ardamax | 1e4477ca2d8f7cdf3e3c31dfe6aea10b3986141d33db29e74d61e51abf3e69fd

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe
Size

1.1MB
MD5

18ace9212d0af0d550b6b8f7c9a1884a
SHA1

ce4dbed0628feb68ad54d48ca1ea66571dbc7d50
SHA256

1e4477ca2d8f7cdf3e3c31dfe6aea10b3986141d33db29e74d61e51abf3e69fd
SHA512

85c45a6db4085f6f8a9ea1649c1d72c03fc517ad64694ca348befb5ab4dbb1b061a5bc15059431b985886f96618c94ce83f25f9d5b15356d9c9aa794c220f7f9
SSDEEP

24576:wk/AT4ghJhZyCBAqPdXkZ945twISis688Oq4P8AnPLedRaFsGaJCYbZsigDJxrPk:BoT4ghXZyCBDFkAT9SisR8j4P8SkaCHO

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x00070000000233e8-8.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2596	XME.exe

Loads dropped DLL 2 IoCs

pid	Process
2596	XME.exe
796	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\XME Start = "C:\\Windows\\SysWOW64\\PFNNNQ\\XME.exe"	XME.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PFNNNQ\XME.004	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PFNNNQ\XME.001	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PFNNNQ\XME.002	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PFNNNQ\AKV.exe	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\PFNNNQ\XME.exe	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\PFNNNQ\	XME.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1692	msedge.exe
1692	msedge.exe
4668	msedge.exe
4668	msedge.exe
688	identity_helper.exe
688	identity_helper.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2596	XME.exe
Token: SeIncBasePriorityPrivilege	2596	XME.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe
4668	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2596	XME.exe
2596	XME.exe
2596	XME.exe
2596	XME.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 796 wrote to memory of 2596	796	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe	81
PID 796 wrote to memory of 2596	796	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe	81
PID 796 wrote to memory of 2596	796	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe	81
PID 796 wrote to memory of 4668	796	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe	82
PID 796 wrote to memory of 4668	796	18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe	82
PID 4668 wrote to memory of 4848	4668	msedge.exe	83
PID 4668 wrote to memory of 4848	4668	msedge.exe	83
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1836	4668	msedge.exe	84
PID 4668 wrote to memory of 1692	4668	msedge.exe	85
PID 4668 wrote to memory of 1692	4668	msedge.exe	85
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86
PID 4668 wrote to memory of 2072	4668	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18ace9212d0af0d550b6b8f7c9a1884a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:796
- C:\Windows\SysWOW64\PFNNNQ\XME.exe
  "C:\Windows\system32\PFNNNQ\XME.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://idgunny.zing.vn/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4668
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb884446f8,0x7ffb88444708,0x7ffb88444718
    3⤵
    PID:4848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
    3⤵
    PID:1836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
    3⤵
    PID:2072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:3264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
    3⤵
    PID:3028
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
    3⤵
    PID:940
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4772 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
    3⤵
    PID:412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
    3⤵
    PID:3144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
    3⤵
    PID:1972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
    3⤵
    PID:1128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
    3⤵
    PID:3912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
    3⤵
    PID:3644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5408 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3676
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,10706267946826326755,3634615460745598670,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1372 /prefetch:1
    3⤵
    PID:2140

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b613328c016b8ebcb89a96bd93d6045e

SHA1
d2976dda24885d4922ef9b3e22bf8ed66a2cb37c

SHA256
434e0e9f1d1ad53b996f43fe5f135146018ffec1118898e583d2f01ee76203f7

SHA512
e037454168bb02d2b5da3175865f370a503c09906861fb0c83083fda3dc1b4b0589a2f1f92b7bdb17d4e3e9a5000b9838dd9f76d983562584ac3c71f56471667

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4f918a5ad2a0f7a27e1f9d4e05985492

SHA1
9e5063696aa2855e71d6199aa13ce8b103ecf811

SHA256
973c222afc3c9c7bf282a4bc5eb97be6aa5cc31daa9bdb124fee1208ea09a9ed

SHA512
b791cbd78cf8cc1cef0dc00450b57d47782db291711c57a84bc58028e91af33f7c6958d9252912fec52b2511de3bdceac7268f3c91680fb5217da7beba0bee7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
633b0d233f43d99835b1a93eb617a547

SHA1
c881a2ced4f28cf5042636e4afe45105d94ab239

SHA256
274ecee7ff9f7a8f1fa4761776b1fadab276f1ce41f69f9a28ff3cdba18f5607

SHA512
0b3f5251a316215128845e35537b8a19501fb89dab4a7f5f687957d9db441ce2fbc9df22304c245aab4a0ee4ae41d5a4bb13a081dd510c9143199e08b051c183

Download Submit
C:\Windows\SysWOW64\PFNNNQ\AKV.exe

Filesize
466KB

MD5
4c5711d8a02899113661bdff195d80d5

SHA1
263592abea6d60887defb4b1bcb47dbb383edfb6

SHA256
661eee852ace18c0fe63548e3ca276866b40dd0dce722f67976b8c4bfdb92195

SHA512
4b16ee6c75a169ad02c6b30d08efcd969ba8840adf49f6eeec3abbe8b9f5f288e1b1cfb4431711a74510a6973663335e43d256ae0dcd1a68f55331152a4f64ae

Download Submit
C:\Windows\SysWOW64\PFNNNQ\XME.001

Filesize
61KB

MD5
7a5612cc859be918c5767487f8a6815a

SHA1
a855d3a3e6336ac0508a8099e8ace14680394c36

SHA256
643419bc7e3a46ecdd7196858b3489c806c5edc486b513ce58519a109544c9d1

SHA512
31c541870dbc695c34d132c4232accc2fe511f30188a4db33d5c41758cf5af00a4906b55b0a208b5848436313fd3d8ccf6be7f1af62ecedd3a5c4c301dc5e11d

Download Submit
C:\Windows\SysWOW64\PFNNNQ\XME.002

Filesize
43KB

MD5
b2bcd668abf17ee408d232cc636614b2

SHA1
c354f941121515536c4f0d9ae49ed1a9b28534b4

SHA256
563f5e99f0beb961ecf6a8284bf41fee3e85d6f63cdff1669438f5a2168bfd99

SHA512
ba1be164de5919ae45f4bedfebe7e7799626b457f07b42fc43b8912f2932955833617b45e147e2e4d406f57f57f50c1869aa611db18a569919395e42fa53a702

Download Submit
C:\Windows\SysWOW64\PFNNNQ\XME.004

Filesize
1KB

MD5
a05387f2fdd651151e90831e8ec5e09f

SHA1
03882bd5181a5ec41bd6d3d9fe8bd1dd88a9975a

SHA256
bb0b9c4429e12787d6ca35adc70cc50d594550a0f2b22450c1ceae60a26b5856

SHA512
7deb0a9c052dbf53243ff43ec3a885ffdeac729d4f7ba16d12508c35e47d948d0dbf927f90200477d5fcb1658254fae8cc982963f3dcc48ef863bd2c58a7c5de

Download Submit
C:\Windows\SysWOW64\PFNNNQ\XME.exe

Filesize
1.5MB

MD5
a9ea3f61a57b36cde9953afd91f18d34

SHA1
e7e931b96b6e39b64a2a38d704bbe9561a234cbc

SHA256
accbdc6de9b6b671e6dc5bda9f1f983fbfcaa07467fbf6eabd25b9d5314d82ec

SHA512
0a6a42a772a3afd66233d9d3abb962b3a8cbf3d6e0e719352795b6441a148617dbe788991f0cead29d4b1540726504c9c56bebd9836ae6263b82a121fafd89fc

Download Submit
memory/2596-18-0x00000000006F0000-0x00000000006F1000-memory.dmp

Filesize
4KB

Download