ardamax | 6e55caedc91f3465d0594681a1abe6fd3aaffabde64a26eaed1d0e228de59db6

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2025, 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_akl.exe
Size

863KB
MD5

eb9e76ce73187384507f076a7892bb79
SHA1

c4dee459ef95b75d3338ef5de17df0f4c031d869
SHA256

3bc1eacc1a9c65d1a876503cf796d93a0bf72acdd7c514db3c017b34b1bb6b43
SHA512

04e9dada33c5324ff942cc82729de1847b0f129f4e690f241db3a5b09ee1d2cc70980a11685052100e3617ad4050a035a433a25dd8f01de553a036c85ae4f403
SSDEEP

12288:JrWLayfJ9fd76616z+qUDbkVWNqoP0ndJbQ1GAC4RUNWCywPcOX5ur:ZofdN1FqF0NXPOJbIGZ4RUN5pur

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral4/files/0x000a000000023b72-147.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
4328	POL.exe

Loads dropped DLL 2 IoCs

pid	Process
1832	setup_akl.exe
4328	POL.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\POL Agent = "C:\\Program Files (x86)\\POL\\POL.exe"	POL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\POL\AKV.exe	setup_akl.exe
File created	C:\Program Files (x86)\POL\menu.gif	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.chm	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.001	POL.exe
File opened for modification	C:\Program Files (x86)\POL	POL.exe
File created	C:\Program Files (x86)\POL\POL.exe	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.003	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.007	setup_akl.exe
File created	C:\Program Files (x86)\POL\qs.html	setup_akl.exe
File created	C:\Program Files (x86)\POL\tray.gif	setup_akl.exe
File created	C:\Program Files (x86)\POL\Uninstall.exe	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.004	setup_akl.exe
File created	C:\Program Files (x86)\POL\POL.006	setup_akl.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_akl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POL.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral4/files/0x000a000000023b80-200.dat	nsis_installer_1
behavioral4/files/0x000a000000023b80-200.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\LocationApi.dll"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\Version\ = "3.0"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\InProcServer32\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\ProgID\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\Version\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\VersionIndependentProgID	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\ProgID	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\ProgID\ = "Msxml2.SAXXMLReader.3.0"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\InProcServer32	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\ = "LocationApi 1.0 Type Library"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\LocationApi.dll"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\0\win64	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\FLAGS\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\TypeLib\ = "{FDB406C2-11B2-DBBC-CA45-201335CECAA2}"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\TypeLib	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\0\win32	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\InProcServer32\ = "%SystemRoot%\\SysWow64\\msxml3.dll"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\0\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\FLAGS\ = "0"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\TypeLib\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\Version	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\ = "Safekake Omotesi class"	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\0	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\0\win32\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\0\win64\	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0\FLAGS	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\VersionIndependentProgID\	POL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0AAD4536-CBA3-4F15-509C-0B70EC9B88FA}\VersionIndependentProgID\ = "Msxml2.SAXXMLReader"	POL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FDB406C2-11B2-DBBC-CA45-201335CECAA2}\1.0	POL.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4616	msedge.exe
4616	msedge.exe
2204	msedge.exe
2204	msedge.exe
4372	identity_helper.exe
4372	identity_helper.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4328	POL.exe
Token: SeIncBasePriorityPrivilege	4328	POL.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
4328	POL.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
4328	POL.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4328	POL.exe
4328	POL.exe
4328	POL.exe
4328	POL.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 4328	1832	setup_akl.exe	97
PID 1832 wrote to memory of 4328	1832	setup_akl.exe	97
PID 1832 wrote to memory of 4328	1832	setup_akl.exe	97
PID 1832 wrote to memory of 2204	1832	setup_akl.exe	98
PID 1832 wrote to memory of 2204	1832	setup_akl.exe	98
PID 2204 wrote to memory of 1504	2204	msedge.exe	99
PID 2204 wrote to memory of 1504	2204	msedge.exe	99
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 2548	2204	msedge.exe	100
PID 2204 wrote to memory of 4616	2204	msedge.exe	101
PID 2204 wrote to memory of 4616	2204	msedge.exe	101
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102
PID 2204 wrote to memory of 2368	2204	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\setup_akl.exe
"C:\Users\Admin\AppData\Local\Temp\setup_akl.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Program Files (x86)\POL\POL.exe
  "C:\Program Files (x86)\POL\POL.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Program Files (x86)\POL\qs.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdd2e146f8,0x7ffdd2e14708,0x7ffdd2e14718
    3⤵
    PID:1504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:2548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
    3⤵
    PID:2368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
    3⤵
    PID:2660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
    3⤵
    PID:924
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
    3⤵
    PID:1276
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
    3⤵
    PID:3300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
    3⤵
    PID:2000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:1932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
    3⤵
    PID:1808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,3165303914892407016,16361095635029960367,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4064 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\POL\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Program Files (x86)\POL\POL.003

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
C:\Program Files (x86)\POL\POL.004

Filesize
14KB

MD5
4687a64503f962915cd278baada57449

SHA1
ef42ea6ac10a1eff3b8ccea7194e4bdcaf18f6bb

SHA256
2660a6af939bf1e32391c5ef13afb14ee65a6bd866d4b152e7f5db6747d7a67c

SHA512
0aa67de3ce116f2d0c4f5d43da8aceee4802272feeae5e018e0dc653eb6f609a786e2f40df4e9102ee9f1e199831aaa021fd4c50960d83568eb2f87cb8f0b7f8

Download Submit
C:\Program Files (x86)\POL\POL.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Program Files (x86)\POL\POL.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Program Files (x86)\POL\POL.chm

Filesize
33KB

MD5
8e4c5c3fee759991597ebc2d855ad4e4

SHA1
b3da123c6300a330b8c869b1ba807115e42c6eab

SHA256
e97a9f0dd54d6013280cbb032e63b9cfcc976886a46eeeac07a45af2fc545547

SHA512
30a126b57b538f3429a66785521ce30e8dfe4e617d84381e9f5a0feae5956576aaf00253ea41170e12813f2637edd11c5ce643c08dd4920bf30d8bf94b95208e

Download Submit
C:\Program Files (x86)\POL\POL.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
C:\Program Files (x86)\POL\Uninstall.exe

Filesize
43KB

MD5
4bbbf32667e8d9aca25b74536c022802

SHA1
128ce5fb0d058cc9126da94a2f9799b2275dfa22

SHA256
df3a520beb7b22566981849512cfba209d108d65505b49f38ad054aad9940c17

SHA512
5a850f7d6ef5293aba4594370eb59116d78b31f07f663dfc737bb35992e8c2fc351935f30af512f319af5f26f0538029624b442eca00a9f00409a23f263d9d72

Download Submit
C:\Program Files (x86)\POL\menu.gif

Filesize
22KB

MD5
20fe009bce33b78dd40b48bc5f8accc6

SHA1
cd614d9b9e088eecb7e63722f61a39a0cf0ec196

SHA256
979c4b395172a53794b18d996df95c75c68d70ec3573aba66cdfe28c8d1cf0eb

SHA512
f6be54be78bfdf770c7c131c5d108b0b33376886b9b4a66598e2c92543a2e83ffafdaea36b9d749784a978d4327cdf52ce0ac6feb9a28d683162b0b3f2f40a37

Download Submit
C:\Program Files (x86)\POL\qs.html

Filesize
1KB

MD5
40d00fa24b9cc44fbf2d724842808473

SHA1
c0852aa2fb916c051652a8b2142ffb9d8c7ac87a

SHA256
35b0f1bb808e1623ad534fbc1e72cea25ac28f71340e9c543f01d1bfdd094035

SHA512
9eb750e08ca9750988290626ae8ed32a2ecfa7c8ca021b3e26b3da0a94de952b991a9a6a0ad5729d7d5ccf7b3b36fb36fd24047f705d0468ad04908ba8a7154c

Download Submit
C:\Program Files (x86)\POL\tray.gif

Filesize
7KB

MD5
0ac69330c3b9181b8a109fddb91fa128

SHA1
ef9698ccce041ce8ba3f4af37d0c2b577f19b375

SHA256
e675fecb791ed568aae7f1c24b159f7c0f7e23fe8a7ce76f72b3dd1a4ac00e9d

SHA512
3a74c04baf3e1e842c0a2568a6480e4ece05baef31171397763de638c6e5b0d26255cf1d7802ea53c355563b8e4b600d24d04afb5168fbc54f66414445327749

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Ardamax Keylogger.lnk

Filesize
1019B

MD5
26ce9ae3bdaa4c80e798a953a3dfdeef

SHA1
6b2a11b2c961d00691215e5472fe4c07b44b3c7b

SHA256
c679f0b59dc4eda0ed8d351bdcab194eba757fda510133a04a83d974baff7849

SHA512
3204532b2ad0ea1fed97c3b391e42e8c70941f237bf8549b2c42f1d625e0c3a703d65e9b146199067329ae029c7a3267db7368302b6897288257fd59f36252d7

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Help.lnk

Filesize
975B

MD5
e5cc2b0dc3deee308ff61b24af5e7ab4

SHA1
fc030f39a0eb114d36efa4065d40aebd1d2e83a5

SHA256
3497a1ed160b11688a68e58d9950b179bea7df0e12e3e4ae7179624f96b7cbe4

SHA512
d85de718b12ad4a6cb51829ccfd13165cefecb7a2acb3ced415462bdf293c8099b213dcc1f820d75cd75a355b54fbc8c0b5b1e4cf1c84e3f011aa4a5631e51ea

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ardamax Keylogger\Log Viewer.lnk

Filesize
1KB

MD5
63e85c0291e1d586e810a9cbe8c17a11

SHA1
ea1a83a72a2c38a70dab28d07ee8ccfcddd1805d

SHA256
1fdd0ad77ea39d69563c1a78f02ba9607780706e74df445cf56647b83cd784f5

SHA512
f379575247c94a61495fa4446ddea5ae145082533d7f988226869cd23f279cdca0387937893414801616a93a4ef3cd07970ba19a8fd0a227d32fd63db231653b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8713dbad7fa3d2a514143c659864749a

SHA1
099a8f3be9396699e84356d437610b8ba0c34bcb

SHA256
407f01b3569f6b049fba6c84b7ea5e51d11f7e0a1386e4a0ccb9e15719c73ff3

SHA512
a734175640b4db529023490eb480f99f8cb8cb26c9f375d6ef1554aa45a7616a77ddd736b87071e141b62cd6925f7e927912f0d0a57b84835e2c5d8f6cb994fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c40dc7bf05fa906f83128f25ca6609ad

SHA1
9bc3f186f0a60fa4209107f4ed751462d2a45401

SHA256
faa31a5f50edf38954358529404fa60c0acc94911e7a90ef669a39082d29eafe

SHA512
1f74095758d35c23d6ec00c6d072a995d06e66607375c00435760d4acf00c55cfcaaf1f43d70f5e0ab48798dbb248c617bccd336c7f8e602cca87f8003847d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
711a9c764de2205ca503a8098bc6ab59

SHA1
f7ab1c00d41f5ac12f226781bdbdd2fd8a16dee8

SHA256
5c35102fef7ff3dcf22b5863af2449efaab7301dea4caa6d9c1f4686c891b6c9

SHA512
c143c7a03fddd66a77b2f177b12c1f5c8975189c4e30b0fa8175d30533a0aa89df7d500fbe7f9af24160bfdb1510b66095f55f6d01730c5b22714778422cefe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7457.tmp\InstallOptions.dll

Filesize
14KB

MD5
3809b1424d53ccb427c88cabab8b5f94

SHA1
bc74d911216f32a9ca05c0d9b61a2aecfc0d1c0e

SHA256
426efd56da4014f12ec8ee2e268f86b848bbca776333d55482cb3eb71c744088

SHA512
626a1c5edd86a71579e42bac8df479184515e6796fa21cb4fad6731bb775641d25f8eb8e86b939b9db9099453e85c572c9ea7897339a3879a1b672bc9226fcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7457.tmp\ioSpecial.ini

Filesize
795B

MD5
46900393fe57736e3aa09da27f89af9c

SHA1
53b76ab4be6d66a0bce4bb152888b0d484efe58d

SHA256
ec4183f37dacc1526ba838918f08e047781676a1ac48b87d32d712cb2e0e1d53

SHA512
f9b018e0165ca3de77489f6157c1c8e41092e0e58538da80787bcd70390540172709c6a1e31b35ea645fdc4fa52a379b81167a1942c01dc5d69094a2576c499a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7457.tmp\ioSpecial.ini

Filesize
595B

MD5
c00e66175449e6aae50111eaae04ccaa

SHA1
fb11a56ff0e178ae3c64f377aaae23a6349903c7

SHA256
ce19005da1251d400d0e01c4574fc743c811ec95333f9db27cd83a3cbd9705e0

SHA512
6f2a3eed7cfdebdd28d811bea105d76e5a2d3ffab79b0a8984871a83f0faade61e5c01e029d26fbb3eea7a4b39888b8b977d2c3033d3519db4756ec9f0d7963c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn7457.tmp\ioSpecial.ini

Filesize
719B

MD5
a5b6d2237223b58ddede83203657b2b9

SHA1
c48d7ad949ca285160de8a9edd28bc927df73c83

SHA256
489c501bda26eeb06aec199cf1f602e20acfdf50e96bf3d7aaa00a69eece3fef

SHA512
b45faffec8117257ba243964d67ae6a965524640a8207f7796f48c29d0927baab2e860854e7e82cc692b3dd2bc4bf13635af8caa217e7cc3138815810bc1063c

Download Submit
memory/4328-150-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4328-152-0x0000000000493000-0x0000000000494000-memory.dmp

Filesize
4KB

Download
memory/4328-202-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4328-151-0x0000000000B10000-0x0000000000B6A000-memory.dmp

Filesize
360KB

Download
memory/4328-153-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4328-220-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4328-223-0x0000000000B10000-0x0000000000B6A000-memory.dmp

Filesize
360KB

Download
memory/4328-224-0x0000000000493000-0x0000000000494000-memory.dmp

Filesize
4KB

Download
memory/4328-154-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download