ardamax | a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325

Analysis

max time kernel
123s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
Size

2.4MB
MD5

68288c29d8546aadc301eda4436def32
SHA1

b2f25aa72549ab250213e20850aa3e5beab1928f
SHA256

a5c263a5bf6522fcaaab2cf772e5d257644734d78a7149ae511fe338da350325
SHA512

d6b17aea77d4df88af97cebc0ecc40ec5bdb4e79f3ed44378c47438216eb03082544375327a93551c92ebe9e8003814781194983d88c12c525c95104bfa0b369
SSDEEP

49152:gX5TvrVpRCDhBeEJl+KVR/PKaF42Nt3XET4LTE7j5CS:gXxvrZeeEJRHa24sE71p

Score

10^/10

ardamax darkcomet defense_evasion discovery keylogger persistence rat stealer trojan

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cc7-52.dat	family_ardamax

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	HKCMB.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	HKCMB.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3688	attrib.exe
4936	attrib.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	HKCMB.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	INSTALL.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe

Executes dropped EXE 5 IoCs

pid	Process
1116	Transaction mangement.exe
3160	HKCMB.exe
5096	INSTALL.EXE
540	FQO.exe
380	msdcsc.exe

Loads dropped DLL 3 IoCs

pid	Process
540	FQO.exe
2832	AcroRd32.exe
2832	AcroRd32.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	HKCMB.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FQO Start = "C:\\Windows\\SysWOW64\\JHPMIJ\\FQO.exe"	FQO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	HKCMB.exe
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.004	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.002	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.exe	INSTALL.EXE
File opened for modification	C:\Windows\SysWOW64\JHPMIJ\	FQO.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	HKCMB.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	HKCMB.exe
File created	C:\Windows\SysWOW64\JHPMIJ\FQO.001	INSTALL.EXE
File created	C:\Windows\SysWOW64\JHPMIJ\AKV.exe	INSTALL.EXE

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1116 set thread context of 3160	1116	Transaction mangement.exe	88

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe	Transaction mangement.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe	Transaction mangement.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HKCMB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Transaction mangement.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FQO.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	HKCMB.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3160	HKCMB.exe
Token: SeSecurityPrivilege	3160	HKCMB.exe
Token: SeTakeOwnershipPrivilege	3160	HKCMB.exe
Token: SeLoadDriverPrivilege	3160	HKCMB.exe
Token: SeSystemProfilePrivilege	3160	HKCMB.exe
Token: SeSystemtimePrivilege	3160	HKCMB.exe
Token: SeProfSingleProcessPrivilege	3160	HKCMB.exe
Token: SeIncBasePriorityPrivilege	3160	HKCMB.exe
Token: SeCreatePagefilePrivilege	3160	HKCMB.exe
Token: SeBackupPrivilege	3160	HKCMB.exe
Token: SeRestorePrivilege	3160	HKCMB.exe
Token: SeShutdownPrivilege	3160	HKCMB.exe
Token: SeDebugPrivilege	3160	HKCMB.exe
Token: SeSystemEnvironmentPrivilege	3160	HKCMB.exe
Token: SeChangeNotifyPrivilege	3160	HKCMB.exe
Token: SeRemoteShutdownPrivilege	3160	HKCMB.exe
Token: SeUndockPrivilege	3160	HKCMB.exe
Token: SeManageVolumePrivilege	3160	HKCMB.exe
Token: SeImpersonatePrivilege	3160	HKCMB.exe
Token: SeCreateGlobalPrivilege	3160	HKCMB.exe
Token: 33	3160	HKCMB.exe
Token: 34	3160	HKCMB.exe
Token: 35	3160	HKCMB.exe
Token: 36	3160	HKCMB.exe
Token: 33	540	FQO.exe
Token: SeIncBasePriorityPrivilege	540	FQO.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2832	AcroRd32.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
2832	AcroRd32.exe
540	FQO.exe
540	FQO.exe
540	FQO.exe
540	FQO.exe
2832	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1904 wrote to memory of 1116	1904	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	86
PID 1904 wrote to memory of 1116	1904	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	86
PID 1904 wrote to memory of 1116	1904	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	86
PID 1904 wrote to memory of 2832	1904	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	87
PID 1904 wrote to memory of 2832	1904	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	87
PID 1904 wrote to memory of 2832	1904	JaffaCakes118_68288c29d8546aadc301eda4436def32.exe	87
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 1116 wrote to memory of 3160	1116	Transaction mangement.exe	88
PID 3160 wrote to memory of 4660	3160	HKCMB.exe	89
PID 3160 wrote to memory of 4660	3160	HKCMB.exe	89
PID 3160 wrote to memory of 4660	3160	HKCMB.exe	89
PID 3160 wrote to memory of 5036	3160	HKCMB.exe	91
PID 3160 wrote to memory of 5036	3160	HKCMB.exe	91
PID 3160 wrote to memory of 5036	3160	HKCMB.exe	91
PID 3160 wrote to memory of 5096	3160	HKCMB.exe	93
PID 3160 wrote to memory of 5096	3160	HKCMB.exe	93
PID 3160 wrote to memory of 5096	3160	HKCMB.exe	93
PID 4660 wrote to memory of 3688	4660	cmd.exe	94
PID 4660 wrote to memory of 3688	4660	cmd.exe	94
PID 4660 wrote to memory of 3688	4660	cmd.exe	94
PID 5036 wrote to memory of 4936	5036	cmd.exe	95
PID 5036 wrote to memory of 4936	5036	cmd.exe	95
PID 5036 wrote to memory of 4936	5036	cmd.exe	95
PID 5096 wrote to memory of 540	5096	INSTALL.EXE	96
PID 5096 wrote to memory of 540	5096	INSTALL.EXE	96
PID 5096 wrote to memory of 540	5096	INSTALL.EXE	96
PID 3160 wrote to memory of 380	3160	HKCMB.exe	97
PID 3160 wrote to memory of 380	3160	HKCMB.exe	97
PID 3160 wrote to memory of 380	3160	HKCMB.exe	97
PID 2832 wrote to memory of 3884	2832	AcroRd32.exe	99
PID 2832 wrote to memory of 3884	2832	AcroRd32.exe	99
PID 2832 wrote to memory of 3884	2832	AcroRd32.exe	99
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100
PID 3884 wrote to memory of 3668	3884	RdrCEF.exe	100

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3688	attrib.exe
4936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68288c29d8546aadc301eda4436def32.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1904
- C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe
  "C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe
    3⤵
    - Modifies WinLogon for persistence
    - Drops file in Drivers directory
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4660
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
        5⤵
        Sets file to hidden
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE
      "C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5096
    - - C:\Windows\SysWOW64\JHPMIJ\FQO.exe
        
        "C:\Windows\system32\JHPMIJ\FQO.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:540
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:380
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=58DAAB7F001085031BBD043AE4147EDD --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3668
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F56128D45C28008B65F6EADA717F43F8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F56128D45C28008B65F6EADA717F43F8 --renderer-client-id=2 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1868
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8B4322355B4FF7939B3DAA50488E53E8 --mojo-platform-channel-handle=1804 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4076
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B4BE7F4DF333B7EF39FDDA2DD680B37B --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:264
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D8AB7A5A5591F67CBF8764CD4D78AC6A --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D8AB7A5A5591F67CBF8764CD4D78AC6A --renderer-client-id=6 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:2788
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1024CB97477349511771CA06A48E26D2 --mojo-platform-channel-handle=1932 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e2953ed0cafd081ae7a33508a97c7468

SHA1
e7a8b9d42ffc5e7e54fbe9f28c2abcac18cfadd7

SHA256
3bf8ab2f77eb02278c107e9b5d4223f1a9bbc40e133155cd7a1ba0d8dc95d06e

SHA512
36680a23df341b6332d9b13d78036a6c74638f1842d7a4fec7743dc06406e9fee601f1b72bab5410129f7cc3348a53361aa9746734aec277d9435b1a421a52f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\INSTALL.EXE

Filesize
1.1MB

MD5
4766452f3b2d1952a671143d9b813585

SHA1
169ba313c0ccc234e2a227a97c05976f968ad3e6

SHA256
064a538b07c4722cdcec11bc6d04b8fecc44061c8d6472d9bb39d1a1848a0160

SHA512
0a1e5d3841e3cadaefae31653069b8add53d096bb938b83c6a4fc9c50815ac65fcefe5e2218ee6297440ca09f52d72394a2956fe5990387408d39ca3dbfbc2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transaction mangement.exe

Filesize
2.2MB

MD5
9a540f97fb137ff20426f30e8db62dc8

SHA1
1cd77f98dc2797cceb083e6b949261e2ea49fe4e

SHA256
d19447e7601934db1ce2038f15ad1a57835df5330d1f8780941b127fbde7cc59

SHA512
467bdac8408f6e1b66b7075f5b9ff09ba141782209d90ff6570187e41f52e38bfb0c1dfd08b8b5366f9a25257090cd28f187506b6d2e823afcde74539fe6ba0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transaction_mangement.pdf

Filesize
194KB

MD5
8764991d86c925a5f8bbe847cd0f3cb3

SHA1
19e3f30d0baabc7c457fd61fecee8d1e8ab28d0e

SHA256
5e75cc26bca0932a6685e42e07d32b9e55c3eb3a4b4af5e2b80f0a48a4116f79

SHA512
f3f6f31f21935be78af1a792f45c481563a9653e624194588ff99e378cf7b0633fce7042e0b6dc01f04c14b4fa285964915e1b7ede8f29ae094b97cc15d11bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
62B

MD5
c6abd7a109bb37ab773b9e79b91b7741

SHA1
7933b8795914b27483d2afed35b3830e8bf5bdb6

SHA256
8bc84b3ddfd9c295f555926bf1c311be423732423c585ca90796cdee7a245629

SHA512
35d14c9b7366a4737e3685223d55d85c583c7fbe73274577424dc8d9960cc78c79a80a8b42a62f6d9d9962ddd60cf2a332411d4ac18196258dc9d5b0b575e3dc

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\HKCMB.exe

Filesize
1.1MB

MD5
d881de17aa8f2e2c08cbb7b265f928f9

SHA1
08936aebc87decf0af6e8eada191062b5e65ac2a

SHA256
b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0

SHA512
5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

Download Submit
C:\Windows\SysWOW64\JHPMIJ\AKV.exe

Filesize
456KB

MD5
51507d91d43683b9c4b8fafeb4d888f8

SHA1
ead2f68338da7af4720378cd46133589fc9405ba

SHA256
71b3aecefd36e4855a369019ac5871c544d39f8889d23cd455466a24cdecce6b

SHA512
a5a7ff3f8ffb72719b7e2c9dc2719c99ea32bd68994918ea027c0d7d54cfe0c80bfd34486dd8d3cdd390376bc4c8d1f7d97de4b98b7d39a3e10c3e2682c07d1c

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.001

Filesize
61KB

MD5
383d5f5d4240d590e7dec3f7312a4ac7

SHA1
f6bcade8d37afb80cf52a89b3e84683f4643fbce

SHA256
7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422

SHA512
e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.002

Filesize
43KB

MD5
93df156c4bd9d7341f4c4a4847616a69

SHA1
c7663b32c3c8e247bc16b51aff87b45484652dc1

SHA256
e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e

SHA512
ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.004

Filesize
1KB

MD5
c419eadafd70c55f88b6235ccf3d14a0

SHA1
e04856391e275bfe54fdc6dfabdfe798f80d2afb

SHA256
76f3de81ac5a57b368786feffd51e82c49527298bd6ed554ae2cdac118043968

SHA512
4b3e1e8d94f7e8bd9a32758fab27b2fed6299882a092fea578e1107655e9d5a7d9480eca2c205b3a85e897a1ae3ffd92587b7c4b9ccd3722bb84bfb45a30f683

Download Submit
C:\Windows\SysWOW64\JHPMIJ\FQO.exe

Filesize
1.7MB

MD5
3cd29c0df98a7aeb69a9692843ca3edb

SHA1
7c86aea093f1979d18901bd1b89a2b02a60ac3e2

SHA256
5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32

SHA512
e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
1KB

MD5
ea1a1fb9ccfd94175ac7949b7c0937fd

SHA1
19f49e082f0bfbe697a30a283a8d96e5f2c96f97

SHA256
2f741dca98c6bb003b57a004523cd3ed6fc1d9c629ba27bb9ae065da2691e904

SHA512
b79bc17c026c5bb9804252fd09ef05f3c1400b5a81c3776c812de832e13d251adfa5ba9b301c9fb1126d9e55fb348f69978e2397cb9dcfc29bdfda89ba2461c8

Download Submit
memory/1116-24-0x0000000073D90000-0x0000000074341000-memory.dmp

Filesize
5.7MB

Download
memory/1116-15-0x0000000073D90000-0x0000000074341000-memory.dmp

Filesize
5.7MB

Download
memory/1116-14-0x0000000073D90000-0x0000000074341000-memory.dmp

Filesize
5.7MB

Download
memory/1116-13-0x0000000073D92000-0x0000000073D93000-memory.dmp

Filesize
4KB

Download
memory/2832-111-0x0000000007C30000-0x0000000007C45000-memory.dmp

Filesize
84KB

Download
memory/3160-22-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/3160-18-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download
memory/3160-121-0x0000000000400000-0x000000000062F000-memory.dmp

Filesize
2.2MB

Download