ardamax | e69396e8e090ea654d654b21a9ba22800fa7b29fbca112ca36aa47b246c1bc8e

Analysis

max time kernel
146s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-01-2025 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe
Size

2.2MB
MD5

1d7a179a49efeca5707488626a4aec48
SHA1

a6404741e3ecd6d10f3c314151fa0d543082bdc4
SHA256

e69396e8e090ea654d654b21a9ba22800fa7b29fbca112ca36aa47b246c1bc8e
SHA512

cb929cb22450da30e9467bd22af4856f3d618cd3a5d3012e9a393575ad927d57d2706ecd5805656dfa38faea5596c1c1184db2fb3081602bfd677ad9c491aee2
SSDEEP

49152:QbsM6O4prIpki22O1hKo7CQorT7tUjTVzeOURUXRBtd1MIke:QwHNSo/4HQe16XRMe

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0008000000016d47-40.dat	family_ardamax

Executes dropped EXE 4 IoCs

pid	Process
2420	1.exe
2108	2.exe
1968	Exporer32.exe
1616	GEM.exe

Loads dropped DLL 14 IoCs

pid	Process
2420	1.exe
1968	Exporer32.exe
1968	Exporer32.exe
1968	Exporer32.exe
1968	Exporer32.exe
1968	Exporer32.exe
1968	Exporer32.exe
1968	Exporer32.exe
1616	GEM.exe
1616	GEM.exe
1616	GEM.exe
1616	GEM.exe
892	IEXPLORE.EXE
1616	GEM.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\GEM Agent = "C:\\Program Files (x86)\\GEM\\GEM.exe"	GEM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GEM\GEM.003	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.004	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.007	Exporer32.exe
File created	C:\Program Files (x86)\GEM\qs.html	Exporer32.exe
File created	C:\Program Files (x86)\GEM\tray.gif	Exporer32.exe
File opened for modification	C:\Program Files (x86)\GEM	GEM.exe
File created	C:\Program Files (x86)\GEM\GEM.exe	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.006	Exporer32.exe
File created	C:\Program Files (x86)\GEM\AKV.exe	Exporer32.exe
File created	C:\Program Files (x86)\GEM\menu.gif	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.chm	Exporer32.exe
File created	C:\Program Files (x86)\GEM\Uninstall.exe	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.001	GEM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GEM.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000016c4e-20.dat	nsis_installer_1
behavioral1/files/0x0008000000016c4e-20.dat	nsis_installer_2
behavioral1/files/0x000500000001924c-58.dat	nsis_installer_1
behavioral1/files/0x000500000001924c-58.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "443850792"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7cabe3dec11464187b28ffe74c67cba000000000200000000001066000000010000200000007dfd6c1c0cc3e2fb24e1ae81c958431deb3412d4f2b159e426007aa8149905b4000000000e8000000002000020000000bd6018177e29385949ce87df3a96797b946fa29ba07ea116e3fc319730288ce920000000468d0e780854cb6774d6233e2df422cd79764410af87218697c682abe221184240000000f30a824d9951ddf916895e4c5c8a4592d1f9924fbe6fd765db564d6844d67447cb0c0ab8cc2a3b63a738592d8f86356743d9067c240aab8afe9121db4b7e2cfa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 502305370f6edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{624186D1-DA02-11EF-81B8-46BBF83CD43C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7cabe3dec11464187b28ffe74c67cba000000000200000000001066000000010000200000003d4c71275b1d2bc64119279f2ed4ae06581b1955cf85e652e0a55e39d5a711d9000000000e800000000200002000000053ec5d0b42c832d8c4aa9c4ab1b70f639e537765773ceb2f79ad924259b8ecbb9000000009b267d1b847f621c6dafffc5da1c5e5d5da87e61bb4f1a908419bbee9263b35ba6de3ee12662f9d8fccde92b920fc8599b495937561b2a341d032e2a49ba6f9826d33c2bc7746cec0a4731cf27da2fe14d24bff204175226a7b9e3813a84158ad6f5611e3d5b471c19cb80400bb15262a17adbeac67778da7b9e3134f1ae1865ece75ba75c410d9b60cbf68331d67174000000044c40101c36ac660e0ce876c1392165eb324c29688041d499acd5a990884a686621ea357bba0fd1325da0caf343b9265cc98a752dd1fd9198d379d4f151658a6	iexplore.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\ProgID\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\ProgID\ = "SAPI.SpAudioFormat.1"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\0\win32\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\HELPDIR\	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\0	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\InprocServer32	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\ProgID	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\Version	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\FLAGS	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\FLAGS\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\Version\ = "5.4"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\VersionIndependentProgID	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\VersionIndependentProgID\	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\128"	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\FLAGS\ = "0"	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\TypeLib	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\TypeLib\ = "{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}"	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\HELPDIR	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\Version\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\ = "Nahadefa.Ijira.Itawveb object"	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\0\win32	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\TypeLib\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\InprocServer32\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\ = "Groove Web Services Account Service"	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B82ACE4-C2DC-288E-3D29-32B66CF5FC15}\1.0\0\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{49FB0FC0-11B3-4A05-ACA7-BDD2563FB7F6}\VersionIndependentProgID\ = "SAPI.SpAudioFormat"	GEM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe
2420	1.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	1616	GEM.exe
Token: SeIncBasePriorityPrivilege	1616	GEM.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2996	iexplore.exe
1616	GEM.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1616	GEM.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2420	1.exe
2996	iexplore.exe
2996	iexplore.exe
892	IEXPLORE.EXE
892	IEXPLORE.EXE
1616	GEM.exe
1616	GEM.exe
1616	GEM.exe
1616	GEM.exe
892	IEXPLORE.EXE
892	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3020 wrote to memory of 2420	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	31
PID 3020 wrote to memory of 2420	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	31
PID 3020 wrote to memory of 2420	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	31
PID 3020 wrote to memory of 2420	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	31
PID 3020 wrote to memory of 2108	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	32
PID 3020 wrote to memory of 2108	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	32
PID 3020 wrote to memory of 2108	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	32
PID 3020 wrote to memory of 2108	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	32
PID 3020 wrote to memory of 2108	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	32
PID 3020 wrote to memory of 2108	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	32
PID 3020 wrote to memory of 2108	3020	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	32
PID 2420 wrote to memory of 1968	2420	1.exe	33
PID 2420 wrote to memory of 1968	2420	1.exe	33
PID 2420 wrote to memory of 1968	2420	1.exe	33
PID 2420 wrote to memory of 1968	2420	1.exe	33
PID 2420 wrote to memory of 1968	2420	1.exe	33
PID 2420 wrote to memory of 1968	2420	1.exe	33
PID 2420 wrote to memory of 1968	2420	1.exe	33
PID 1968 wrote to memory of 1616	1968	Exporer32.exe	35
PID 1968 wrote to memory of 1616	1968	Exporer32.exe	35
PID 1968 wrote to memory of 1616	1968	Exporer32.exe	35
PID 1968 wrote to memory of 1616	1968	Exporer32.exe	35
PID 1968 wrote to memory of 1616	1968	Exporer32.exe	35
PID 1968 wrote to memory of 1616	1968	Exporer32.exe	35
PID 1968 wrote to memory of 1616	1968	Exporer32.exe	35
PID 1968 wrote to memory of 2996	1968	Exporer32.exe	36
PID 1968 wrote to memory of 2996	1968	Exporer32.exe	36
PID 1968 wrote to memory of 2996	1968	Exporer32.exe	36
PID 1968 wrote to memory of 2996	1968	Exporer32.exe	36
PID 2996 wrote to memory of 892	2996	iexplore.exe	37
PID 2996 wrote to memory of 892	2996	iexplore.exe	37
PID 2996 wrote to memory of 892	2996	iexplore.exe	37
PID 2996 wrote to memory of 892	2996	iexplore.exe	37
PID 2996 wrote to memory of 892	2996	iexplore.exe	37
PID 2996 wrote to memory of 892	2996	iexplore.exe	37
PID 2996 wrote to memory of 892	2996	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Program Files (x86)\GEM\GEM.exe
      "C:\Program Files (x86)\GEM\GEM.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:1616
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files (x86)\GEM\qs.html
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:892
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GEM\GEM.003

Filesize
4KB

MD5
cb07753c45624238b4403480372be5db

SHA1
10af5bfbed599165d996470278f011728e866df7

SHA256
63c3ed8cbe11314a2f2cd6ff50305bad98075be9e09d22e45b47af557a3388e7

SHA512
2c72cca45ef924104c6892dd96f2e27a5d43bacc9f3eb0eeee24c871cc1bd1642d77734822d9d934f93a77c884fa1c682cf1ceddffe157a613978d9edd184312

Download Submit
C:\Program Files (x86)\GEM\GEM.004

Filesize
14KB

MD5
55b44502952b9ffeec6bef6a132b1791

SHA1
2b7252e7dfb55b8247da52ca7fba0b5f3c1df08f

SHA256
8776541720652554c626410fb17ffdd24ddd762632c6c5d2fc77ac5adf9432dc

SHA512
7b14c380a7b1f2fe0af15127d514754fd357c4830a00f01955d09d803523a82d659eb55b8a473ec86c8a8d109ca1f6a2ae86599e05f84c924bbed4b48a884a07

Download Submit
C:\Program Files (x86)\GEM\GEM.006

Filesize
8KB

MD5
3da3041787b72a7909d9f6184ce6bc5e

SHA1
fc7f00b8a1341b5341e2ba6f94ba85364bc90843

SHA256
18e06896cc71e99b717cff8d68cba86fea3eba5087b93734f6418e53cadab5b3

SHA512
150fa3f8eeec3621ac61eab0da3f2692dd776887ec0c1791404df3dd8784982563496e1e990217a99c4fd53c5d5d68e0574737879b72d78ab737033f1b08560a

Download Submit
C:\Program Files (x86)\GEM\GEM.007

Filesize
5KB

MD5
50d0bcf6b5a6b11d9e274ccefba3f02e

SHA1
57acf2a1236b7534f2db661a9d95aeadcd41aa2a

SHA256
a5e5cf8b3133031f25db37fd13b029cdfc9d1588ca7f68041e52349f46cbbf5c

SHA512
c0288f92c75f4a6ea45434e3960a3c5d8ed3d890121a3fd6da2449e1313db523224e301451d85a15ea8ee9b5c2fb3bf294ee90869a4d5608bcf48fa94458e938

Download Submit
C:\Program Files (x86)\GEM\GEM.chm

Filesize
33KB

MD5
8e4c5c3fee759991597ebc2d855ad4e4

SHA1
b3da123c6300a330b8c869b1ba807115e42c6eab

SHA256
e97a9f0dd54d6013280cbb032e63b9cfcc976886a46eeeac07a45af2fc545547

SHA512
30a126b57b538f3429a66785521ce30e8dfe4e617d84381e9f5a0feae5956576aaf00253ea41170e12813f2637edd11c5ce643c08dd4920bf30d8bf94b95208e

Download Submit
C:\Program Files (x86)\GEM\Uninstall.exe

Filesize
43KB

MD5
5cb444f74631a7ab5ae8d698f6f7a0f4

SHA1
b51431d713b868b78a38ab8f2683be5f79534caf

SHA256
421a568733507f7541bff05c9a269e712cdc8f231e0e80f74fc12581169199cd

SHA512
72db1436e9c681775af9bc18861f7eb9f33f1b6e406c4c6e17841959b8fe8ea1a13eff4a0bcedd0adee461b9ebf6b4d32cddd36e58c8d0c0b5a88538a6f98e5d

Download Submit
C:\Program Files (x86)\GEM\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\GEM\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\GEM\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
910B

MD5
e89cb69a7878a20faa6a60bcd0fcff77

SHA1
719d3b6ddb2051f220b905b9edec5989c757dc50

SHA256
2564e600a0287ed5a876898a7297eb77fff694cc0e7d36f85bbe9103491d3822

SHA512
a56d546b663f0125448f240915de6e43e6c8f02809be8e379841b3066d6faa711f9849960fe46a3c0597b66368f27fcb2854f421af73801ebc53f9206d2426bf

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
968B

MD5
15f41d37fff70998a75191f82e29d826

SHA1
0e64c6be0ad65e56def81bd273b6f9c4b660850c

SHA256
8ed796ff4d277e89301c09222fea2a633fe7f1b66e151e818a1ebe67a8e6e61b

SHA512
1c8e22fd2d8281c77adff0b917d65fb496a7e5e68e1586a2414bd2abf4b5533607bbb05e58e7951d77580b387ecad64e148ff526d821ac3c9a2347dc5d052745

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e890bbbdeae17e02c9bca594ac7687b4

SHA1
fea229340f386635c3b911b7198c1a995e2ddc11

SHA256
41de9d20781970b72ecccf87ef2cada33b37461dc197fb1062a0442e236bfae3

SHA512
26a9c4c4de39dffa1f49a4500ab8f565316665fd9a598efa56159c3e1a6c84436a38bb3d2280caca8ef1a0069a41468e99d940f8a02477029b41f695b7c06b71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
557cd4123e366fc3082071dd1e8cc5c9

SHA1
6ea173c3ad107238fdcecbf447a04fad2b941102

SHA256
f52fda16730f88e5b41c8f0d76359c233baa019ec06e723e8e391073ac3ad3cb

SHA512
f9c86be904f6441cabbc0df82babe50001339fe27683b3592a6b814afa43bde34cc7f0938d3d12f0a7bb93a43ce57b55e711cdd4a35a0284737c604a73fda4da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf7623b1fafa98bf3b8a2c2831713ba1

SHA1
43a87fb5f4ae88c1e616f3c7b2ed117343931ec9

SHA256
f8e81a3bc72c4919c8f20b6b2b87ce8fb028d99ec3af645ec815e38f2eac4ca3

SHA512
4c785122ea6abb547270a455d0d51a2d66b120103c7d7de3414810ae3340f712b86b1231864489a5a05b07fce0a88accb92735825069c81b00e2e016a0273917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3d3f66fbf6d092279e98f2b4a193848

SHA1
37b95eb82ecde8db8349621c8fc867e5a3749b77

SHA256
f3b32f9e2646beaae21be5d9c261add4cb2d22ac82f0bd15134d4e8559b010bc

SHA512
2fbadb22c51659000c5f9861b673e586868c54457b9faf91a75858029af251b49b340bd53af02f11bfa5fb37a941134ae20d31fbac5d4fa3e3c23c47408b94b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4de763f6bcf839044fb18ae8f2550b64

SHA1
fe4616d08bd04683bce90e85d2e17875076761a1

SHA256
2d8dc81b880003c133d97b16c89a4c0b3ae2d363e0d3ddda607629daa9040092

SHA512
3654ef426c0f5278fb446f30c2423e2bfa8d44ba0f6a93f96f86c998d0eda05f627fdedcea52c8b62f29408867371c0e357dd7351c8a2b5fbc376b6e7c2b598a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66dc53669b6d23ccd7455dc75b94847d

SHA1
142e8092abdf9d7b1087771b0377ade28f2e41c2

SHA256
3b6373fc76181ba1112dfe1675c5f5874459255770f8624f47797e96080f38c6

SHA512
9d53c28ba7037fb71ffca0e692c2904bd01e58051b68b8eeb3cc96e849e82f1d78cb5c08e5ade5c4019a2f59cf9177d89c70841c3c324d61a9a59a8573991137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d793f65bff2e9a440b42ddcfa4dcd0f7

SHA1
2bc57b3afc16a98ef63219433a35b3365b917b3f

SHA256
9eb45f9d14ff2c52e37bbda0103f1d4e9b6686d80c2a0ceb08a5c110dda6e36d

SHA512
66800fa8509d2a4e122fe6adcf456ddc209b974755aa488c5c9c7b24d242b185346d697dc6da93816985c39fb6c8857f14a639d80f69ff480a61a812d8ced235

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3ed5ab60f4bfd40bd1d682f602be814

SHA1
c764e83ca19442082540341b33e8f0815f8cbc67

SHA256
48a2139764a17ad547b0b2e66644bafc88f2e0da203dfa71ca6d0d51303b7928

SHA512
8b6a1b93909d2c1271d962ad5e0193a2d96f00046d2e845a7c2be5107d3736aa67e696834e7ba7180e6241571403eabe8aa35b018355dcee1b8fcf4ef3d3fc80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8f6d6c901a420af9f1a61ce068ef0f6

SHA1
61baf6146d57cd2847d9e9c6a2f82fd934f50df3

SHA256
b776cff136ab74d9fb8039a92abf818bb1864b26a3f034087c2f778146a4fbcf

SHA512
08b8c948d3845f9360e6877d89cb06364cf56c41bafebe31d155f847c5c0d9961296f04294e8c17164ebe3b75a17883ad78d143ee155c6f5cf3dc5487b74ce42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2cce86fa43b4226abf0ff35a9faf0f98

SHA1
ef429266208e4c6fb29fb1ef3d1c220b4b6b741f

SHA256
118abadf24539935fdb1e8969de2e22589c80170f5ce0d875c46cf5bcf9a2a7d

SHA512
9d2769cefa73a155d4bd2d618ded165eace10ecc9e3e247592298f1b5dda06fd597372179443ec6155607aac62b6f281ff781fb933d3806de0859ac32e86ce12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
421706af7fd2321c142b2a8bf301d051

SHA1
17c1833d604d2efd42df2d995465289f6e5f3017

SHA256
985b2ef4de02488e2769c98eef1d9934b6f697954ef71dea5f71891c22550c5b

SHA512
bd065e610769f08b5a434bd206a6f3e1ed60511940f8bc95ebc81dcfc88961bcb989086b4169328783cd8803751ec9d110b12de1608f44df9b98a96f0daaaf7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e804fc770413191eb2cb44fffd1105a

SHA1
faad431926d26a5a59cbe6228cc11436398550b6

SHA256
d55823e6f8383e2b2c7e20cb704cd3e3eb2ecaa58bb2a627d11fd5ac3a282051

SHA512
bc15afc85aebcf6d8cd53caadb7fd5f269b739a87cb4be64645e8cb9f048dad58a47ce4624a7071547ff777f73e254b5e4823833b39b737e099630b8af6413e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cc05c2315fa90f08196d7556e8cbc90

SHA1
10247168b423221fbbafd0f94aabef157920c4c7

SHA256
e6230c09ab1a5a8019a03ad0f0fe634cb100bf56b01e727f53adb4b7edeb09b8

SHA512
7756fb575d9b6cceebc7f24113260c6b6368d1fb1682c2a43ea4dcdafb42250dcfea3ab155919c2860e78a1fd85d88255cdd23448298e8de8b2d84bfdab26a61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
286a576900095e32ced2791111e87c50

SHA1
65d5c3b322e49047271ca4908e3a87704a9ceb95

SHA256
622e5be0fe2f244c9b0d874a0882d9e0340422492d2ebeb65637a395a73613d1

SHA512
284fe87da90e6596885ea54cce632c9fd03462a16f726c48a93548db6f3bf8ba71edfbeb96906b95726fc0cac17d0208e9347cb68711609cf9b9c679af55adee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e58eaa9e2082a20568099c69cb797b2

SHA1
3ca707a8a44dacb826a224ca297ccacd56c39720

SHA256
ab7b6a6f6d53f90f93318791626cfd43608ff50bde06fefeed49c53bee48fe00

SHA512
080e2567d04bcb445b879abd182c2ccee703a46a2de1c3781ccc80ce82ef1a43ddaf273fe37e2a4c23e4b20764d2df300b9c272eeb6d8410e339d0d76544e80d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d80accfc93af19eba16286b9992f14c

SHA1
a089130c85a24ef7165902a0c9bf701ac31c56ac

SHA256
bb3b195b8fd506e58db662edebb446e3e40e781ea6be803dcd3f21d3edb7deba

SHA512
150d7e7dabac5626d656e48100db297d88dab7b7f9bcff20e727b80a4545f9f65f3a5da909a1bd74872d630054fc336127ade362b7d4f9d3301ea6d99b40af6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a8fac53572d984e6b518296a84b52c3

SHA1
35a9c5ac93a271b9dee8c85ddee0fa71e2aa7012

SHA256
165c2da700d4955cf2f465a23c6f99c941319e761efb4ad5cbdd45f8a2e33c82

SHA512
3b40239e37491c3f495e10b6af6ea4d617b880624e4098455aa2771ee0dd1fe736aace144983c2c73f3dfb7f276abf95fb622b3527f631573ebb1d3726bc50c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e511eab09fae072098372129cd4326f9

SHA1
a5d65c4fd9fb0a4e934e046f584173a53d93d6f8

SHA256
8a9a3cb6a052e4abcfa431463f4928e7a22ba076ad039333ccb5c5325c9fd48a

SHA512
1d27674534d0f2892c015a712b774808528cd2ec85d383066f5ccf358a44d87f65a8370cec5d9c6dad8d7387f7e46b689464bb7b31751fd163b0f287d3b87aba

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
944KB

MD5
a1f76dc6f71cc0ecceb12a6d4b853d2b

SHA1
3db1d4fcf4fad50793ccc1f383fa71dc5a7f577f

SHA256
430a0602d061bc2b36622d86ff83e1734eaba7a283c103a6ed22aba098990c4f

SHA512
04df7d1b798680e68a3dc71614ab8f837a878712039118a3b623e8c803bca0e567f5a3f85eee311bf115564ef2585774afc640a775bd43eea4fdb0c0ab3afc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.3MB

MD5
2e38f5b68304888fe0d9bf4f4b04c75d

SHA1
f97978ee88ef01f2e3cd03ca423db67510cd0ea8

SHA256
70daca199943171c9b38ae35e068c0aa4932b967c57c16c728b89e29d6f98193

SHA512
e6de8376f3abb6e70cdb34b7839336822c33a42f92aeb179072111a92a50b74ebcf8cdcf4a1e76b9f6c04ddb5373bf4d968a23e2dca0633318ec4e8dfa3bb6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab29C2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A22.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAE6A.tmp\ioSpecial.ini

Filesize
719B

MD5
aa461522800d811fa8017f7d5128ae1d

SHA1
fba508284f2ff11296cd7e3fafc41321ad3def0c

SHA256
151651823b4217e0b49a42192449f4c3730085737ed754682f645f8fc8b179d0

SHA512
c50ec95c1ed36bb1949f27a29dd4cb33ffbb5322a860198772e6fd5b564246d7de672d47fdab993286767d5ac4724ba2ad735ab5282e44c8bd689fad0ce5291c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyAE6A.tmp\ioSpecial.ini

Filesize
771B

MD5
988e32dd9982bbef34c5aa84901f0afd

SHA1
ca5558822af1679949312d5ee50d594a50eadd81

SHA256
b49e8c910aabc5edd55da9f0d5e6e92b273697dea4f4d03b2f7930b2ae2712d0

SHA512
41d1b9a665b9e5d25042b0cffc33006165b59d6d93c10a7711c8e307ba4326ca20ca8d71b7fc7d75e11dc74dca6f43a62902648f1c09f3eb5a39b9d02d1269d5

Download Submit
\Program Files (x86)\GEM\AKV.exe

Filesize
457KB

MD5
42e2202ac32edb39ccf9979515018d85

SHA1
c1e07fbe2fa759e2775d4dcf7de23a66d2422a1a

SHA256
367b4028baf3df4a5f77169bd64c9ef8fd7968a4d6c852ae3f81a726f4b37222

SHA512
a97d9e968b1f63dedba74999aabe6fd150aae985c1143d29b183cc0d663a45252c57494c3457136c5e500050c6af6c819f9ba7070b7d62300ede2e9a7c792768

Download Submit
\Program Files (x86)\GEM\GEM.exe

Filesize
647KB

MD5
a7b322839cedf8d56cb0a7dcdb50ab59

SHA1
d27855e65f5d9e87666f39d2af694a0d75330a75

SHA256
ba7362315c0608c9203c9d607fd85695fbc15f034ea40b3de7dd1abebd5859a3

SHA512
86a416ae639ca458e56093d5c04f3406ac0389cf9a1047f714424ba89ffd047ca58e6927bc941d285d4db9e8a95e91e0d578be3038a83945b6af90586ea9f649

Download Submit
\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
860KB

MD5
5b9ffc447acf98aeb35c05dfae2c6660

SHA1
9ae17e8342df59686b52c98fcd8a9c88c1f9f445

SHA256
e17e5a49dba16ba1eb5f9ea177742bbc3042f06bd648e54ca387c7b08cf426e8

SHA512
70ce57b99184602d770298600d6dfaf1e705a0227d780fc9d1e09ae0fa1c022a352c9d21ccd40e66d04b4376305c03db87518db54748a139e8f312f771d271e8

Download Submit
\Users\Admin\AppData\Local\Temp\nsyAE6A.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
memory/1616-231-0x00000000004E0000-0x00000000005BF000-memory.dmp

Filesize
892KB

Download
memory/1616-662-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/1616-232-0x00000000004E0000-0x00000000005BF000-memory.dmp

Filesize
892KB

Download
memory/1616-230-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1616-186-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1616-219-0x0000000004950000-0x0000000004960000-memory.dmp

Filesize
64KB

Download
memory/1616-191-0x00000000004E0000-0x00000000005BF000-memory.dmp

Filesize
892KB

Download
memory/1616-195-0x00000000004E0000-0x00000000005BF000-memory.dmp

Filesize
892KB

Download
memory/1968-41-0x00000000029D0000-0x00000000029E0000-memory.dmp

Filesize
64KB

Download
memory/1968-182-0x0000000004200000-0x00000000042DF000-memory.dmp

Filesize
892KB

Download
memory/3020-16-0x000007FEF6590000-0x000007FEF6F2D000-memory.dmp

Filesize
9.6MB

Download
memory/3020-2-0x000007FEF684E000-0x000007FEF684F000-memory.dmp

Filesize
4KB

Download