ardamax | d3dc6d1359e7ad3ba3601f5b19f339ec88ee9e407024dacf77ad55e88b44b205

Analysis

max time kernel
142s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2024 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe
Size

1.3MB
MD5

6b1817042284839dbfd6c1f5175c13d7
SHA1

0e36607409ac6a4377723074ad09ac9e20c4e342
SHA256

d3dc6d1359e7ad3ba3601f5b19f339ec88ee9e407024dacf77ad55e88b44b205
SHA512

b93216e2791f29a51f5b18f1409f7e859d20114e52fc7db8585ef355f9b8ed3036a80d5da97efef51515aa2817a88b493d3c77a8062afb414781950844158243
SSDEEP

24576:yGLDngp5eo+32uLRmF0jvaUiW8DwyIZUuCOVWdaowv1okwOI1ZPVoWDoqZOPrtV4:HLo5eo+muLRFjyv7IzCKWy1jwFPVNo/s

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002344c-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
920	LKTF.exe

Loads dropped DLL 8 IoCs

pid	Process
4476	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe
920	LKTF.exe
920	LKTF.exe
920	LKTF.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LKTF Agent = "C:\\Windows\\SysWOW64\\28463\\LKTF.exe"	LKTF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\LKTF.001	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\LKTF.006	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\LKTF.007	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\LKTF.exe	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	LKTF.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LKTF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	920	LKTF.exe
Token: SeIncBasePriorityPrivilege	920	LKTF.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4404	AcroRd32.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
920	LKTF.exe
920	LKTF.exe
920	LKTF.exe
920	LKTF.exe
920	LKTF.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe
4404	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4476 wrote to memory of 920	4476	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe	85
PID 4476 wrote to memory of 920	4476	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe	85
PID 4476 wrote to memory of 920	4476	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe	85
PID 4476 wrote to memory of 4404	4476	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe	86
PID 4476 wrote to memory of 4404	4476	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe	86
PID 4476 wrote to memory of 4404	4476	6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe	86
PID 4404 wrote to memory of 1804	4404	AcroRd32.exe	89
PID 4404 wrote to memory of 1804	4404	AcroRd32.exe	89
PID 4404 wrote to memory of 1804	4404	AcroRd32.exe	89
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3024	1804	RdrCEF.exe	90
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91
PID 1804 wrote to memory of 3520	1804	RdrCEF.exe	91

C:\Users\Admin\AppData\Local\Temp\6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6b1817042284839dbfd6c1f5175c13d7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4476
- C:\Windows\SysWOW64\28463\LKTF.exe
  "C:\Windows\system32\28463\LKTF.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:920
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\EQ02.pdf"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=94D2A3869DAB0BD6DAE82408B5014239 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3024
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=7BDBE0312EAD72EA904165D79912BA28 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=7BDBE0312EAD72EA904165D79912BA28 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3520
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C6F596ACF178FEA888473075FF9A403D --mojo-platform-channel-handle=2304 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3968
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=DC3413BD09002124A0193C5D7AAAB6B2 --mojo-platform-channel-handle=1948 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1528
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C023412554859637B754C7FE51A693D9 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C023412554859637B754C7FE51A693D9 --renderer-client-id=6 --mojo-platform-channel-handle=2420 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3136
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=69B5FB0D85F082D4101590C88EEE90FA --mojo-platform-channel-handle=2788 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5056d38a983e9f435e24ffc52ca2e2ee

SHA1
e44cc78a73410b668fc9c48b1d01c3503599e272

SHA256
5d8bfe17b9459204cf6f1007e70c3e1502335edc67df4fc98477b16d6ff6392e

SHA512
8429c3c577a191d5290c0715dcbf3e31bf87c23878f848a07b329560523ee13452c119c8c1fafd26f13d92d5a2eb364840b8e66a8114c4f70319c6d88d6b6f2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\@9B27.tmp

Filesize
4KB

MD5
25530555085337eb644b061f239aa9d4

SHA1
8d91e099aba5439d4bfa8bce464c94e3e1acf620

SHA256
3fb6b438ad1530abdd068bffb303fb8a4de51430e0e18ddb6b1a0469ffab8325

SHA512
b1f9de0c276533a5a7070aeb2b6415cc1c0bdd2baf5e0645c6ac5ba767cab0d76e5b4461800d89724992af2c863294ada3c1eb2e4516183fe2010c33d47d6a2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\EQ02.pdf

Filesize
1.1MB

MD5
3dfc582359aee59ed39b7bdbd181a9e9

SHA1
593270a3df5f28893b677ade0bd20f2c0e190ca8

SHA256
3bdf2cf5e4843e982f1e054331f00e7c41656c068f0fcfe932040a924463d647

SHA512
d3103fc0940c7da1382ae27e44806d717cbadac6779580fbe492d9718982fac727b99c90c07958dc8a62892fe416a46e0f2108815ecf066cc8c7eb8c61820b22

Download Submit
C:\Windows\SysWOW64\28463\LKTF.001

Filesize
410B

MD5
f3f1e64f43a3b1d885f9352ec326ecf9

SHA1
05717fc5633a7242d1d9a44ab0f35d5843a04409

SHA256
fbb7b63ae7c77de9380fc1c5ef4bf3aeda6ad10f287a20f1ab454a82d69eb450

SHA512
3aec0799e9ba09a98288b589b770ab0a6e32ebc07eac4c94eded6ff6450aeb85dcae66b71b5fb921273d773d341e2b810270b9fba1de2fcce86cf56e22fe547d

Download Submit
C:\Windows\SysWOW64\28463\LKTF.006

Filesize
8KB

MD5
81e20f4361cf8f5a57812871c24d945e

SHA1
5d7877d6959ab26599b05795a71633f00c37a3da

SHA256
e6e8b4a29dccb3531f58c75b754caf7f26afe3e7043239305fd0ae7ab2f7571d

SHA512
69b1d75ab7123054bf98cf3a0f2cc7a0749cda8d85ebdef85be7d89f1454154ce29070907b934727a6c5276ff430e94810b87a5634d25d8529df9ee36fd20818

Download Submit
C:\Windows\SysWOW64\28463\LKTF.007

Filesize
5KB

MD5
e9fbdcc2f5fb657fa519b3f5c69fc52d

SHA1
c49cca77b46a59d620711de7564d43e5dafcd2b5

SHA256
cc440cfc4ce1a1ff503cc9e8937c59aae64bfce4daa3e7dc757220a25cadc2e4

SHA512
913759967e16b99d8ea66433e5dc99d5ddbf737be6784306e67c2b23a525b7a578fcae1028221d3209abc452ff30508eb750c62113c3868a7af36b544e525fb1

Download Submit
C:\Windows\SysWOW64\28463\LKTF.exe

Filesize
473KB

MD5
97d8ad45f48b4b28a93aab94699b7168

SHA1
8b69b7fd7c008b95d12386f6da415097e72151de

SHA256
661df22a66b2062b233eb0bd9665de924cfe0ac9c6ba29e20ffef24f817f9331

SHA512
3351eac970bab391de410fcf1937da75d2e4722b808f10332f487ddfe469544e32e7d4ed0e5bdc19bd5f472cffcc55ca1498c95945b4e9c4ceff6ff5cc521c8a

Download Submit
memory/920-23-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/920-157-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/4404-158-0x000000000A0A0000-0x000000000A34B000-memory.dmp

Filesize
2.7MB

Download