ardamax | 715c39d532cf9243cbfbe0d464b585983576ac2db32b1e32f1b43821d323d5a7

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2025 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe
Size

1.0MB
MD5

d5dedd2de2398a21f8a3e7ac54a48d6c
SHA1

cd05cad7901e516327f1ee804a02dbd2556e875f
SHA256

715c39d532cf9243cbfbe0d464b585983576ac2db32b1e32f1b43821d323d5a7
SHA512

de3e7637df5019bdab4ecf2cfba368c539aa884be63f215828ceff59c51de3e4e6c5f8598f0400a88b98588f2c2540d43f345018ac9f9f765a5ea42f48b7fff3
SSDEEP

24576:pbPT3o8Gle4a1P1aRpLcIc45+QYwsshEgpRfd:p7TY8GMFUgW9Yw9hEg

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023e26-8.dat	family_ardamax

Downloads MZ/PE file 1 IoCs

flow	pid	Process
81	708	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe

Executes dropped EXE 1 IoCs

pid	Process
4924	NSA.exe

Loads dropped DLL 2 IoCs

pid	Process
4924	NSA.exe
3620	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NSA Start = "C:\\Windows\\SysWOW64\\ACXKTY\\NSA.exe"	NSA.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ACXKTY\NSA.002	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe
File created	C:\Windows\SysWOW64\ACXKTY\AKV.exe	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe
File created	C:\Windows\SysWOW64\ACXKTY\NSA.exe	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe
File opened for modification	C:\Windows\SysWOW64\ACXKTY\	NSA.exe
File created	C:\Windows\SysWOW64\ACXKTY\NSA.004	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe
File created	C:\Windows\SysWOW64\ACXKTY\NSA.001	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4164	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2564	msedge.exe
2564	msedge.exe
736	msedge.exe
736	msedge.exe
4472	identity_helper.exe
4472	identity_helper.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4924	NSA.exe
Token: SeIncBasePriorityPrivilege	4924	NSA.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe
736	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4924	NSA.exe
4924	NSA.exe
4924	NSA.exe
4924	NSA.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 4924	4724	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe	87
PID 4724 wrote to memory of 4924	4724	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe	87
PID 4724 wrote to memory of 4924	4724	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe	87
PID 4724 wrote to memory of 3620	4724	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe	88
PID 4724 wrote to memory of 3620	4724	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe	88
PID 4724 wrote to memory of 3620	4724	JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe	88
PID 3620 wrote to memory of 736	3620	cmd.exe	92
PID 3620 wrote to memory of 736	3620	cmd.exe	92
PID 736 wrote to memory of 3512	736	msedge.exe	94
PID 736 wrote to memory of 3512	736	msedge.exe	94
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2884	736	msedge.exe	95
PID 736 wrote to memory of 2564	736	msedge.exe	96
PID 736 wrote to memory of 2564	736	msedge.exe	96
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97
PID 736 wrote to memory of 2680	736	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5dedd2de2398a21f8a3e7ac54a48d6c.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\SysWOW64\ACXKTY\NSA.exe
  "C:\Windows\system32\ACXKTY\NSA.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\strona.bat" "
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.google.pl/
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9f22b46f8,0x7ff9f22b4708,0x7ff9f22b4718
      4⤵
      PID:3512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:2884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2564
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
      4⤵
      PID:2680
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
      4⤵
      PID:4840
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
      4⤵
      PID:1932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      4⤵
      PID:2148
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
      4⤵
      PID:4704
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
      4⤵
      PID:4760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
      4⤵
      PID:752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
      4⤵
      PID:3760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,982875046938408736,3857914782763276294,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5036 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1624

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RTI2NEE1MjAtRDM5OS00RERCLTgzNzItQzhFMUU3RTg0Mzc1fSIgdXNlcmlkPSJ7NTU0MDM5NEYtMEY1MS00MDQ0LThEMTAtOURBQ0UyRTc2MzlGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7Mzk2MzgxNzItRTRERi00RTQ2LUE3NkYtQ0U3NjgwODBBQjY4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIyIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ0OTciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNjkzODEzMjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1Mzc5NDA0ODA2Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fc7e2abfae997eac3dd58ba7132b3a2a

SHA1
ed7e80b26252b600acc6d89b985f4235b0fb03fb

SHA256
be084d16cf52949ceb38b98ebc8761cd5bf1a6ac9e8c247efc12bb669f5f023a

SHA512
a504e52646c4be5ee0f0d979b0d7a539228ab638394c658d1a88eff86f6db4091146b176484388afa6967a296af7ea97b4d2678577ea85f83d721ef2fe63f928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aa50e46aef7f210bf65d44c570031714

SHA1
41993bb24a2c4cffdb5ea9bd4eeb825bf6b6fa79

SHA256
857a7702a47be49f185619891e5c74e34b4bb2515279033f3b5a0a9be2da839d

SHA512
dd5a1e88b2000957e3ddf057329a24dbbfc5408857cd1432799f20c21b967b627627bf1a3caa23e9698bb8133b7033d925487bcf46d864186a707176f8969029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
d1a09712428734470e8a1ecaff151b67

SHA1
295b2b0f4c581a1b22a530fd1a294fc676b2ec67

SHA256
1367dedc90b67d2f8a2abfd68171986a11f91e0e7e43dbf6429c5e6609028c74

SHA512
142a5d28b249d10cbc22dc74182069baf6331e90ec4e5faeaa7b2a75f9fcd7959eb47bbab073e74399b5311c5da7985021a968493a5e43e43ab58533860631f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b723cf440dd851690b0a96073c5acb58

SHA1
e7c69a2d0829ad457f27615ca7c844d94bd98bde

SHA256
69ea0ae2823affaafa90b75d2fe7c61df4d02dd943bf1e2c25b6f858e2adb1b2

SHA512
7a8d75c93dbb79b5ddfce90bd745b57ee1d67d02636140774a1ff0782119421c48b4b90dcdcd018709414ba17a96f5fc5efc26610ce06e4d6e0f2ee2d4f00968

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
34926f5484feff85aa28c0850b807eb2

SHA1
ad9d958f4877f4de94ea4f74c023dbf62bf2ff90

SHA256
b19fcafb0b286492b676002fd5273768e44793158cbc0fdd65e515641111abbd

SHA512
95459b1c62f742b4b6eea16bbe21795c81b488de6a5a45c715ce2c02c23dd32be262587e8f4a210ca7741bdb8c7f51655ab2bcaba2f5539dff05a85d33f93473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
33346e30591ea9621527d84c3f0aef2b

SHA1
03b0c0f0afd3ca09a31ff3cc72451297d4b32409

SHA256
f11842f91217fc1ec3383372e8bfb9ac8808efacc30e55512a2f55d4a6cca0dc

SHA512
2718388084905ba9de7f673511b731338646742a9acaa1931afb723743e11624baf9c5aae6981dc1d89c2c8a4a2d0665817b384ffaad07fbfb0db162b748b2b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
268beac12d4c9df8f7797817fbb911ea

SHA1
aa425b0984bba3ffd2d1fe4fadad38d4268a2b07

SHA256
0fc03ee7b1a9efaad424343906b4cccd256b6b668375003d07590765f0246ff8

SHA512
398d963878c6d7920083b962249c378128780467c2fc650a1d41079fcec4ddbe013ab4337e527f415f6fb773b5923322ef4da2e12d69b2c1d61742b0a5653cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
857a5deb90bf4330fe49ae88f7c7b30d

SHA1
f7f349b516a75d87113c6ed163bae02e91fecf38

SHA256
f36af281e0c798c66bda9c9b0515e931c955dd41a2950892cc000de75f189c05

SHA512
a530d537d2698c4d29fda9bf682d52cb1e9e24798c50bc69e25216808bf15302827f649f02a820ca5a45fdbba070d80a8770abdc17bb77b4b72864ed1efacce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\strona.bat

Filesize
30B

MD5
be6d969461b88d3f5872bbb1f9fde229

SHA1
a3694241b9754733fb1b24b1394de664013a653e

SHA256
ae229d30a02abf08fb7b0a28c7c57ce6a4ef501352e92835a7e89a45755affaf

SHA512
f6e5b858196e71bf280bc8bb88bc50f0d9d46da5c06103c81a961da461c201bcd40480866a65e186e9a48e9790eec10d8cffc2b98031302545a50a7d4a930b7b

Download Submit
C:\Windows\SysWOW64\ACXKTY\AKV.exe

Filesize
448KB

MD5
c49125a39e0ae69b1cc77040ba8a9441

SHA1
92941e9559d9b1a0a944595377b6c5d44b53a6a4

SHA256
f7e3d70532b7a0b04bde2fc3a9439b8a95ba7b89eff5f214ef53041a58c97524

SHA512
f61f42e500ebdd0559c420f05849265964e58aba7bb2be1095d41dddc1393ccf2191de0ed61d5fefd3957c4890c61fced1497481b76f158a12f7d95e626224c6

Download Submit
C:\Windows\SysWOW64\ACXKTY\NSA.001

Filesize
61KB

MD5
8d8041fe45149cc7383c52f719c4d1d6

SHA1
ae81719657952ad493161bcf0788fb45357dc03e

SHA256
cd6a210bcc19fc0f301fe3fb0cc58318d275df9666057877f7dc56ff0c134531

SHA512
0eb1168a4596b4ca5fbe864e16e5ec3cb8fc7cd6a6407ee095a34d7d5dcaa4ca270022b00f1ece2ee9048b6fd29cfdad9a0900dbf5a75d7a69d09bfa73c23983

Download Submit
C:\Windows\SysWOW64\ACXKTY\NSA.002

Filesize
43KB

MD5
d977f26d7f7ffcb0f002813b55ff032d

SHA1
7e17b642dc1286908c18caba6fedb890de8fcc86

SHA256
2ce6c66843f0d0f156ae523f25d2cf4c9886fcae7b4f69deefbde4bc5328bf29

SHA512
e291f6acf5df88c52eb9232d55eb43fc08cbd423b7ae46148f710de909db49c04fc1d64e05b8e307ddd880134c525188109b94182ca99ea5934b66b9316e9e25

Download Submit
C:\Windows\SysWOW64\ACXKTY\NSA.004

Filesize
638B

MD5
d94f764bdbd8bd11118008a078dc1e47

SHA1
912cdbfc8482349ba42e92aa837f85181fcde066

SHA256
0818cff0b9c7efcb7fdce31e361ecf0aeba838e967c3df0ed67ffe7d6cf1a94a

SHA512
bfdf7fd26ed6f1496d6a31a3703e5ecd4358195cf552f56e3a71584927e41f0695de3c1978c43ce18713b308e3d4f2fe10ef973668fddf68addd76cc930cf22b

Download Submit
C:\Windows\SysWOW64\ACXKTY\NSA.exe

Filesize
1.4MB

MD5
27a49221ba75a90934342bbe70f6c954

SHA1
751e322d6f7e46c132f0f97c56d60344248f1959

SHA256
946611f5091452aa46310d3ba8a885e808617b8ae9c57a468f7fe3abda4b052d

SHA512
9476f49d2e3c10f3e5cd91313e03405f944bc9887fd65e6c2236caab3a42e2c9a5392d7c34f6c5787a7dc8c3cfd43a3a90a6e052176aa60a43da0327d7ff78d6

Download Submit
memory/4924-79-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/4924-19-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download