File name: Ardamax Keylogger v4.4.2 FINAL Crack [TechTools].zip

Full analysis: https://app.any.run/tasks/cc76826d-59a6-4cf1-815a-ea1b8fd66226
Verdict: Malicious activity
Analysis date: August 04, 2018, 10:55:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 8681DCB953C6957860A848C2589C281F
SHA1: E25675A93D7350E149B62FA1BB26700AE18016BF
SHA256: 5A659B86D1FB5A9AACD3890407DABF005654E26FABAD5679F6F06B3312AEB2DE
SSDEEP: 49152:QlMni7u+B7WXrKPGZDvMmnBVE0rs3XgtnHI9X3PBLIN9zSG:QlMi7u+B/PevNj/iXgtHIpsVSG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • setup_akl .exe (PID: 3528)
      • setup_akl .exe (PID: 2536)
    • Application was dropped or rewritten from another process

      • lzma.exe (PID: 980)
      • lzma.exe (PID: 1516)
      • lzma.exe (PID: 2188)
      • ns229A.tmp (PID: 2348)
      • lzma.exe (PID: 4024)
      • ns2395.tmp (PID: 3876)
      • ns21AE.tmp (PID: 3768)
      • CCP.exe (PID: 1972)
      • ns250D.tmp (PID: 3952)
      • CCP.exe (PID: 2076)
      • CCP.exe (PID: 2800)
      • Viewer.exe (PID: 3756)
      • CCP.exe (PID: 2648)
      • setup_akl .exe (PID: 3528)
      • setup_akl .exe (PID: 2536)
      • setup_akl .exe (PID: 3760)
      • setup_akl .exe (PID: 2820)
      • Viewer.exe (PID: 336)
  • SUSPICIOUS

    • Application launched itself

      • setup_akl .exe (PID: 3760)
      • setup_akl .exe (PID: 3528)
    • Executable content was dropped or overwritten

      • setup_akl .exe (PID: 2536)
      • setup_akl .exe (PID: 3760)
      • lzma.exe (PID: 980)
      • setup_akl .exe (PID: 2820)
      • lzma.exe (PID: 1516)
      • lzma.exe (PID: 4024)
      • lzma.exe (PID: 2188)
      • setup_akl .exe (PID: 3528)
    • Starts Internet Explorer

      • setup_akl .exe (PID: 2536)
    • Starts application with an unusual extension

      • setup_akl .exe (PID: 2820)
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 2756)
    • Changes internet zones settings

      • iexplore.exe (PID: 3400)
    • Creates files in the user directory

      • iexplore.exe (PID: 2756)
    • Dropped object may contain URL's

      • iexplore.exe (PID: 2756)
      • iexplore.exe (PID: 3400)
      • setup_akl .exe (PID: 2820)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2756)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2756)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: 0x0800
ZipCompression: None
ZipModifyDate: 2018:08:04 10:54:26
ZipCRC: 0x4e3b6d87
ZipCompressedSize: 1825165
ZipUncompressedSize: 1825165
ZipFileName: Ardamax Keylogger v4.4.2 FINAL Crack [TechTools]/www.TechTools.NET - www.ThumperDC.COM.jpg
No data.
All screenshots are available in the full report
Total processes: 91
Monitored processes: 30
Malicious processes: 8
Suspicious processes: 4

Behavior graph

Process nodes in the graph, in start order ("no specs" is the tag the report attaches to that node):
winrar.exe (no specs), PhotoViewer.dll (no specs), notepad.exe (no specs), winrar.exe (no specs), notepad.exe (no specs), setup_akl .exe, setup_akl .exe, iexplore.exe, iexplore.exe, rundll32.exe (no specs), timedate.cpl (no specs), viewer.exe (no specs), lzma.exe, lzma.exe, explorer.exe (no specs), ccp.exe (no specs), notepad.exe (no specs), ccp.exe (no specs), lzma.exe, ns229a.tmp (no specs), ccp.exe (no specs), ccp.exe (no specs), setup_akl .exe, viewer.exe (no specs), setup_akl .exe, ns21ae.tmp (no specs), ns2395.tmp (no specs), notepad.exe (no specs), ns250d.tmp (no specs), lzma.exe

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process (the Indicators column is empty in this extract).

PID: 336
CMD: "C:\ProgramData\CCP\Viewer.exe"
Path: C:\ProgramData\CCP\Viewer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 1

PID: 980
CMD: "lzma.exe" "d" "1.lz" "CCP.exe"
Path: C:\ProgramData\CCP\lzma.exe
Parent process: ns21AE.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\programdata\ccp\lzma.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imm32.dll

PID: 1044
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Ardamax Keylogger v4.4.2 FINAL Crack [TechTools]\Ardamax Keylogger v4.4.2 FINAL Crack [TechTools.NET].zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 1148
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\dllhost.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1516
CMD: "lzma.exe" "d" "2.lz" "CCP.01"
Path: C:\ProgramData\CCP\lzma.exe
Parent process: ns229A.tmp
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\systemroot\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\imm32.dll
c:\windows\system32\msctf.dll

PID: 1592
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\explorer.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 1972
CMD: "C:\ProgramData\CCP\CCP.exe"
Path: C:\ProgramData\CCP\CCP.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll

PID: 2032
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Ardamax Keylogger v4.4.2 FINAL Crack [TechTools]\_ReadMe.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2076
CMD: "C:\ProgramData\CCP\CCP.exe"
Path: C:\ProgramData\CCP\CCP.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\programdata\ccp\ccp.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll

PID: 2172
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Ardamax Keylogger v4.4.2 FINAL Crack [TechTools]\_ReadMe.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events: 1 320
Read events: 1 206
Write events: 113
Delete events: 1

Modification events

Columns: (PID) Process | Operation | Key | Name | Value
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
(3832) WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\59\52C64B7E | LanguageList | en-US
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\Ardamax Keylogger v4.4.2 FINAL Crack [TechTools].zip
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\MainWin | Placement | 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2C0000002C000000EC03000021020000
(3832) WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\General | LastFolder | C:\Users\admin\AppData\Local\Temp
Executable files: 25
Suspicious files: 22
Text files: 20
Unknown types: 10

Dropped files

Columns: PID | Process | Filename | Type | MD5 | SHA256 (a dash marks a field left empty in the report)
2820 | setup_akl .exe | C:\ProgramData\CCP\1.dat | - | - | -
2820 | setup_akl .exe | C:\Users\admin\AppData\Local\Temp\nsu423.tmp\ns21AE.tmp | - | - | -
2820 | setup_akl .exe | C:\ProgramData\CCP\datatext (filename and type are fused in the source) | - | - | -
2820 | setup_akl .exe | C:\ProgramData\CCP\3.lz | - | - | -
2820 | setup_akl .exe | C:\Users\admin\AppData\Local\Temp\nsu423.tmp\ns2395.tmp | - | - | -
2820 | setup_akl .exe | C:\ProgramData\CCP\2.dat | binary | - | -
2820 | setup_akl .exe | C:\ProgramData\CCP\3.dat | binary | - | -
3760 | setup_akl .exe | C:\Users\admin\AppData\Local\Temp\nsd1F0.tmp\UAC.dll | executable | 431E5B960AA15AF5D153BAE6BA6B7E87 | A6D956F28C32E8AA2AB2DF13EF52637E23113FAB41225031E7A3D47390A6CF13
2820 | setup_akl .exe | C:\ProgramData\CCP\1.lz | lzma | - | -
2820 | setup_akl .exe | C:\Users\admin\AppData\Local\Temp\nsu423.tmp\modern-header.bmp | image | 173391C2C5228607D99CA65F29C8FB3E | 6F178942B4130DD4C59215F1CE59CD47226F1AC4149F481486E9A652EA9CD1D8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 9
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2756 | iexplore.exe | GET | 301 | 69.162.154.237:80 | http://www.ardamax.com/keylogger/ | US | html | 242 b | malicious
3400 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation
3400 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2756 | iexplore.exe | 69.162.154.237:80 | www.ardamax.com | Steadfast | US | unknown
2756 | iexplore.exe | 69.162.154.237:443 | www.ardamax.com | Steadfast | US | unknown
2756 | iexplore.exe | 216.58.215.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2756 | iexplore.exe | 216.58.215.232:443 | www.googletagmanager.com | Google Inc. | US | whitelisted
2756 | iexplore.exe | 216.58.215.238:443 | www.google-analytics.com | Google Inc. | US | whitelisted
2756 | iexplore.exe | 157.240.20.19:443 | connect.facebook.net | Facebook, Inc. | US | whitelisted
2756 | iexplore.exe | 74.125.143.156:443 | stats.g.doubleclick.net | Google Inc. | US | whitelisted
2756 | iexplore.exe | 157.240.20.38:443 | www.facebook.com | Facebook, Inc. | US | whitelisted
2756 | iexplore.exe | 216.58.210.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Columns: Domain | IP(s) | Reputation
www.ardamax.com | 69.162.154.237 | malicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
fonts.googleapis.com | 216.58.215.234 | whitelisted
www.googletagmanager.com | 216.58.215.232 | whitelisted
www.google-analytics.com | 216.58.215.238 | whitelisted
fonts.gstatic.com | 216.58.210.3 | whitelisted
connect.facebook.net | 157.240.20.19 | whitelisted
www.facebook.com | 157.240.20.38 | whitelisted
stats.g.doubleclick.net | 74.125.143.156, 74.125.143.154, 74.125.143.155, 74.125.143.157 | whitelisted

Threats

No threats detected
No debug info