ardamax | 73f84fd9e2c75fa1296a1b2b1c2bbc70892acb2cfb33a3c372cf047d6e650d63

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
Size

255KB
MD5

6e9fdbd85c3f5e072b9cbe6a5fe316ef
SHA1

231d7f60c403a39483731c76e1ad4f3e75dfde38
SHA256

73f84fd9e2c75fa1296a1b2b1c2bbc70892acb2cfb33a3c372cf047d6e650d63
SHA512

ad7164b14e12b822e9e784e1aaa7a0ea97e9076f321b735565f9a56cd882c6fc004c61b1297c20bd89b472718ca6ffc83577a2e79d3ce4467f4f26c2a22ff4e7
SSDEEP

6144:DMrpk9YeqVCVyMRi8D6/MynywM29rAXIHDZOS0qPyKMo/S:D0EFYQyWtSfBZrLHVoQyKz/S

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023c5b-145.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
3892	AKL.exe

Loads dropped DLL 2 IoCs

pid	Process
3492	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
3892	AKL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AKL = "C:\\Program Files (x86)\\AKL\\AKL.exe"	AKL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AKL\AKL.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.006	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\tray.gif	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\menu.gif	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\menu.gif	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\tray.gif	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.chm	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.007	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.007	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.004	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKV.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKV.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\qs.html	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL	AKL.exe
File created	C:\Program Files (x86)\AKL\AKL.003	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\qs.html	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.chm	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\Uninstall.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.exe	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\AKL.006	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.003	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\AKL.004	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File opened for modification	C:\Program Files (x86)\AKL\license.txt	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
File created	C:\Program Files (x86)\AKL\license.txt	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AKL.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3612	identity_helper.exe
3612	identity_helper.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3892	AKL.exe
Token: SeIncBasePriorityPrivilege	3892	AKL.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3892	AKL.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3892	AKL.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe
3220	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3892	AKL.exe
3892	AKL.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3492 wrote to memory of 3892	3492	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	87
PID 3492 wrote to memory of 3892	3492	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	87
PID 3492 wrote to memory of 3892	3492	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	87
PID 3492 wrote to memory of 3220	3492	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	88
PID 3492 wrote to memory of 3220	3492	JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe	88
PID 3220 wrote to memory of 4628	3220	msedge.exe	89
PID 3220 wrote to memory of 4628	3220	msedge.exe	89
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 3936	3220	msedge.exe	90
PID 3220 wrote to memory of 852	3220	msedge.exe	91
PID 3220 wrote to memory of 852	3220	msedge.exe	91
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92
PID 3220 wrote to memory of 4820	3220	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6e9fdbd85c3f5e072b9cbe6a5fe316ef.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3492
- C:\Program Files (x86)\AKL\AKL.exe
  "C:\Program Files (x86)\AKL\AKL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\AKL\qs.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffebd2846f8,0x7ffebd284708,0x7ffebd284718
    3⤵
    PID:4628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:3936
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
    3⤵
    PID:980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:1732
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    3⤵
    PID:456
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
    3⤵
    PID:4468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
    3⤵
    PID:1472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
    3⤵
    PID:372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    3⤵
    PID:2076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,11652116441911482278,14774758173149245036,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1284 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AKL\AKL.006

Filesize
4KB

MD5
626b46c466bcc63f2888dbe1bf7c07ea

SHA1
d6348cd2e7471c71940b22329057dabb6eb9b1aa

SHA256
447973833fe70c0fdfbde12b03af25c8e238b976703b3a349ce24db7bff6dbb3

SHA512
7ec431c583427b49e355299dbe7192c14fecb12b953e04e4844ced42b33618dd66d04b94dc811c21dae965801385d283572e6c164d6df89c392ee0bf045187f0

Download Submit
C:\Program Files (x86)\AKL\AKL.exe

Filesize
218KB

MD5
780bdf7f767d8a85f1844721cd0077fa

SHA1
1ad480226e8532edda9909030cadac61c9a22ba1

SHA256
39f0a4980627c596514e51a540d4e721c8f1bf3d0c9e69abc8b3f11f7c4b9314

SHA512
6d68ac87d611ca8dc3869438346681782df17f70128200edc35a82defc966da2597aaf4416bbd4a7f7b34b5ca424491bf4c4b7148aea02502242519b0c8e0577

Download Submit
C:\Program Files (x86)\AKL\menu.gif

Filesize
7KB

MD5
572a4a33a8f93014f69c7f1ccaa54273

SHA1
136c0b3818b572c83c26869f0bf6cf2bd36f2036

SHA256
50245484d8606762cbba8d67b0238f7283a061d67b5e9f1f374064de695e0260

SHA512
d2582ca552b7d2f7fb576ba220ce9f122f4ecafac311b9d1c9f62062f4b0ccd707b7a77a86ba7a856f1ae68eddfe872e653a1b7246359040f3c7b92e33b7dce2

Download Submit
C:\Program Files (x86)\AKL\qs.html

Filesize
1KB

MD5
1f8a533b1761fd59231b763303647650

SHA1
8f4f75b6b7228257b501c6b3f990d27c55ee1b7f

SHA256
1a962c7395d596113445b2b7fa0efd5bde4b64a413aa528daed9b7327aa2ae07

SHA512
f04535920dba1a820b1253c61b347bde4d14307258b1ecf866b9f481045cef074307500bdb1c4bb5bfe4f9a22811ba79df42f38141df15d3ae332b445095ad1a

Download Submit
C:\Program Files (x86)\AKL\tray.gif

Filesize
1KB

MD5
7dd88dca29c7388f7423ef7cf917b202

SHA1
a16cfc0b8f08c4381dfdd3737d7610f01af54c00

SHA256
3140583f655378fbc1066339a4dd09a5a008570c77e9c6d022cd20b3d8cc9b43

SHA512
09a23c5b7b893bb8b3f988bf2e4deaf8811ed143abf560c2176abd9b638a5d1601be06abb6645568fc656739efaa13b8852cf1dd6e469140e471a37c60861b91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
709e5bc1c62a5aa20abcf92d1a3ae51c

SHA1
71c8b6688cd83f8ba088d3d44d851c19ee9ccff6

SHA256
aa718e97104d2a4c68a9dad4aae806a22060702177f836403094f7ca7f0f8d4e

SHA512
b9fc809fbb95b29336e5102382295d71235b0e3a54828b40380958a7feaf27c6407461765680e1f61d88e2692e912f8ec677a66ff965854bea6afae69d99cf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc29044ff79dd25458f32c381dc676af

SHA1
f4657c0bee9b865607ec3686b8d4f5d4c2c61cd7

SHA256
efe711204437661603d6e59765aba1654678f2093075c1eb2340dc5e80a1140f

SHA512
3d484f755d88c0485195b247230edb79c07cc0941dedbf2f34738ae4f80ba90595f5094c449b213c0c871ade6aff0a14d4acfe843186e2421ccbad221d34bf54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\53b350b9-a743-49dd-b306-91f797cdc78a.tmp

Filesize
6KB

MD5
6ec8913bf79e96128261ebf33e32e91d

SHA1
da882cda172988cb39885a09f7719487ea3cf4e3

SHA256
7af65aba2450ebd500b019519b360385ad891c07d4af3a7421efe67618679c4e

SHA512
fd4d03b814779ba1296e00d67cbf65e5808f3181ea7754f55e542a2538b7003574c50be26bfe650c4bf5c10c31e83fb0010540506f83b2b1c3cb8beeefacdd36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
375c2abeeb2130ac54026ff9617048fb

SHA1
0754e9bf6902adf8f6f72e6f342236cbe7ef7679

SHA256
7328620880f63fa03ad779f18a2c310793e4545fd51152e8786b3e80c17a09a3

SHA512
a6c3fdf6c6d95ca6755129b1c7b32974ebe8eadcf48f7521e1786b0c6ff3433138a2f52b407a6cdbe6d063cad650295ca8f1ccdc455d6c351777a15e6e186504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6d6bd1e0b4c284f91aec7549d877c02b

SHA1
9e31e4180b73275c9f5e3b457398883f42f1943b

SHA256
1ef2ac7705089de84299226dfed3221fc9719795ae618b1df4b118757f66acf8

SHA512
ddcd17e04457193b62562aa5525f774d829e9b63613ff6864840492ffe256bd6b7b86cff0f1d5738c473d4616f1d299079676c8ec55400684533c27d82086860

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB0A5.tmp\InstallOptions.dll

Filesize
12KB

MD5
9aff00ec14e6cb71a13451011c580077

SHA1
5972140e4a0addb9eac685fe6037da7479f23ecf

SHA256
cc8145683ad8fd77bd5cca193e84188e40d6d03a0a0d1d00e2bdbef91be96bb3

SHA512
311abd4e9927c1424d794ba401f3935ad3b108a2124e58e0d29aa946514c7a1d62b9b08b013699f4f90796bdfb6c07211daddbb521c1d20ccee771f6ea43b110

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB0A5.tmp\ioSpecial.ini

Filesize
745B

MD5
5b6b93b07a2d2fa79d0cb3a0670c6d2f

SHA1
dfe62e4048b6d5d253565451ea4494d4c7f8f809

SHA256
d093b46544628b8cc62581a97bd11eac132f458f80c193ec7c9e1bd9aba34ec7

SHA512
c87e0581d0af09a968b998232ee211af7003d85ea511a50fede93b5a07184eb07599010ccf1f9dd52c2441dc2c9377b157b809dc62ad40b19caf4f2389ece0a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshB0A5.tmp\ioSpecial.ini

Filesize
736B

MD5
556769b6de45aa7b0d5a4adbbc802e52

SHA1
d6b27fa59f0a79d6b9ad0a4d3c732bc36722644d

SHA256
9c6ce37c9e1992a2ef2eadf9b06fcb39c491d38752acba3a2adc59c9736d3d47

SHA512
da1cfb577e66b9952d2b0db2c5dad1c28d3d6b5d8e60d36b62bca129b35b5c2e9c7afe780577da165367e199637523e4414e3729f288e50d5a6748265ae80405

Download Submit