ardamax | 554b6a36340629ea467d107f679e87226f42435e26f49f327a2faee2fdf859dd

Analysis

max time kernel
144s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 00:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
Size

2.1MB
MD5

db85cb238e72f409ce425e6f7084c41e
SHA1

2104a6002bc2ab0b71922c6336e979f85a123265
SHA256

554b6a36340629ea467d107f679e87226f42435e26f49f327a2faee2fdf859dd
SHA512

5f967dc5b121decda46ba5d3bb6e39265f4f13ac5b34f96603874783494c5e32bc50e293c05f10948faeb11763cbe2edecf6d0ac7a8283fc58d88995ce869381
SSDEEP

49152:/XTG77pd3I7UCAVw6WPijpyhwq+VWgzuABzbreCYXIT14Eso:CFFIYHGlUAwLlnT

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
googlebr.freehostia.com
Port:
21
Username:
alafon3
Password:
2989679

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000018725-6.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2208	FNM.exe
2844	full_akl 3.7.exe

Loads dropped DLL 8 IoCs

pid	Process
2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
2208	FNM.exe
2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
2844	full_akl 3.7.exe
2844	full_akl 3.7.exe
2844	full_akl 3.7.exe
2652	IEXPLORE.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FNM Start = "C:\\Windows\\SysWOW64\\DFTIWT\\FNM.exe"	FNM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\DFTIWT\FNM.001	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DFTIWT\FNM.002	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DFTIWT\FNM.exe	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DFTIWT\Web_Sep_12_2024__00_49_18.html	FNM.exe
File created	C:\Windows\SysWOW64\DFTIWT\FNM.004	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\DFTIWT\AKV.exe	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\DFTIWT\	FNM.exe
File created	C:\Windows\SysWOW64\DFTIWT\FNM.006	FNM.exe
File opened for modification	C:\Windows\SysWOW64\DFTIWT\FNM.006	FNM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FNM.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	full_akl 3.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000018ab4-19.dat	nsis_installer_1
behavioral1/files/0x0008000000018ab4-19.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D5968341-70A0-11EF-A7B5-EAF82BEC9AF0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0026f0aaad04db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000fd0ae79d287941b0e8b23a47d858f36c8776a27118ef5cc0ad0cdbc0f5888736000000000e8000000002000020000000f3a7ec032d27fa89071754cb7854aefe76de22175f34fc8bce6bfc8f5baa1ead900000006d3026aaa773bc6b8bb9517d25f2d1757fedd0d4340f8f4fef4aa844e12eec51da142fe96a4c7b82b6c4360581c6f3412bd0aecf66ce5f4718b20bbf53763691694365a8416e96f507eb4cbed2ac0e831ab0fb8cf8fdfc961bcd32495d05481f3a98c70683f74cd3d37634ff296c5dd5fca06cba09730f3a4a5ce3c8ce642dcd3a5b7f377dbb34833a0a979138712691400000007935387de9ae459f83fe32f888e1d0f52995050fadca3d78dbc7e0a8d01a49795a0f6764ee22b5bb646f187d697b5b473e2e99e4419b18408717ad3d66e5eba0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b0000000002000000000010660000000100002000000084f117a2c363418a2d99ad311aa8c824e2ddff0a2660aad135f061fcd1c8564f000000000e80000000020000200000001d2add06875835b3d2785ccf8b9433ecc8ec5cfd9cbe2b127e44a9e1d70b3c8a200000008407d61e02f4784a6612aa86317e03768ee909695bbdf9b4bffcc875f1a6640240000000c3b23f8ceac0ae92b893fe61833026b5688c4aaca9f0c5d3beec6ea9a8fb687c1723d1182ecf22a01f5809b4420ecf59b1d5b923950bfec303e76ec85570418c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432264025"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2208	FNM.exe
Token: SeIncBasePriorityPrivilege	2208	FNM.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2628	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2208	FNM.exe
2208	FNM.exe
2208	FNM.exe
2208	FNM.exe
2628	iexplore.exe
2628	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2208	2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2208	2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2208	2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2208	2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe	30
PID 2220 wrote to memory of 2844	2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2844	2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2844	2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe	31
PID 2220 wrote to memory of 2844	2220	db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe	31
PID 2844 wrote to memory of 2628	2844	full_akl 3.7.exe	32
PID 2844 wrote to memory of 2628	2844	full_akl 3.7.exe	32
PID 2844 wrote to memory of 2628	2844	full_akl 3.7.exe	32
PID 2844 wrote to memory of 2628	2844	full_akl 3.7.exe	32
PID 2628 wrote to memory of 2652	2628	iexplore.exe	33
PID 2628 wrote to memory of 2652	2628	iexplore.exe	33
PID 2628 wrote to memory of 2652	2628	iexplore.exe	33
PID 2628 wrote to memory of 2652	2628	iexplore.exe	33

C:\Users\Admin\AppData\Local\Temp\db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db85cb238e72f409ce425e6f7084c41e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\DFTIWT\FNM.exe
  "C:\Windows\system32\DFTIWT\FNM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\full_akl 3.7.exe
  "C:\Users\Admin\AppData\Local\Temp\full_akl 3.7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ardamax.com/keylogger/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2628 CREDAT:275457 /prefetch:2
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1f76d75e3351b90de1fac2b2d016d01

SHA1
156e1835aca19952f997c3d5922298d7d0ac946b

SHA256
357740e3946a9729881e9a2882a551289489057ef4b4ea6bc9120c7dc9dc3e6f

SHA512
719663e7f51e524f4ba82a485dd404bddf5e6d0cf6af1eaec7794652c748c9404a4a1039ddfe1fcceda87a5c2e069cb2eed29ac0ecf11046e975954e12414aa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96113f3902edb74f285ca12e1a99a272

SHA1
12dead3d861ab1625ff32c64b8a0bb256f895bca

SHA256
75350e0469b28a5b20be7c408d7c8cabadd35eda00769472061592c0f7b8254c

SHA512
890842e18bb481222451f9a2efba4516284f206ef85db8a29600ed69ea83f427ea4fbc3a86ef0dc38225896ef90d93ba9bba8810e38a36a34bb2480dc468850d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc38ac9b0960cd4eb2e03eb8e6ec4637

SHA1
ba5cd0449d199c272d1a77d9333a40ddbf8e6a17

SHA256
26354b07336b5e89886b0a8ea5527e1edcc314fd05767401ab5fbf3f312649c7

SHA512
92ba8ff492e8e6ed7050d4273a172c234aed8d4860ff18b6a0b0e1add7208dba3c2e3ad5ce71fc65c5ed6e67734e3e7f24426a2da53d1d56a623441a44862216

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2636616c8b073f56cba2dbf3aaccc438

SHA1
4445a2031f990961475682ccfee0e1a28b4aea33

SHA256
a952071a64353ab8d82558b3fbcb98e4c793e19bb2799fbeb83088c4f9aad2c0

SHA512
5312dc2225ac6656ad15ede0af5b6668e644de3b9e65bbfd82e557467ad542a2fd2c33b0008bc2375c330c9ca0ec3d799939ca3b22cbe947de80a15c07088236

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b47393c8842dd0cc8235f75ef8d64ff9

SHA1
fff4ecd9494488829ab3eb526d6a3dbe301a029f

SHA256
b6dc6e6dd8fff3bb259691731dc1fa6e842b3df9e0cd7c670499f283671b630d

SHA512
42b5cf418586c01dcd51c03d3cc3a189592aae55e923a32fe3ab16769d823921fe5607c06823d9d1bfd4937f61008c63af3c6c5cd735b03fa1c56d95c36b2459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af60690e385f3f02c569f5fdcb502880

SHA1
a515e2dcdd69d1da35a316713bf99f9661efef0a

SHA256
97db19ed39f3d3465d398e983b37411b9e0f72dfd4923f6a0d0bd6c342fc0246

SHA512
9e80b460b5e264daec9db3ce1029ab0fed996e797bf77d0ae64f5087855893587e70e4635f5a89d107b389026d23b90af27340eda87b5a1167b0a93ba6d71b62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0630b43491d3d1f249c0c0fc1bfd80f

SHA1
cc10c2fb491541051d33f9384a73b2679d3e49f9

SHA256
88ce09330b039b868d69cdf95cf61e58936fc81b6723336716780a8ce1ab3d6a

SHA512
0dad9d6391cb4212813eb451281128863bbcaa38eac7f2740f3c5ffb9af3d80f34c74a79538c6e86ef3e024e4fc381c830485764f045cb8bdaf76eee5526bb81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f53cbfea24423bbb1959a2d12608c8c2

SHA1
ec11c2b22b1df9893d688ed8b920499476789ae9

SHA256
62c042cf1524ded6084a618a18a80fb9e93cd8b6ea2ca11199edde9860667e38

SHA512
58db1a80663c17ae0d0925390f33fb3240351284d5613d4e93a9f7497fee74ff1e2aaff984eb1e657ccfcd22cf9a8b7c04a98d4a7b60e354a28bac4478dee419

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c0b95242378fc9d14b902e5329639b4

SHA1
f5a65f90c67a4f9cd1a1afe480f95936390a929a

SHA256
3a9894a4dcb466ac37cfb66ef97722d1f5fd289f681a3eecd86d7ff85de17dd4

SHA512
5d1153e67bfe63d8514e234511691640a4379c35d722268ace683385a7200ae2db4746919dae9b76dbd38465b9f252d65c1db065c15cf72ee39114bb5771b731

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25e725065ef5554344f1daaa5d6d0fa2

SHA1
c671d96f3a83f7dd5c5b5b6e7ff000a273894ccc

SHA256
9f4748248ac9427de6c2df79c308826ba5a892f6c0507e9d97f813be02e19328

SHA512
c54a9166e96204f2b8cbf3cb59ad188ee2ce8c8f4fb2a9573da3db0bf60283aa93fd6d0d38beef569cdb2cbc5c76445ac9debbcbad92e0c7a09f1b65f902ecce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6943d028970fb6bda49e1db883a07d6

SHA1
1f10dc956a9ae332d821cf10ce67824c97488dab

SHA256
e5e563002673e28dac1ded3afd61c10faf3efafa6d3952f9dc23ab208bd85e27

SHA512
369c03762c513482a3625db6b0f8113b4e6a9dd957d73fe4f889b91e253eee6636e8b788337f08777495e96283ec70b2c60dc5abfc1cf754625557e8db96f607

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d9db6512b42ce76cbe5e367e0565083

SHA1
c15356ccb9bc05aca98d3479d7920c2267dfe1cc

SHA256
e1239c93f7acb5e54d9f106f97adb70b3acce3c17f8cecd47b7443d51161a471

SHA512
baefa13da2c4d1f445db460e577ebe7408bc2d3f37bdd638b52c4d9341633edec8f47adb283e86cf91aeb2219e3f9c41c5b56b7ad42cdec354dd174846e2b179

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14c9fd8d2ef1ebb37ddb91a5b43c3ed2

SHA1
4d0275b3e0fcf74b8c4a82ed4acee82f0c817c8a

SHA256
e81bc35e5e493c24d07e833682d1667f20ba0f83204d0c3ba34fa7580d408393

SHA512
a17366182e210c04a0d88d26a8b35da7ffa98d78fe0c4afc9178045ef557f8dfed6874d80c8769ee5ca9563b2c1d1a5e2633ad64894be6efc5f6be90a4db4396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bb410d0382e7063a81f32adc059c317

SHA1
db788e1836177bb1615b7c9de167eaf1ddebf78f

SHA256
acea5e17284158bfd6852c37e7bc4f241d284be69f188eb6c170280f23a3d1ed

SHA512
16c44eb9582f16b490b176c2ac5eff8e644cfe231b54245cf59d90befec8d232effe5f9f30ec63231a1c7275a6950018320b5c34976d27fc2a639b483fc84bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8bbf744a77840448fae981c92a7b042

SHA1
78616ad1972e8ca16e2ab547491fdb8ae285ee7e

SHA256
f19bb78d80011ef8a6a62a02b9527b4ed96ea2e8b3e6d3065bf6ba72157e388a

SHA512
0f7f6f6a39801df8ef656136e97b68932c8f0220ec063f79bdfaef95943713642aa57160a1764bc3309a428226c3f055f660574d6a7dcb58af2bb5c74ff9b7b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2525d62b83ba4a0d9b7589566441a825

SHA1
dbd540ae1ae1fe2f48014dbe9b26a42a0dd87c23

SHA256
8e616ccc44ee35a3f4cba9389320e73c642c39e059c948ae5575cde9b0326489

SHA512
f19821741e419cbf0b3cc9d86b6fa75683f2574e7df9df522dfc1b906f2f6625f3f1167b575e0aacdfb14696c81e2b207a035d368482bdb2663e061d9dbb6819

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC8AE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC97D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\DFTIWT\AKV.exe

Filesize
456KB

MD5
1f29b1075a91b3da0ccc0b9c49eece56

SHA1
048e675f087181035aedece9e7b11d065c6355cc

SHA256
4f6825548b32329c3360ed9abb7c0a6809a2c2291cf0bcaac511a9fa32a6336e

SHA512
7e152caf055f57f599ecc1e3a404b540b721b3315d2ba16bff6eb21f03edeb3a06ae185621e3139293612d94210f500f098bd281489ca7f336efd8b5284ee060

Download Submit
C:\Windows\SysWOW64\DFTIWT\FNM.002

Filesize
43KB

MD5
093e599a1281e943ce1592f61d9591af

SHA1
6896810fe9b7efe4f5ae68bf280fec637e97adf5

SHA256
1ac0964d97b02204f4d4ae79cd5244342f1a1798f5846e9dd7f3448d4177a009

SHA512
64cb58fbf6295d15d9ee6a8a7a325e7673af7ee02e4ece8da5a95257f666566a425b348b802b78ac82e7868ba7923f85255c2c31e548618afa9706c1f88d34dc

Download Submit
C:\Windows\SysWOW64\DFTIWT\FNM.004

Filesize
1KB

MD5
a21020ced8a55263e4e6fd82a004c106

SHA1
78de3d3a9bbc88df5b10cd10822d512bc33043f2

SHA256
2e9a200005b14ecdc7ba79cfc19ba3fb1779393ca78c02a2cd6e4a6fd0f8757f

SHA512
ce7238d1afbe2aa800f6c00a95d7f26d6f49d7bbb27f14d1725c6506e8957c06f265a27d45c68354f1680e91666099732de794758653c6514b1b2288f91ad5a1

Download Submit
C:\Windows\SysWOW64\DFTIWT\FNM.006

Filesize
225B

MD5
a5e8a28cf5d783dbcd9cff82463e808a

SHA1
2d3fca96b604648825aa2fe881f33b51fa8e95f7

SHA256
8177e47db61559959460406bc0f3c07ffe2a4e9478662b3e8a38c430aadec636

SHA512
fc5dbd35c2560a75594378501f4a8fa29b1b76f48afff6e42ada92d93505a6d3b426894682eb4cd6786b64d19972e3640824cd8f3b2bcea7653bf23aea201fe2

Download Submit
\Users\Admin\AppData\Local\Temp\full_akl 3.7.exe

Filesize
1.0MB

MD5
1f4efd51cd3b9fa7e1cc7b7652a76ef0

SHA1
def71ec3350a21ecb16f487c9b39c34b3f8a821c

SHA256
006c8b3ae6baa951713f9f9c406555fcbb58a5e900d15f33f251d48c8fa3ea32

SHA512
ea1b8e592d3a04c8c582db33585d588f9c2c5095b42e13baeefeffe836632ec8f47df0024872877754e289d0564291f8117a3ab571050ed98c1d08a19aa2bad4

Download Submit
\Users\Admin\AppData\Local\Temp\nsz9648.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Windows\SysWOW64\DFTIWT\FNM.001

Filesize
61KB

MD5
31c866d8e4448c28ae63660a0521cd92

SHA1
0e4dcb44e3c8589688b8eacdd8cc463a920baab9

SHA256
dc0eaf9d62f0e40b6522d28b2e06b39ff619f9086ea7aa45fd40396a8eb61aa1

SHA512
1076da7f8137a90b5d3bbbbe2b24fd9774de6adbcdfd41fd55ae90c70b9eb4bbf441732689ad25e5b3048987bfb1d63ba59d5831a04c6d84cb05bbfd2d32f839

Download Submit
\Windows\SysWOW64\DFTIWT\FNM.exe

Filesize
1.5MB

MD5
0aaffc12ef1b416b9276bdc3fdec9dff

SHA1
9f38d7cf6241d867da58f89db9ff26544314b938

SHA256
42b33dd905c5668c2518a6a7d407fb10c303cfedeaefcd7b6e4c7cc1b891c73b

SHA512
bbde0986b298c6172e7c8e3f938db9425f54cca097e280736e1ba289afd06a0b86f7cbc91f6d46458bc8e75069c12cda1cf808acf3b6c773b0661d081136ee7c

Download Submit
memory/2208-16-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2208-46-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads