72b2831abce7a1afe

Download Submit
C:\Windows\SysWOW64\28463\WQQB.exe

Filesize
647KB

MD5
b314bd03990cf08f3ca04dd98ece3e9c

SHA1
760dca4682edbefb1bb8636bf1011207b763a7b0

SHA256
c6b1edc51c705e8f46ab7b2ddc03378e0f2bdcc4948578eff870aad6d421acd1

SHA512
b331dff33995e4e2c7e926cd4f0ea2d40da972924d05d28fe0db2f8de92d0cad5a48ce95819f7243c7efadce11d1ecf17e093c1a7bed9497520123c8715fa47a

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/1236-111-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1236-117-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4156-61-0x00007FF844F00000-0x00007FF8458A1000-memory.dmp

Filesize
9.6MB

Download
memory/4156-91-0x00007FF844F00000-0x00007FF8458A1000-memory.dmp

Filesize
9.6MB

Download
memory/4156-44-0x00007FF844F00000-0x00007FF8458A1000-memory.dmp

Filesize
9.6MB

Download
memory/4156-34-0x00007FF8451B5000-0x00007FF8451B6000-memory.dmp

Filesize
4KB

Download
memory/4816-77-0x0000000060140000-0x000000006016D000-memory.dmp

Filesize
180KB

Download
memory/4816-85-0x0000000060140000-0x000000006016D000-memory.dmp

Filesize
180KB

Download
memory/4816-76-0x0000000060170000-0x00000000601D7000-memory.dmp

Filesize
412KB

Download
memory/4816-78-0x0000000060210000-0x000000006021A000-memory.dmp

Filesize
40KB

Download
memory/4816-79-0x0000000060220000-0x0000000060229000-memory.dmp

Filesize
36KB

Download
memory/4816-86-0x0000000060210000-0x000000006021A000-memory.dmp

Filesize
40KB

Download
memory/4816-80-0x0000000060260000-0x00000000602BF000-memory.dmp

Filesize
380KB

Download
memory/4816-88-0x0000000060260000-0x00000000602BF000-memory.dmp

Filesize
380KB

Download
memory/4816-87-0x0000000060220000-0x0000000060229000-memory.dmp

Filesize
36KB

Download
memory/4864-101-0x00000177E77E0000-0x00000177E77E1000-memory.dmp

Filesize
4KB

Download
memory/4864-26-0x00000177E9240000-0x00000177E94B0000-memory.dmp

Filesize
2.4MB

Download
memory/4864-120-0x00000177E9240000-0x00000177E94B0000-memory.dmp

Filesize
2.4MB

Download
memory/4864-124-0x00000177E77E0000-0x00000177E77E1000-memory.dmp

Filesize
4KB

Download
memory/5504-75-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5504-122-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5504-143-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads