ardamax | e69396e8e090ea654d654b21a9ba22800fa7b29fbca112ca36aa47b246c1bc8e

Analysis

max time kernel
144s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2025 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe
Size

2.2MB
MD5

1d7a179a49efeca5707488626a4aec48
SHA1

a6404741e3ecd6d10f3c314151fa0d543082bdc4
SHA256

e69396e8e090ea654d654b21a9ba22800fa7b29fbca112ca36aa47b246c1bc8e
SHA512

cb929cb22450da30e9467bd22af4856f3d618cd3a5d3012e9a393575ad927d57d2706ecd5805656dfa38faea5596c1c1184db2fb3081602bfd677ad9c491aee2
SSDEEP

49152:QbsM6O4prIpki22O1hKo7CQorT7tUjTVzeOURUXRBtd1MIke:QwHNSo/4HQe16XRMe

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cc1-183.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	1.exe

Executes dropped EXE 4 IoCs

pid	Process
3748	1.exe
4868	2.exe
2944	Exporer32.exe
3708	GEM.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	Exporer32.exe
3708	GEM.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GEM Agent = "C:\\Program Files (x86)\\GEM\\GEM.exe"	GEM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GEM\tray.gif	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.chm	Exporer32.exe
File created	C:\Program Files (x86)\GEM\Uninstall.exe	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.001	GEM.exe
File created	C:\Program Files (x86)\GEM\GEM.003	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.004	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.007	Exporer32.exe
File created	C:\Program Files (x86)\GEM\qs.html	Exporer32.exe
File opened for modification	C:\Program Files (x86)\GEM	GEM.exe
File created	C:\Program Files (x86)\GEM\GEM.exe	Exporer32.exe
File created	C:\Program Files (x86)\GEM\GEM.006	Exporer32.exe
File created	C:\Program Files (x86)\GEM\AKV.exe	Exporer32.exe
File created	C:\Program Files (x86)\GEM\menu.gif	Exporer32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exporer32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GEM.exe

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023caa-30.dat	nsis_installer_1
behavioral2/files/0x0007000000023caa-30.dat	nsis_installer_2
behavioral2/files/0x0007000000023ccf-230.dat	nsis_installer_1
behavioral2/files/0x0007000000023ccf-230.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 29 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\0\win64	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\FLAGS\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\FLAGS\ = "0"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\Version	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\Version\ = "1.0"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\Elevation\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\InprocServer32\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\TypeLib\ = "{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\0\win32	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\InprocServer32\ = "%SystemRoot%\\SysWow64\\AccessibilityCpl.dll"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\0	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\FLAGS	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\TypeLib	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\TypeLib\	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\Elevation	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\ = "Ovoqed Digoxi Socifamwo"	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\wscapi.dll"	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\InprocServer32	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\0\win32\	GEM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\ = "wscAPI 1.0 Type Library"	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\0\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\0\win64\	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{443B45E5-5EFB-4112-571D-4E4E3F59D2D8}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\wscapi.dll"	GEM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{ADF61AF4-904E-44DF-B6AB-4CA22B2CC16C}\Version\	GEM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe
3748	1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	3708	GEM.exe
Token: SeIncBasePriorityPrivilege	3708	GEM.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3708	GEM.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3140	msedge.exe
3708	GEM.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
3748	1.exe
3708	GEM.exe
3708	GEM.exe
3708	GEM.exe
3708	GEM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 3748	1612	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	84
PID 1612 wrote to memory of 3748	1612	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	84
PID 1612 wrote to memory of 3748	1612	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	84
PID 1612 wrote to memory of 4868	1612	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	85
PID 1612 wrote to memory of 4868	1612	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	85
PID 1612 wrote to memory of 4868	1612	JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe	85
PID 3748 wrote to memory of 2944	3748	1.exe	87
PID 3748 wrote to memory of 2944	3748	1.exe	87
PID 3748 wrote to memory of 2944	3748	1.exe	87
PID 2944 wrote to memory of 3708	2944	Exporer32.exe	104
PID 2944 wrote to memory of 3708	2944	Exporer32.exe	104
PID 2944 wrote to memory of 3708	2944	Exporer32.exe	104
PID 2944 wrote to memory of 3140	2944	Exporer32.exe	105
PID 2944 wrote to memory of 3140	2944	Exporer32.exe	105
PID 3140 wrote to memory of 2196	3140	msedge.exe	106
PID 3140 wrote to memory of 2196	3140	msedge.exe	106
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 2776	3140	msedge.exe	107
PID 3140 wrote to memory of 4880	3140	msedge.exe	108
PID 3140 wrote to memory of 4880	3140	msedge.exe	108
PID 3140 wrote to memory of 2364	3140	msedge.exe	109
PID 3140 wrote to memory of 2364	3140	msedge.exe	109
PID 3140 wrote to memory of 2364	3140	msedge.exe	109
PID 3140 wrote to memory of 2364	3140	msedge.exe	109
PID 3140 wrote to memory of 2364	3140	msedge.exe	109
PID 3140 wrote to memory of 2364	3140	msedge.exe	109

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d7a179a49efeca5707488626a4aec48.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\1.exe
  "C:\Users\Admin\AppData\Local\Temp\1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\Exporer32.exe
    "C:\Users\Admin\AppData\Local\Temp\Exporer32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Program Files (x86)\GEM\GEM.exe
      "C:\Program Files (x86)\GEM\GEM.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      PID:3708
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\GEM\qs.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe389346f8,0x7ffe38934708,0x7ffe38934718
        5⤵
        
        PID:2196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        5⤵
        
        PID:2776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        
        PID:4880
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
        5⤵
        
        PID:2364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
        5⤵
        
        PID:4984
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
        5⤵
        
        PID:4144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
        5⤵
        
        PID:2692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
        5⤵
        
        PID:212
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
        5⤵
        
        PID:2056
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
        5⤵
        
        PID:3808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
        5⤵
        
        PID:1048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,16657075255461738015,2516661915619944063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
        5⤵
        
        PID:2516
- C:\Users\Admin\AppData\Local\Temp\2.exe
  "C:\Users\Admin\AppData\Local\Temp\2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\GEM\AKV.exe

Filesize
457KB

MD5
42e2202ac32edb39ccf9979515018d85

SHA1
c1e07fbe2fa759e2775d4dcf7de23a66d2422a1a

SHA256
367b4028baf3df4a5f77169bd64c9ef8fd7968a4d6c852ae3f81a726f4b37222

SHA512
a97d9e968b1f63dedba74999aabe6fd150aae985c1143d29b183cc0d663a45252c57494c3457136c5e500050c6af6c819f9ba7070b7d62300ede2e9a7c792768

Download Submit
C:\Program Files (x86)\GEM\GEM.003

Filesize
4KB

MD5
cb07753c45624238b4403480372be5db

SHA1
10af5bfbed599165d996470278f011728e866df7

SHA256
63c3ed8cbe11314a2f2cd6ff50305bad98075be9e09d22e45b47af557a3388e7

SHA512
2c72cca45ef924104c6892dd96f2e27a5d43bacc9f3eb0eeee24c871cc1bd1642d77734822d9d934f93a77c884fa1c682cf1ceddffe157a613978d9edd184312

Download Submit
C:\Program Files (x86)\GEM\GEM.004

Filesize
14KB

MD5
55b44502952b9ffeec6bef6a132b1791

SHA1
2b7252e7dfb55b8247da52ca7fba0b5f3c1df08f

SHA256
8776541720652554c626410fb17ffdd24ddd762632c6c5d2fc77ac5adf9432dc

SHA512
7b14c380a7b1f2fe0af15127d514754fd357c4830a00f01955d09d803523a82d659eb55b8a473ec86c8a8d109ca1f6a2ae86599e05f84c924bbed4b48a884a07

Download Submit
C:\Program Files (x86)\GEM\GEM.006

Filesize
8KB

MD5
3da3041787b72a7909d9f6184ce6bc5e

SHA1
fc7f00b8a1341b5341e2ba6f94ba85364bc90843

SHA256
18e06896cc71e99b717cff8d68cba86fea3eba5087b93734f6418e53cadab5b3

SHA512
150fa3f8eeec3621ac61eab0da3f2692dd776887ec0c1791404df3dd8784982563496e1e990217a99c4fd53c5d5d68e0574737879b72d78ab737033f1b08560a

Download Submit
C:\Program Files (x86)\GEM\GEM.007

Filesize
5KB

MD5
50d0bcf6b5a6b11d9e274ccefba3f02e

SHA1
57acf2a1236b7534f2db661a9d95aeadcd41aa2a

SHA256
a5e5cf8b3133031f25db37fd13b029cdfc9d1588ca7f68041e52349f46cbbf5c

SHA512
c0288f92c75f4a6ea45434e3960a3c5d8ed3d890121a3fd6da2449e1313db523224e301451d85a15ea8ee9b5c2fb3bf294ee90869a4d5608bcf48fa94458e938

Download Submit
C:\Program Files (x86)\GEM\GEM.chm

Filesize
33KB

MD5
8e4c5c3fee759991597ebc2d855ad4e4

SHA1
b3da123c6300a330b8c869b1ba807115e42c6eab

SHA256
e97a9f0dd54d6013280cbb032e63b9cfcc976886a46eeeac07a45af2fc545547

SHA512
30a126b57b538f3429a66785521ce30e8dfe4e617d84381e9f5a0feae5956576aaf00253ea41170e12813f2637edd11c5ce643c08dd4920bf30d8bf94b95208e

Download Submit
C:\Program Files (x86)\GEM\GEM.exe

Filesize
647KB

MD5
a7b322839cedf8d56cb0a7dcdb50ab59

SHA1
d27855e65f5d9e87666f39d2af694a0d75330a75

SHA256
ba7362315c0608c9203c9d607fd85695fbc15f034ea40b3de7dd1abebd5859a3

SHA512
86a416ae639ca458e56093d5c04f3406ac0389cf9a1047f714424ba89ffd047ca58e6927bc941d285d4db9e8a95e91e0d578be3038a83945b6af90586ea9f649

Download Submit
C:\Program Files (x86)\GEM\Uninstall.exe

Filesize
43KB

MD5
5cb444f74631a7ab5ae8d698f6f7a0f4

SHA1
b51431d713b868b78a38ab8f2683be5f79534caf

SHA256
421a568733507f7541bff05c9a269e712cdc8f231e0e80f74fc12581169199cd

SHA512
72db1436e9c681775af9bc18861f7eb9f33f1b6e406c4c6e17841959b8fe8ea1a13eff4a0bcedd0adee461b9ebf6b4d32cddd36e58c8d0c0b5a88538a6f98e5d

Download Submit
C:\Program Files (x86)\GEM\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\GEM\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\GEM\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
979B

MD5
00fad9d062f5c45ce2070f549d235ab1

SHA1
4ac7a12b0e5a96e2dd1994df6dea1fe7fba953e6

SHA256
cac12c76592d97c2ca48617bce3f088b0e5c620543485f0b990e59a8b5992aea

SHA512
c424fc3ea715be11923a917eb9baec53a21825f0714e3f7cf2ef64673b41c74a1b242716582b876b306f0aedb281d24397c7b80b499163a43a954f207f435406

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
1KB

MD5
051a8dd05ff9c697e88b54a1595f1f4d

SHA1
9c553f1fead0569d37595dc8bb5fcba31c87fcf0

SHA256
cc54f7ff99203358aaa9363b838b00b1f32f9fb347b42b9760860b5d6d1fa48a

SHA512
d91e219107e6827df738a2d56bc572244b02575713392c0d01f65ee38afe87475f37e85aba3cd749e2e95286757dad775153b091c201e0fa5a9992f36ea9a986

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b322fd182698b42cb1b273bdb2f5ddf6

SHA1
73a92bb3fcdf0d094ce585b73fa9744e1309c738

SHA256
70c83b35364bf96417eda9aded27986dab451f7606e5b024dc4fbe6b16556de4

SHA512
2302554f5f6396ffe089361da2ae5c885d7aa37e27924242beeae6b3e07c03f182f173981af5e237480b41f4c5a0908067d6bab05fa82717740e75d2fd3dd8b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec74b6a7198d95f77cc2a97b9c63a210

SHA1
ed757ea8a471f4d8e79f9dff0d57d19141e64eb8

SHA256
90b34ecb01d66569529083c576638d1626603d56b122fb6cbe74ff1fc0e3b587

SHA512
ca864ca24407fbed8ec404741a41df84fd70729354e8b74fee98c9f705f2f295ef68c4f48dfa2808473bfbca49ebd1a11dcad496ef0094c99cc0489832e5f577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5bc3647e1fe36ff74446ce5793e64fbb

SHA1
fd3b285138b720281745486ab8cf3ffaba9a03e0

SHA256
30f876da485a85dadbc30becb1c4b10b883f58b4636007f9a432dab23cc238db

SHA512
6ac7c379a19ffac67c8756d1e04653807f7085a19fec46449c355aab8a299eec76e8ece3297c6ecc20f4edf4ae9665e88f3b5e2bc24956c2868daa09edd27459

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
944KB

MD5
a1f76dc6f71cc0ecceb12a6d4b853d2b

SHA1
3db1d4fcf4fad50793ccc1f383fa71dc5a7f577f

SHA256
430a0602d061bc2b36622d86ff83e1734eaba7a283c103a6ed22aba098990c4f

SHA512
04df7d1b798680e68a3dc71614ab8f837a878712039118a3b623e8c803bca0e567f5a3f85eee311bf115564ef2585774afc640a775bd43eea4fdb0c0ab3afc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.exe

Filesize
1.3MB

MD5
2e38f5b68304888fe0d9bf4f4b04c75d

SHA1
f97978ee88ef01f2e3cd03ca423db67510cd0ea8

SHA256
70daca199943171c9b38ae35e068c0aa4932b967c57c16c728b89e29d6f98193

SHA512
e6de8376f3abb6e70cdb34b7839336822c33a42f92aeb179072111a92a50b74ebcf8cdcf4a1e76b9f6c04ddb5373bf4d968a23e2dca0633318ec4e8dfa3bb6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exporer32.exe

Filesize
860KB

MD5
5b9ffc447acf98aeb35c05dfae2c6660

SHA1
9ae17e8342df59686b52c98fcd8a9c88c1f9f445

SHA256
e17e5a49dba16ba1eb5f9ea177742bbc3042f06bd648e54ca387c7b08cf426e8

SHA512
70ce57b99184602d770298600d6dfaf1e705a0227d780fc9d1e09ae0fa1c022a352c9d21ccd40e66d04b4376305c03db87518db54748a139e8f312f771d271e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA059.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA059.tmp\ioSpecial.ini

Filesize
793B

MD5
c0492dc5888c3be984627b5756872916

SHA1
0b4f17391845187d5645bb9ec1bec2bac7989b6e

SHA256
d90d5b4dabc50ee0996944f31eba063f06ecd70956beb2b5e7fbd298cc629bca

SHA512
e480fb2b3fbdf2f4bfabb8be638fc76c758ec6235322becc3b9deda68df0c06b49ac09e1deb4fac2af3e3cf7be368fca9882487d09bf44ce4ff07aedcef3de94

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsvA059.tmp\ioSpecial.ini

Filesize
719B

MD5
63a95fa8111d40dda3677abd8888448a

SHA1
72afd8cc2f400080e553fbb19e44ff801502d969

SHA256
ca92806c66a87f205a57e30318017602583c6e4b6a00089849976d496be234f7

SHA512
40cf29a05358275e34446a23754dbe5dd6cb269254cf9947e268b8d5cd2773265de78688889e9d0b2aaff25349c98bda410fc4de1feef2892c7679ee163570fb

Download Submit
memory/1612-23-0x00007FFE39260000-0x00007FFE39C01000-memory.dmp

Filesize
9.6MB

Download
memory/1612-0-0x00007FFE39515000-0x00007FFE39516000-memory.dmp

Filesize
4KB

Download
memory/1612-4-0x00007FFE39260000-0x00007FFE39C01000-memory.dmp

Filesize
9.6MB

Download
memory/1612-3-0x00007FFE39260000-0x00007FFE39C01000-memory.dmp

Filesize
9.6MB

Download
memory/3708-255-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3708-184-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download