ardamax | 1e48e0a89ad24b9273a92b3bb707e07ecf0635b609f14768e59c8ca9249c5a70

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2024 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe
Size

1.3MB
MD5

69d723338b992ee153027b1b159d9ec1
SHA1

febc1a6fdb5b81e73f15a68f4bee2b3e058e65a5
SHA256

1e48e0a89ad24b9273a92b3bb707e07ecf0635b609f14768e59c8ca9249c5a70
SHA512

1089c03af40963a23a79bf3d4711b96d5ac94e84f8db59a522f3efe7b689266af6b4cab6815f9bdeebb35778b90d76e9d41f5fc76010e7f76e69e2ad354f0681
SSDEEP

24576:elTV5nFNJ4fmEST3LfeS5I8t/bY+I1ynqvB/L6tt1R8oc+I1C1+v5ZR69tFRva:edzzpDLV5i+8ynpt18+8C1ntFY

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023c6c-29.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	INSTALL.EXE

Executes dropped EXE 5 IoCs

pid	Process
4584	INSTALL.EXE
1324	SETUP_AKL.EXE
1420	YXFG.exe
1600	setup_akl.exe
4016	HTV.exe

Loads dropped DLL 15 IoCs

pid	Process
4584	INSTALL.EXE
1420	YXFG.exe
1600	setup_akl.exe
1420	YXFG.exe
1420	YXFG.exe
1600	setup_akl.exe
1600	setup_akl.exe
1324	SETUP_AKL.EXE
1324	SETUP_AKL.EXE
1324	SETUP_AKL.EXE
1324	SETUP_AKL.EXE
1324	SETUP_AKL.EXE
4016	HTV.exe
4016	HTV.exe
4016	HTV.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\YXFG Agent = "C:\\Windows\\SysWOW64\\28463\\YXFG.exe"	YXFG.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463	YXFG.exe
File created	C:\Windows\SysWOW64\28463\YXFG.001	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\YXFG.006	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\YXFG.007	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\YXFG.exe	INSTALL.EXE
File created	C:\Windows\SysWOW64\28463\AKV.exe	INSTALL.EXE

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HTV\HTV.007	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.004	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\AKV.exe	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\tray.gif	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\menu.gif	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.exe	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.006	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.003	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\qs.html	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\HTV.chm	SETUP_AKL.EXE
File created	C:\Program Files (x86)\HTV\Uninstall.exe	SETUP_AKL.EXE

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP_AKL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YXFG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HTV.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023c62-12.dat	nsis_installer_1

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4116	msedge.exe
4116	msedge.exe
3852	msedge.exe
3852	msedge.exe
920	identity_helper.exe
920	identity_helper.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe
1920	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1420	YXFG.exe
Token: SeIncBasePriorityPrivilege	1420	YXFG.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1420	YXFG.exe
1420	YXFG.exe
1420	YXFG.exe
1420	YXFG.exe
1420	YXFG.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3636 wrote to memory of 4584	3636	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	85
PID 3636 wrote to memory of 4584	3636	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	85
PID 3636 wrote to memory of 4584	3636	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	85
PID 3636 wrote to memory of 1324	3636	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	86
PID 3636 wrote to memory of 1324	3636	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	86
PID 3636 wrote to memory of 1324	3636	69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe	86
PID 4584 wrote to memory of 1420	4584	INSTALL.EXE	87
PID 4584 wrote to memory of 1420	4584	INSTALL.EXE	87
PID 4584 wrote to memory of 1420	4584	INSTALL.EXE	87
PID 4584 wrote to memory of 1600	4584	INSTALL.EXE	88
PID 4584 wrote to memory of 1600	4584	INSTALL.EXE	88
PID 4584 wrote to memory of 1600	4584	INSTALL.EXE	88
PID 1324 wrote to memory of 4016	1324	SETUP_AKL.EXE	106
PID 1324 wrote to memory of 4016	1324	SETUP_AKL.EXE	106
PID 1324 wrote to memory of 4016	1324	SETUP_AKL.EXE	106
PID 1324 wrote to memory of 3852	1324	SETUP_AKL.EXE	107
PID 1324 wrote to memory of 3852	1324	SETUP_AKL.EXE	107
PID 3852 wrote to memory of 1144	3852	msedge.exe	108
PID 3852 wrote to memory of 1144	3852	msedge.exe	108
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 1728	3852	msedge.exe	109
PID 3852 wrote to memory of 4116	3852	msedge.exe	110
PID 3852 wrote to memory of 4116	3852	msedge.exe	110
PID 3852 wrote to memory of 3580	3852	msedge.exe	111
PID 3852 wrote to memory of 3580	3852	msedge.exe	111
PID 3852 wrote to memory of 3580	3852	msedge.exe	111

C:\Users\Admin\AppData\Local\Temp\69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\69d723338b992ee153027b1b159d9ec1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3636
- C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
  "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\28463\YXFG.exe
    "C:\Windows\system32\28463\YXFG.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Users\Admin\AppData\Local\Temp\SETUP_AKL.EXE
  "C:\Users\Admin\AppData\Local\Temp\SETUP_AKL.EXE"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Program Files (x86)\HTV\HTV.exe
    "C:\Program Files (x86)\HTV\HTV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\HTV\qs.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0xe0,0xe4,0xd8,0x108,0x7ffd8ccb46f8,0x7ffd8ccb4708,0x7ffd8ccb4718
      4⤵
      PID:1144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
      4⤵
      PID:1728
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
      4⤵
      PID:3580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:2628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:1124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
      4⤵
      PID:3592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:920
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
      4⤵
      PID:3824
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
      4⤵
      PID:3660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
      4⤵
      PID:1432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
      4⤵
      PID:1892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,9763875033823238723,7811778664201383821,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2324 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\HTV\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\HTV\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\HTV\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e4f702b36b3d8d969a3abf2842046f3

SHA1
6f0e9bb43182076951e4fd50cd56ef9e9a1de048

SHA256
ff8243987c74cedcc7c5fee627238f22373648b53aded4b3863f471eb2a85b6b

SHA512
8d1ff1c26014cb297c2186b82f1197ab57ed39d46b3fe430352d1fb336636b15cbf1c2662169c09260a859fcbed9cf216a5f302a7407f7d9aead41f76f3ea4cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4464a63b3ef99730673a5abbdba689a7

SHA1
208c686af67216b3a70b79cecb01db7f4aa5599a

SHA256
1cf7eedbc4341c2b591f82ca6650e57ad99f3ce6e76ac4d9725bd64457590994

SHA512
e38385bcd9a5e98b9b82540d0738ceda72307a68962ea54397bd0e2957096358aba03f64674e66d6f0029c97bcdf56b572b68837486bb9923d6bcc6b0d00fee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8c0e4c06cc74bf4fb076517a11f31ea2

SHA1
c8ec964b6f10e8cb3ec55d4bb330fdf11670b6f9

SHA256
3008ea556708ed937aa7194bdc2f01c55c6c1298290a9eb3fe735b871beef675

SHA512
9ed703dcb447caed1dab8182cb19447b7d1adc9263eb76b06c03e9a10fa35047e45e2aad833bfcd73522b55098b71951457b3cb62ce0a30b5b7726ab3c64344a

Download Submit
C:\Users\Admin\AppData\Local\Temp\@9172.tmp

Filesize
4KB

MD5
13e10cd76f11d6cb43182dcba7370171

SHA1
e6b8ce329e49ff09f1cb529c60fc466cb9a579c8

SHA256
f1265c88f0077009eaa18db413f156cc7ad8d41dc9d797dd1032b0e0ae9c40d5

SHA512
ee32ef3f50838936417e51dfd365b166456900e327dbe51902700bb3d562dea22e6fbd9009c822ba0562687001802a2e61d38123f81ae19f7b3d05bb1fd5cda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE

Filesize
907KB

MD5
27844d86bbb80d1ec89adfb288259b80

SHA1
a15ec161b39f04a4c817ab60f6977624a491df2d

SHA256
ba24bf9749aa2c37c2109a43406e01f4a9d8a3455b88b39816743351e2761a71

SHA512
7bed01dcfb93396e6d19ef008d0cbca2be9d6845a53b19988ad63fb3de449d82207458915cf72f7c5edbb95e5d5c122b48c5e5c50a84e9a2e0adbc9a11e7513c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SETUP_AKL.EXE

Filesize
418KB

MD5
15c01ad46f1143036a3cc727549b305e

SHA1
263b6fdfb4ac98e60fcdfe570e31143d3b502b31

SHA256
b4ba83d0ebb2540014dfcf8e51192296f62880639ad1d4204a898d03a60715f4

SHA512
6236f0af354dcf890528b14ba4c63d6980bdd8d1a7d460618bfe4f046dfeb26fc91420dc3d8c3253d84faf8cfd0157338ce44b9781fbd0e379fa844844a66a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp924F.tmp\InstallOptions.dll

Filesize
14KB

MD5
296a5f3179fa8d7a7a855eaf696ede44

SHA1
57aa5b71553ed282dd22c768e039a187f5c13f63

SHA256
ee0ad77e681c4d0fdf1d67df5f4ca03e6bdd8e3b05dfb47a83ad5c733ed62960

SHA512
bc527d1485f468e8d098057e0e38e8cb7aa6eb64d4ca30927b99b1552a3177b132b989015ff95bdf2ca046bf11a54b4b456f51e024fbc734fbb548c3499e53f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp924F.tmp\ioSpecial.ini

Filesize
793B

MD5
cc3a4ac604a5df94c59e48955e4f8439

SHA1
ba948874bc9b198db9da2faab3dfdb39f2e130d7

SHA256
7b76d0e44ba8aa3172bba8813eb7e9c7902edf048ceb91d19ce24494b4039e07

SHA512
4b9f25f96a0c36332b1e4037cec36cc1ff92d8789feb938705e91d2355d576179eae3e8ff9eec294dbc7b3e54f3748786f537abf34f6c37cc970c00731074046

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp924F.tmp\ioSpecial.ini

Filesize
719B

MD5
3a6e761c1676e9bdadfc23ab06a61a32

SHA1
40cb7a39d825f8f788eb112634533108d74cd0cd

SHA256
12f7b990cfcfdb9f93d0d9880a57b252c4204ade68d41ef28ad5626d6a63380c

SHA512
b0e7e4fe0f226929d50139eb760350f0613b00bcb04b280d96cd87769be5f1060f9f90a2c2fba73572f2d0e7fd5e22f3a1ebb5c38ed6c32297e97175ce7c2bd5

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
adbec81b510dcfe49835f95940ef961d

SHA1
77940f6e46fbd5f53de23bd49afe9172470769d0

SHA256
466efb4b00255f21075b340fc2d2444f182947ab90270840543658c5fd3a9b95

SHA512
ef4324a06fbe960933f5551ea6ac587cd87cb6025bc6879a2b81a4d1033cfe87e244b6a87fb5db5ad065321ccbe8035cf24a668452d5b0c6a4063a355a12b2a7

Download Submit
C:\Windows\SysWOW64\28463\YXFG.001

Filesize
408B

MD5
9ddf8eddb967987e43e178ea731a13e6

SHA1
112c08c25188b785f6317d374e64d45a9d2b14c7

SHA256
6033734f4772db3b3d4e908f3e2ae2989cfb6cbadbe85875860e46daa3a78651

SHA512
8160599d4a57b2a62ac156855885c6b864abda0947e5cf1e9400eeac432ea34bc9e349ba5746d43dbb90cf591327ac6e8a59f55e30bc7a31cf89c69624866137

Download Submit
C:\Windows\SysWOW64\28463\YXFG.006

Filesize
8KB

MD5
f5eff4f716427529b003207d5c953df5

SHA1
79696d6c8d67669ea690d240ef8978672e3d151c

SHA256
ac54ebb9eec3212f294462ce012fdc42f4b0896d785d776a5a2cc3599dc5bcde

SHA512
5a48599a5855f06c3e7d6f89c4e06bab1f4381b9d30cf3824c465b8fd6c142b316e6bd6aaad73d1f9b3e84d96113fb5e7374831bf503744013c9e1a0632a0caf

Download Submit
C:\Windows\SysWOW64\28463\YXFG.007

Filesize
5KB

MD5
bc75eddaa64823014fef0fe70bd34ffc

SHA1
15cd2ace3b68257faed33c78b794b2333eab7c0a

SHA256
9eada36d17635bedb85ce96a62cb019dbfee696b9986f69de7d5b5bc1f44df5d

SHA512
20db25f32f9cfdbffa4f30c0065125052c6e20b7dcc147fa7ebff38e37b51f6a43e48e486f148d7ee11671479b9fb0bbe1c6df151101af3b50c65fd334d13baa

Download Submit
C:\Windows\SysWOW64\28463\YXFG.exe

Filesize
473KB

MD5
3c90d45b1c004e86a7f7a7a340f1abc8

SHA1
10602c450bcbda2735dc036f2e399646f0c64f4c

SHA256
f6d9c3bba7fc4dfa681cadf68f41093e3c431501c6789e891e599719e5d2781c

SHA512
85457be4c2aa76ede288cd185131d46e5f0b37187313f3a54fe789e28929ec6e44282f4ba0981f46354705cd5da83990586c8846f52fcdb807908254c8719cc1

Download Submit
memory/3636-25-0x0000000010000000-0x0000000010154000-memory.dmp

Filesize
1.3MB

Download