ardamax | ee59f1c354acb7693b6084a65a3f5bd955f2d22a8c15318671bd5d2e5eb390dc

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7897b657b549d7bece1f4eba26529a5d_JaffaCakes118.exe
Size

1.3MB
MD5

7897b657b549d7bece1f4eba26529a5d
SHA1

6e3b8704af7560254e5c9dafb88c20e6f372f5ed
SHA256

ee59f1c354acb7693b6084a65a3f5bd955f2d22a8c15318671bd5d2e5eb390dc
SHA512

ca8a65e30c48b250be7a2f6062650fbbfacf4869cb36617e26ca0f8b353ea0f65b8c557e1600f92fc169e67ce68c57d60b49d32bd11bbfad61ebd9034a2923b4
SSDEEP

24576:grHRqUW1BYrRh4jd3e1B/EYCfGMuAflTn7Lzrws4p4TFk/GiVWWd5kSOW:grHRfW1BYw3e1B/Xg/uAflTnLrwsywmb

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b91-37.dat	family_ardamax

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	7897b657b549d7bece1f4eba26529a5d_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	explore.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PAYMENT SLIP.exe

Executes dropped EXE 3 IoCs

pid	Process
2572	explore.exe
444	PAYMENT SLIP.exe
4048	FVF.exe

Loads dropped DLL 3 IoCs

pid	Process
4048	FVF.exe
4796	AcroRd32.exe
4796	AcroRd32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FVF Start = "C:\\Windows\\SysWOW64\\MVFIFT\\FVF.exe"	FVF.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MVFIFT\AKV.exe	PAYMENT SLIP.exe
File created	C:\Windows\SysWOW64\MVFIFT\FVF.exe	PAYMENT SLIP.exe
File opened for modification	C:\Windows\SysWOW64\MVFIFT\	FVF.exe
File created	C:\Windows\SysWOW64\MVFIFT\FVF.004	PAYMENT SLIP.exe
File created	C:\Windows\SysWOW64\MVFIFT\FVF.001	PAYMENT SLIP.exe
File created	C:\Windows\SysWOW64\MVFIFT\FVF.002	PAYMENT SLIP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAYMENT SLIP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FVF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explore.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	explore.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4048	FVF.exe
4048	FVF.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4048	FVF.exe
Token: SeIncBasePriorityPrivilege	4048	FVF.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4796	AcroRd32.exe
4048	FVF.exe
4048	FVF.exe
4048	FVF.exe
4048	FVF.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe
4796	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2572	1880	7897b657b549d7bece1f4eba26529a5d_JaffaCakes118.exe	87
PID 1880 wrote to memory of 2572	1880	7897b657b549d7bece1f4eba26529a5d_JaffaCakes118.exe	87
PID 1880 wrote to memory of 2572	1880	7897b657b549d7bece1f4eba26529a5d_JaffaCakes118.exe	87
PID 2572 wrote to memory of 444	2572	explore.exe	88
PID 2572 wrote to memory of 444	2572	explore.exe	88
PID 2572 wrote to memory of 444	2572	explore.exe	88
PID 2572 wrote to memory of 4796	2572	explore.exe	89
PID 2572 wrote to memory of 4796	2572	explore.exe	89
PID 2572 wrote to memory of 4796	2572	explore.exe	89
PID 444 wrote to memory of 4048	444	PAYMENT SLIP.exe	90
PID 444 wrote to memory of 4048	444	PAYMENT SLIP.exe	90
PID 444 wrote to memory of 4048	444	PAYMENT SLIP.exe	90
PID 4796 wrote to memory of 4116	4796	AcroRd32.exe	95
PID 4796 wrote to memory of 4116	4796	AcroRd32.exe	95
PID 4796 wrote to memory of 4116	4796	AcroRd32.exe	95
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 4812	4116	RdrCEF.exe	96
PID 4116 wrote to memory of 1312	4116	RdrCEF.exe	97
PID 4116 wrote to memory of 1312	4116	RdrCEF.exe	97
PID 4116 wrote to memory of 1312	4116	RdrCEF.exe	97
PID 4116 wrote to memory of 1312	4116	RdrCEF.exe	97
PID 4116 wrote to memory of 1312	4116	RdrCEF.exe	97
PID 4116 wrote to memory of 1312	4116	RdrCEF.exe	97
PID 4116 wrote to memory of 1312	4116	RdrCEF.exe	97
PID 4116 wrote to memory of 1312	4116	RdrCEF.exe	97

C:\Users\Admin\AppData\Local\Temp\7897b657b549d7bece1f4eba26529a5d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7897b657b549d7bece1f4eba26529a5d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\explore.exe
  "C:\Users\Admin\AppData\Local\Temp\explore.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe
    "C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:444
  - - C:\Windows\SysWOW64\MVFIFT\FVF.exe
      "C:\Windows\system32\MVFIFT\FVF.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4048
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TT COPY.pdf"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4796
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4116
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=77A4E041DA25ECABB23581C66E9F8A5D --mojo-platform-channel-handle=1720 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4812
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D9C01BAFFBF7B67494ED8AD312B15F5D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D9C01BAFFBF7B67494ED8AD312B15F5D --renderer-client-id=2 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job /prefetch:1
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F426AB42029B9360F0A61155F153B0D9 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D34CB3DD601AB34444BB104300838A19 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=64C6E06BF671A3B22680B09AF4B3F592 --mojo-platform-channel-handle=1712 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
4ad8c3e07642b1e5a0275644607b507e

SHA1
57d5924d2139e2149157208312ed15c5a478338c

SHA256
93921d8ce66a45a259111dd2100c7fd72fe0372895101a3c53643354d64e5f4d

SHA512
17258c1fda624597966f78cd0bc6fa2f1b1d8f9044228f3b57f0bc3a7d509aa8d657ec44809644b91d504a4f2f2c43c16b9f9b93daa4425507181a15232ba757

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.exe

Filesize
1.2MB

MD5
9b1abc28205943c6c162690d44b1feac

SHA1
7b1ec5f066933948fb29e224258e428091c281ab

SHA256
b7a3a2f8457113309d842c507ce31a5d0d2720ebe570dc03c902d875db7a69c1

SHA512
4d257c9a859a064178aa1ca9025839a2227305fb4af6a1d93007390244d89f9069bb662c2a1e8086c2da2b5a526a5119a340765b58d3b42f7b313629cddb04e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TT COPY.pdf

Filesize
102KB

MD5
abe92b6faf82930249e978bb1eced7a2

SHA1
58570a506b2ce9d69b9542eb666144d5faf70af3

SHA256
19378f3e67ede578630f5d22df27d1f9b0375bee2705a031f71d3823efe9d04d

SHA512
5ea2ce19474c07710669dec4c67da84fdc45969f9fa0a7a7adb19468c655523d601f9f134991b9b099a2fc3564321c32e8da2d89ce84e744a592315067f78b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\explore.exe

Filesize
1.3MB

MD5
2a889ee573126d117ae8f421f4b0ef80

SHA1
2197693be3cce6fd7027d545596a4131bbbcc900

SHA256
0e5c1bfcaee6957c27be741996ab5cd14bcfcb492bc07209d69b885309e8666e

SHA512
2f40098029eded022199e78eaba9df87eb16d6304f83e334eccd99eae0acb3c23a28b4a2e60c5382fb48a070dc6a4720361dfee7a90ca64aae6db3c7a71d2caf

Download Submit
C:\Windows\SysWOW64\MVFIFT\AKV.exe

Filesize
489KB

MD5
0725c70d7b45945089905464a2710dc8

SHA1
a47223eb378919afc8c2a6af6b031bca12eacaae

SHA256
5340cf0385c1ccf9a5f01e9bbcb68474d5760c1c60bd87772fbd8a498208a3c5

SHA512
3b95b3c582c2df9a59c2aaa5e9f04ea093dda8b53a7df4b966d46c6f61643e8beed3e3cca0e784301f5f14ea17e2520ecf10dca0ae805e5b31bd51ac94d10888

Download Submit
C:\Windows\SysWOW64\MVFIFT\FVF.001

Filesize
61KB

MD5
513c67ebf0379f75a6920540283a4579

SHA1
2fe191acb478d62026a8dbf63f65619d168ddee6

SHA256
8f636876880c59251548fca626731e648553e0b81b02f4667c22cbfadfbd6e30

SHA512
2330f5bbd8d7de91473430bc35a125fe13b261afa5b4ef9533d4d6ebcde6cfe27f705fccbdefa092eb9123eb33dcc1448deab72adab981726517afe458beb01d

Download Submit
C:\Windows\SysWOW64\MVFIFT\FVF.002

Filesize
44KB

MD5
1db8aa9ffda07a5f5559cbf25087147b

SHA1
eea77894bff8e24fb0861159927f67decb629184

SHA256
8cf369255b48195b8ecec1c7bf2e76924641880aa7311e6cf504ca534bbfcd62

SHA512
b9f80191dd8975c2e484eeec1bc7c6212d1b614061e69d96eda87b7a061a78a34de220f22607c3eb1c0fa37f152744a5c8f65a896e2884a9daf969db54a11704

Download Submit
C:\Windows\SysWOW64\MVFIFT\FVF.004

Filesize
1KB

MD5
58d3b4b51a4da90f88aa80b7d6d82d56

SHA1
3cf528bfd6588c4ade33586158b5ab3c71dae4ed

SHA256
b658d0e8de0f7515904c058c2cb7a88f1de207d6ea5cde8bed93b51a48fa133c

SHA512
f8ba2f031d047f91b243113f8d1a5b0dc2dd170edff3eef9659bb3a0c8703b40e6c11d6304e17e14c3f9fc2b4eb63702d70ac49055e144b2abd4bbde6b52ff4d

Download Submit
C:\Windows\SysWOW64\MVFIFT\FVF.exe

Filesize
1.7MB

MD5
7dc8f94e34ad6f38e94f957043c39617

SHA1
081a26dc478bd3de6f2889b9c8da8b2e79723d8b

SHA256
618fb51d23c0ca116dbd24dc5e0240ebda862e405283d64871549321fde08202

SHA512
539c239670369f34e7907d072bdf6b91becb927454db3212b0c307363289b1900edffa2f9fac22d3d14435fcee28b7bdeee1f039f027d74f84627c85774b9f56

Download Submit
memory/1880-5-0x000000001B080000-0x000000001B088000-memory.dmp

Filesize
32KB

Download
memory/1880-18-0x00007FFCE6890000-0x00007FFCE7231000-memory.dmp

Filesize
9.6MB

Download
memory/1880-8-0x00007FFCE6890000-0x00007FFCE7231000-memory.dmp

Filesize
9.6MB

Download
memory/1880-6-0x00007FFCE6890000-0x00007FFCE7231000-memory.dmp

Filesize
9.6MB

Download
memory/1880-7-0x000000001BDB0000-0x000000001BDFC000-memory.dmp

Filesize
304KB

Download
memory/1880-0-0x00007FFCE6B45000-0x00007FFCE6B46000-memory.dmp

Filesize
4KB

Download
memory/1880-4-0x000000001BC50000-0x000000001BCEC000-memory.dmp

Filesize
624KB

Download
memory/1880-3-0x000000001B6A0000-0x000000001BB6E000-memory.dmp

Filesize
4.8MB

Download
memory/1880-2-0x00007FFCE6890000-0x00007FFCE7231000-memory.dmp

Filesize
9.6MB

Download
memory/1880-1-0x000000001B120000-0x000000001B1C6000-memory.dmp

Filesize
664KB

Download
memory/4796-48-0x0000000004B30000-0x0000000004B45000-memory.dmp

Filesize
84KB

Download