ardamax | 73f84fd9e2c75fa1296a1b2b1c2bbc70892acb2cfb33a3c372cf047d6e650d63

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31/01/2025, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
Size

255KB
MD5

6e9fdbd85c3f5e072b9cbe6a5fe316ef
SHA1

231d7f60c403a39483731c76e1ad4f3e75dfde38
SHA256

73f84fd9e2c75fa1296a1b2b1c2bbc70892acb2cfb33a3c372cf047d6e650d63
SHA512

ad7164b14e12b822e9e784e1aaa7a0ea97e9076f321b735565f9a56cd882c6fc004c61b1297c20bd89b472718ca6ffc83577a2e79d3ce4467f4f26c2a22ff4e7
SSDEEP

6144:DMrpk9YeqVCVyMRi8D6/MynywM29rAXIHDZOS0qPyKMo/S:D0EFYQyWtSfBZrLHVoQyKz/S

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x001600000001866d-12.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
876	AKL.exe

Loads dropped DLL 9 IoCs

pid	Process
2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
876	AKL.exe
876	AKL.exe
876	AKL.exe
876	AKL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AKL = "C:\\Program Files (x86)\\AKL\\AKL.exe"	AKL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AKL\tray.gif	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.chm	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.007	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.003	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.004	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKV.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\menu.gif	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.006	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.004	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKV.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\qs.html	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\Uninstall.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL	AKL.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.007	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\license.txt	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\license.txt	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\qs.html	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\tray.gif	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\menu.gif	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.chm	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.006	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.003	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AKL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{990EF4C1-E026-11EF-8D81-C28ADB222BBA} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7034786d3374db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007972fa0308c17c4ca452432675d09323000000000200000000001066000000010000200000008d97a02a5d17b8ec31825e2df3f8f80c894c012ff5a75b4573d0253170e575e5000000000e8000000002000020000000017730ffb30896650b1e1a39f801f8a0309a8baf5c7c776bc3fc53cf4c47b2a39000000090ee6826968ea015af91ea512a337ac1e6114f1612ac6e9e33bc93e87e4c9e2ebce2ec0ee44fe35d10f929e97296902353e4bacb525a02c8b3f84d40a929c7234162e6d0e9f4b90df7dde0c0a4a056d7e5568a221831dc85248ce5aa5a5086b02cf7d5b7ccff932f2306f1298ef555634ec89326cc40057c2b85008fded5680a6d9ad708f767de0251b40907a3c600884000000064ff74f88ae86805fcdff933ca1c0bedf486cfbaabc330cc9dd803eca3095ffa4aa7f9fadd4cd0910156694219c1452af88c3ab5faf242303dc0a52045a4bc6f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444526052"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007972fa0308c17c4ca452432675d0932300000000020000000000106600000001000020000000ba9fa90110c5f99e62df6f779f2c07193f58d25d1dd29c45e292faf5c84c023a000000000e8000000002000020000000da847b0fc575cac95168822a98f195a8c7de632faf0595db8ebd77da7e19f99220000000e3b822254fc6e7988cacae93f574de26ce3961cebc9ff5dc6b5a47f1c80ccf5c400000004968cecef497b0a6d3e32028b27b0d0a5aa4216337c454bca5df200ee66b780c07a951b8262830f940414913e0ceca9278546ba78ab436bf7615bf08fd93ea4c	iexplore.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	876	AKL.exe
Token: SeIncBasePriorityPrivilege	876	AKL.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
876	AKL.exe
2988	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
876	AKL.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
876	AKL.exe
876	AKL.exe
2988	iexplore.exe
2988	iexplore.exe
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE
1948	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 876	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	30
PID 2008 wrote to memory of 876	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	30
PID 2008 wrote to memory of 876	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	30
PID 2008 wrote to memory of 876	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	30
PID 2008 wrote to memory of 876	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	30
PID 2008 wrote to memory of 876	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	30
PID 2008 wrote to memory of 876	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	30
PID 2008 wrote to memory of 2988	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	31
PID 2008 wrote to memory of 2988	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	31
PID 2008 wrote to memory of 2988	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	31
PID 2008 wrote to memory of 2988	2008	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	31
PID 2988 wrote to memory of 1948	2988	iexplore.exe	32
PID 2988 wrote to memory of 1948	2988	iexplore.exe	32
PID 2988 wrote to memory of 1948	2988	iexplore.exe	32
PID 2988 wrote to memory of 1948	2988	iexplore.exe	32
PID 2988 wrote to memory of 1948	2988	iexplore.exe	32
PID 2988 wrote to memory of 1948	2988	iexplore.exe	32
PID 2988 wrote to memory of 1948	2988	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Program Files (x86)\AKL\AKL.exe
  "C:\Program Files (x86)\AKL\AKL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:876
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\AKL\qs.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2988 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AKL\menu.gif

Filesize
7KB

MD5
572a4a33a8f93014f69c7f1ccaa54273

SHA1
136c0b3818b572c83c26869f0bf6cf2bd36f2036

SHA256
50245484d8606762cbba8d67b0238f7283a061d67b5e9f1f374064de695e0260

SHA512
d2582ca552b7d2f7fb576ba220ce9f122f4ecafac311b9d1c9f62062f4b0ccd707b7a77a86ba7a856f1ae68eddfe872e653a1b7246359040f3c7b92e33b7dce2

Download Submit
C:\Program Files (x86)\AKL\qs.html

Filesize
1KB

MD5
1f8a533b1761fd59231b763303647650

SHA1
8f4f75b6b7228257b501c6b3f990d27c55ee1b7f

SHA256
1a962c7395d596113445b2b7fa0efd5bde4b64a413aa528daed9b7327aa2ae07

SHA512
f04535920dba1a820b1253c61b347bde4d14307258b1ecf866b9f481045cef074307500bdb1c4bb5bfe4f9a22811ba79df42f38141df15d3ae332b445095ad1a

Download Submit
C:\Program Files (x86)\AKL\tray.gif

Filesize
1KB

MD5
7dd88dca29c7388f7423ef7cf917b202

SHA1
a16cfc0b8f08c4381dfdd3737d7610f01af54c00

SHA256
3140583f655378fbc1066339a4dd09a5a008570c77e9c6d022cd20b3d8cc9b43

SHA512
09a23c5b7b893bb8b3f988bf2e4deaf8811ed143abf560c2176abd9b638a5d1601be06abb6645568fc656739efaa13b8852cf1dd6e469140e471a37c60861b91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5f14d7afdfb82376f76fa347354f79e

SHA1
2199be3406d50b0c52c99041890ac0e0b6ab0f1b

SHA256
edc71e3cb7ea6ac3ba0433c00fb9d2d95b5bebb9d0cef778af58b5d7fb2728b0

SHA512
a7eca1139ab28abd0c656a7f3ac267335c07b09175d58a384fcd7f103ddb677212fc5d2980da4a068057351df9c19f657e4a9017064705e4f8652f6f5ade21a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a679ab328cf73f00f283b6cc771b8599

SHA1
4c4b19b6e95ddf7da8e40b247ce054422973cf99

SHA256
ee860348bf18a0dc3db483f621849b088c867e43ccff912236d452bc420be328

SHA512
6bb2bdf97a4c8919bc876bfb754c3661f75949fe6868bfdad315a9fe8ed9f7b261038bbb41bdc9260fb9d3ebdad6bb8e99a4d26bf9a9373eb8d3a351574aa871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b2013643f4681bcbf5a828425781e21

SHA1
b58c03f2974d4a2f6e92900b9a67bc1e6575e875

SHA256
5b2ad5946e756a9546fdc92de816a02f8afd10b2890979133ab8265e145bd259

SHA512
6073a0f5380484af5aa56c93d53b57fff386aab7df88f9286462fedcd4c86445536f3cf6686fdc711754ee702037c25558cf216148d5ef06f35d892b91243db4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d5af0b8397efd29063bc22b95adc505

SHA1
9c4060ef775b9810e58a4ca404fc19c08ab71544

SHA256
d4c1956ee83456b67f183af12d54f0b1de50964965eb6ecef472325816f99374

SHA512
ffc61ae45a2269824aa7730509e8a4867c2563e1996fd634d1f4a3408c1137e0ad22bd7368fce97bc8e695191c537d6cb504aefa7aa922007ed0bd02e624af4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
395a224b81558b9c9d2c3a642b8e6566

SHA1
cbabe45b0737ed1fff65aa47701ba9cf048ae5d4

SHA256
5c16939ad6df8b5ed1c8bcb486fdffd531ebf9300b735569f48d8b407af54269

SHA512
f4fb475c17e2d26b9784664e1a036071536d83e1b9811b02855a14e78c6758257ee9b7b5e21a36a8c08da5b7c77ac45085ec4f6e9e7ad344ba35a0d1a8456e21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43f36bdb4a537ff65864dcb1646ea650

SHA1
9338cee1dde61b1c71294336883d04a4aa21f522

SHA256
900d9092b487892f8a0ef6e038bc2490207c3ca7346e766755bb3542ede6cb1c

SHA512
16091d0f4f62db7ea3982fefc9915fd832be40dc312c984fb88ad74015b36bfbb643e6d78afe55e80d96e0c0d4f60bbad57463191f61668135e8dd7d0587447a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ff4965b6f112e77a30f2c48388f8a8e

SHA1
9b61b3e0a8557d753d630b368dbd86e78fccb2ea

SHA256
243134c3281bd9c41c7f670937fbd9a87367b155c0ea6bb2784ec439866d3140

SHA512
2169dda6445ce18904f9ab3540fbd58d706c263cda3f6d450aed665605b4c20101ecb0715966678e7e4c1e1537a1126dc66bdaf8f44627ca2b305383a01b7e26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8fbd8415c0fe8e9f8c193db3d371442

SHA1
88612074a6dd627a75aac6d8c65faf96c2cccbe8

SHA256
02191d4f3ee7a53a05ac2a6e7fed8d98136d11373986568032deca2a3aa96e10

SHA512
336b734a806d611f7327c94385778d05ff913afb7977a1fffcf51dccff9c64b6c8b26cee9fe67a8b5f6034c40857154a6c6fcf75e4b8d23bb7348595cdf065b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d3dc3cbd34f0a31ddd3ec34badbc807

SHA1
bc18b50847bcab570efcd6c848c49dc096828866

SHA256
b3de3ec7a04a77b22028dd26c0c4e352bd11b8c6f9e182ca6089d844f699a417

SHA512
19096be0012d8674aac042d39dec9b69a3e0ab713334f26575e776b97759d9d70cabff45ce3c52fa5c1b8ab07901404d513dff33a58dfc52f711dba31889a17d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d95cdc2ed042f22cddf1f2aacf33a28

SHA1
b15e4de204a57e89229f67d03298499a3aa65d5d

SHA256
84a7ea399ae5ecf0f4b1e9b6aaf86036fc6d8c5983f6eb7e89f854336b19813f

SHA512
b039e3a53f919b96851297f2e507cceebfbf2ef7f0b0a2d93a1cdf60a389014f4c59d35988f0cd39d8e55e2d796a7e1dde5492b3517517d46e2ae58053d8a0a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8217da409ca2e6dc2cfef4eec3945b07

SHA1
b8a6250b9cdecb315caa76e2add5359c3076ddac

SHA256
e3cdeab1cd5bc5698039990d4c09f99c2b9853f7178078923b8d77717aeaf2ba

SHA512
0e60371cbe217e239c78499e1ba894b62e1371e748d322429767ee7383e841f76304e64b1af196bebca80ba969a1fb308dc3184f3d92bdc540df1361aacde6e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbcaf20a63d7e0ed3ae8b570e9687425

SHA1
c952eca35aece2e2bd5a2eb048dc1ebf472fcbda

SHA256
da778b55c1fd874e61ccedd7aef5066a2b291311063703b8beed7ba814f39b6d

SHA512
755fd5fbd3d4741153b5c11f1fa41795c609405e9aec9a6c14f7fc223b2bbd8a1c27ea8bf32665a834ea59b1a445f2ed65c0b765b432f6a72c796dcff8366dad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dde5b5ebfb4cbe7b5ef49c41bb21de72

SHA1
b3f923c9360d3c8a3abf5dfd9a96ec99dd158e43

SHA256
8decdd37e4c27590bef25c1a129775f150125ae18abc89011ce2900a74af07c7

SHA512
7bc87a93607a30a807ac0ce43c55413d0aef7222cf7eae277b0d6ae1c497739249944fee3125aaa2dacb756012489f10b8ee75b3906a59a67c7e79ebd2ac7667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9a1e34ea9e9303e0a9e40257e4eecc0

SHA1
f566a2450b5b1bbd8d9e9f7d1740d36bcfa85368

SHA256
529e30272afea237738dacf0a4bca3ae49a08419b427a5e727a30ff372197f3d

SHA512
652719a451828eaae66c6231d27e6bb3b6d36846f75b13cf165746f497df1376d40a2c3ef69940289eaf6d8f5c38c631127da55c4d33b41ee34e8b64548854ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22f0e0595e6d904c15cef717d6407b4a

SHA1
019ba9a5f2970c4f347771ff113123d60f49d375

SHA256
152a7674a81bb06e2024445d47d318134bb032308ee5b6b78e1c44fca9b9922f

SHA512
877c59386e7c7c8e5c02361cc5fc3d48b50dc94432769bca2777b6a349f0dd157a8f89a4305b71407eee6ed3e9f42db90584cf62468a4c343b74232a2b22799e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3000d93668e2ae08f21ddbc40e9ea0c

SHA1
7e0a86ab82b6a536f398674c68b0e616b0d3e6eb

SHA256
100f72211293ae69444ac1f1ec1b8b256a0729cdc701908421a8ada9ecaec7b6

SHA512
3d1c46047f9d32539c5d01950418a1172e2d545cdd3bc431c901289403e77dae6c9c544ddc7782a20ad580b72836d63329edbea50438de68a9cd6ade3f7330dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c717129ef79e2ccbe0248c13b9a683c

SHA1
d665a8df91548a87de79068f7a1ca159bee3cacb

SHA256
5b20909d84e6c5a3bc3d0ec6e9feb81fd415c2f01818e2722ebf91d7658246f6

SHA512
c1ae9c84a42baa02b87e03d8b59c8821e1a76ee0ec1b02be5ae2b215183f471847f271200eeee3dc4cef06b30a7297bf05c26a9884e39a6a1be1e95536b2cd27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b5be55c884a6998214b1b7b389cb132

SHA1
fc9bc917bd80e55f18fce63305b03a59be8c7bcb

SHA256
25385d4ff5cfc1088c4c3583b7110957ea2ba403c6a62f62949a313f39e86007

SHA512
8150cd54208ab23041d79e366cab9c31268808876130e51f7ab61845aa2d95ecc9444489479f765d5e050f73f79080d5028c75b2a0f2ce1d69633cdbe8b18ca4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83be81eb25f2a99a40210d0846065e56

SHA1
b424012af26331df101c7681158fe6ceca214104

SHA256
71269948832edc51518404e7d833e168f4dfdd22683115e308475015eade59d2

SHA512
b17cf30291bf57792e077c5a3fbb61ee1d02e8d88eb0b0bdf158b58ab5ac75fee13d7ddbb2493c5a993bc32d2ae59c35629f98faba780b79d434a32e85f96252

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c45b7e9175d47aaba63d693333b2c15

SHA1
5a805a718fa7316998b072f777b61e638c9c5fc5

SHA256
7b25cbc46d30dc01b49140f35ddc9fef29abcd9ec6400aeaaf3ed00a619d71c4

SHA512
95f7d1eb81bf8611ef7610f4cd900a58efc61067ede4e5bfe3d6dca9e37076b004845242d117c287de2401656f4dc7cf6f3f2b6eda66d9199703f17a050a0cde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a2de7545dc9b0bd6e4e4d7fd90ea84a

SHA1
db7a16291b8b4403b75ea7b90d2e20806fb7ff61

SHA256
43b10903d4af36aa52f21523f1a1dbfb91f82f3b7611fcbc3d9c43a1d4ae9922

SHA512
0092d70dc84b34ce4c2793bb08fc76fbaaaf4a49c060c740b8d5af9b652b0e1e9ecf44b354dce7c7edd8c3d66054f5546eafe0a1ca0bf28717e0a3b1557abd27

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6AE6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6B47.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF069.tmp\ioSpecial.ini

Filesize
745B

MD5
b5b17215ede952ca6b8c00501f6695a3

SHA1
63fcbdb62330bf040ed5d158ba4a201d4346ced1

SHA256
82362042b9bfbf433657900b3e3017834a57c095840b10e9b4b901afafa45bd9

SHA512
207daeb23855ba56b1dad3a9194582b7fcc09b4f08a522b0d7a088f416254a4a826fe458f7c2fae09ecf424de681cc416e7c05d69d0852bfef03256d53ba05cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nstF069.tmp\ioSpecial.ini

Filesize
736B

MD5
ec6df256761e582f23d92833e744ed8d

SHA1
0cde69eca3365535f6966782e5ae4d942aa42f99

SHA256
fd82aec0e7b3cf00d4144fe546acde4bd5511c2657ba7e5dbb083ef12c06695e

SHA512
a18d1226fc28eb980a114f354d9430d4070523a8dd398a0760cd794e1e4b974322a58ba1247bc0821ed24b1dd8112b1bf0fc1ea6fe50d9684708dbdf00b4949b

Download Submit
\Program Files (x86)\AKL\AKL.006

Filesize
4KB

MD5
626b46c466bcc63f2888dbe1bf7c07ea

SHA1
d6348cd2e7471c71940b22329057dabb6eb9b1aa

SHA256
447973833fe70c0fdfbde12b03af25c8e238b976703b3a349ce24db7bff6dbb3

SHA512
7ec431c583427b49e355299dbe7192c14fecb12b953e04e4844ced42b33618dd66d04b94dc811c21dae965801385d283572e6c164d6df89c392ee0bf045187f0

Download Submit
\Program Files (x86)\AKL\AKL.exe

Filesize
218KB

MD5
780bdf7f767d8a85f1844721cd0077fa

SHA1
1ad480226e8532edda9909030cadac61c9a22ba1

SHA256
39f0a4980627c596514e51a540d4e721c8f1bf3d0c9e69abc8b3f11f7c4b9314

SHA512
6d68ac87d611ca8dc3869438346681782df17f70128200edc35a82defc966da2597aaf4416bbd4a7f7b34b5ca424491bf4c4b7148aea02502242519b0c8e0577

Download Submit
\Program Files (x86)\AKL\AKV.exe

Filesize
162KB

MD5
b0e2e8c4f1623f666de785e7cb4c7e94

SHA1
9e7f4a47c952193645c38b815784d8431c7d6c24

SHA256
001837fcafccec8059942897e93643b4bd710ed27e286dbf95dbf6e0d7744711

SHA512
950e0c849f750ce2dc654f358fb2b5220995f97abfd200d09d5ccbdf3c20885f6d2974a2243d840ba8a733a91fffd36740c4bbf435cc0a06f5283e848ffa97ee

Download Submit
\Users\Admin\AppData\Local\Temp\nstF069.tmp\InstallOptions.dll

Filesize
12KB

MD5
9aff00ec14e6cb71a13451011c580077

SHA1
5972140e4a0addb9eac685fe6037da7479f23ecf

SHA256
cc8145683ad8fd77bd5cca193e84188e40d6d03a0a0d1d00e2bdbef91be96bb3

SHA512
311abd4e9927c1424d794ba401f3935ad3b108a2124e58e0d29aa946514c7a1d62b9b08b013699f4f90796bdfb6c07211daddbb521c1d20ccee771f6ea43b110

Download Submit
memory/876-178-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads