Malware Analysis Report

2024-10-18 23:04

Sample ID 240125-pwty5sfgc9
Target 74b80a2d154807e988ef4d9923c7641c
SHA256 5f5969a2c2893e169939e6a413c2888303d67c9071d3d8cc6ed7857ff0cfb95e
Tags
ardamax discovery keylogger persistence stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5f5969a2c2893e169939e6a413c2888303d67c9071d3d8cc6ed7857ff0cfb95e

Threat Level: Known bad

The file 74b80a2d154807e988ef4d9923c7641c was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer upx

Ardamax

Ardamax main executable

Checks computer location settings

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 12:41

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 12:41

Reported

2024-01-25 12:43

Platform

win7-20231215-en

Max time kernel

149s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Install.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ten.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FAHD Agent = "C:\\Windows\\SysWOW64\\28463\\FAHD.exe" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
File created | C:\Windows\SysWOW64\Install.exe | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | N/A
File created | C:\Windows\SysWOW64\ten.exe | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | N/A
File created | C:\Windows\SysWOW64\28463\FAHD.001 | C:\Windows\SysWOW64\Install.exe | N/A
File created | C:\Windows\SysWOW64\28463\FAHD.006 | C:\Windows\SysWOW64\Install.exe | N/A
File created | C:\Windows\SysWOW64\28463\FAHD.007 | C:\Windows\SysWOW64\Install.exe | N/A
File created | C:\Windows\SysWOW64\28463\FAHD.exe | C:\Windows\SysWOW64\Install.exe | N/A
File created | C:\Windows\SysWOW64\28463\key.bin | C:\Windows\SysWOW64\Install.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ARFXZ.$$A | C:\Windows\SysWOW64\ten.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Programmable\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0\win32\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\HELPDIR\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\InprocServer32 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\ProgID\ = "msinkaut.InkCollector.1" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Programmable | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\FLAGS | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\HELPDIR | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\TypeLib\ = "{12177A99-131B-4570-0A64-8D9CC8CEE007}" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Version\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\InprocServer32\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\FLAGS\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Version\ = "1.5" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\VersionIndependentProgID | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\VersionIndependentProgID\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\VersionIndependentProgID\ = "msinkaut.InkCollector" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007} | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0\win32 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\ProgID | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\49" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\ProgID\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{12177A99-131B-4570-0A64-8D9CC8CEE007}\1.0\ = "Groove tool template services 1.0 Type Library" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\TypeLib | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\TypeLib\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1} | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\ = "Sicapzope Livasi Acazi Object" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\Ink\\InkObj.dll" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{510CAD12-928F-4927-5C94-797C1DDFFDF1}\Version | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3068 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\Install.exe
PID 3068 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\Install.exe
PID 3068 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\Install.exe
PID 3068 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\Install.exe
PID 3068 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\Install.exe
PID 3068 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\Install.exe
PID 3068 wrote to memory of 1072 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\Install.exe
PID 3068 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\ten.exe
PID 3068 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\ten.exe
PID 3068 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\ten.exe
PID 3068 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\ten.exe
PID 3068 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\ten.exe
PID 3068 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\ten.exe
PID 3068 wrote to memory of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | C:\Windows\SysWOW64\ten.exe
PID 1072 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\Install.exe | C:\Windows\SysWOW64\28463\FAHD.exe
PID 1072 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\Install.exe | C:\Windows\SysWOW64\28463\FAHD.exe
PID 1072 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\Install.exe | C:\Windows\SysWOW64\28463\FAHD.exe
PID 1072 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\Install.exe | C:\Windows\SysWOW64\28463\FAHD.exe
PID 1072 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\Install.exe | C:\Windows\SysWOW64\28463\FAHD.exe
PID 1072 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\Install.exe | C:\Windows\SysWOW64\28463\FAHD.exe
PID 1072 wrote to memory of 2828 | N/A | C:\Windows\SysWOW64\Install.exe | C:\Windows\SysWOW64\28463\FAHD.exe

Processes

C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe

"C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"

C:\Windows\SysWOW64\Install.exe

"C:\Windows\system32\Install.exe"

C:\Windows\SysWOW64\ten.exe

"C:\Windows\system32\ten.exe"

C:\Windows\SysWOW64\28463\FAHD.exe

"C:\Windows\system32\28463\FAHD.exe"

Network

N/A

Files

memory/3068-0-0x0000000000400000-0x00000000004B1000-memory.dmp

memory/3068-1-0x0000000000400000-0x00000000004B1000-memory.dmp

memory/3068-3-0x0000000000230000-0x0000000000232000-memory.dmp

\Windows\SysWOW64\Install.exe

MD5 88c4198144891c867237d80daa82bf12
SHA1 c2e0794514e43b3079e590122891f6c1fcfa85ac
SHA256 f3976f840a95648bbcffe606d1d06f26592c28eec0b8fe3a55d39b68f3d31125
SHA512 2bf074556a895bcfa31cd871b2c463edc84e31ed99617a14a9e51b0ff712dd19b0f220336cdaf61f70753743f57f16cbdab6efda872b8977701e989f2f92f48f

C:\Windows\SysWOW64\Install.exe

MD5 d9ea462cec53336f9a45057eb3a56147
SHA1 a2faac2b64a644f051a696cf8555ce144bb485fa
SHA256 9964e6da949b5613268f8f4a4ec80c8278a092f17712dee09ae8d7f9d6982991
SHA512 ff6c03853f6c3d8eab2ba07d01762adb51c7de3ab76db987132d5a94f484af10fad765704b7597cb89dea17ef7e352719e7468eeb4f026c53b245cf7bb9270fd

memory/2776-23-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\ten.exe

MD5 692eae85521e98c363fff6b7b48d6c39
SHA1 1aa2d68abe360be10dea980ec41b5321a2b0306a
SHA256 0e23ac39b2daf7d5b238f72ad101c0dd202ba42d3c1bf29701c8ba1936bb0d7d
SHA512 16a4b4c2e135c5bba779d0913e041e4599c460a56dd3782d608843ff767f8484fb15bc2c20664714b7b2d28ab940e60f1751e2e54e5eb2c2c1f1051fd05d47d3

\Users\Admin\AppData\Local\Temp\@40A8.tmp

MD5 4b8ed89120fe8ddc31ddba07bc15372b
SHA1 181e7ac3d444656f50c1cd02a6832708253428e6
SHA256 2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93
SHA512 49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

\Windows\SysWOW64\Install.exe

MD5 e012b45dd4336131ca57dd19ced90a19
SHA1 89599db18bdaa3fe1f6c689e933b7f4217ba83ed
SHA256 3702158e724d4d8763b72dc98f694df1a2d087ba196e3bb1ca48a0c611e6d8d0
SHA512 e0721fb0d0bf634ee0bc898efe00cbee4c2a651a2f94748ba7c9cddb01f8909c73353a36b48ee50eb8aea057836678bfae8ed4675dbc5d9b4b01f46682e44833

memory/2776-27-0x0000000000400000-0x0000000000433000-memory.dmp

\Windows\SysWOW64\Install.exe

MD5 b6f6e45452433dae611b509091850009
SHA1 af59ef222336644e79d3a1ad1354921bda10c0ed
SHA256 5252f26f187164ad6e3547fafb87dde3a83aa046c54e1df5b02742b64a66d161
SHA512 bb13dc7c63aa144bbc6635d79d0bbb7d32393f0f1575f8dac8cdbd173d9478a494f54429799888e682fd1800629d67be70e93f3d94cb3ce20f042fdebd9df5df

\Windows\SysWOW64\Install.exe

MD5 ae5cbf62d4d8bbae1f9a0205dd8c204c
SHA1 9de63bea2162a1df9f47dfc539950a55f473fe78
SHA256 9bf1374cfbef0ce2339d5fed3a98f5eb44df47f38f70dea9baccf3f228e15585
SHA512 3e8faf1872df096f829485e59637be46941eb51ecaf4d376181bd14e3c0258793840cce8dd1d9632cce44346fbff8ca01c90c09f9e757ed8449459705c884aa5

memory/3068-16-0x00000000025C0000-0x00000000025F3000-memory.dmp

memory/3068-15-0x0000000000400000-0x00000000004B1000-memory.dmp

C:\Windows\SysWOW64\Install.exe

MD5 248c17669183440a6e551be22cbb259d
SHA1 424a2d7b686d819f4a2c10c1d73f32d7dac3c44f
SHA256 93d916053f485995906aa1f6f956c8676811196df10b7c642d90819a9fb13ac3
SHA512 9be76282d2de512e53eb06d6b26153b874d400e16f4ea960a5408c5a9af4ba9083623f5e261c7a8a32c5f56ba2929159158047b285bd465a755c958defe19063

\Windows\SysWOW64\28463\FAHD.exe

MD5 d215c21f47ef99bafe6fe2806f681b24
SHA1 b2665d920c74db75c6cb79e9b540b746643da2d9
SHA256 08e73482b860921dab332ae6a6b473dd1c0fc34331eaa0ffe7fc5852e3b8d9d7
SHA512 a7f319432191f946a00bc468c4584303233b427344c15c5307dd800f9da94ca85bbbbaf4fc84d2340b52f84dcbfdb0eadb1e10956b3fe01d14e306fa8fb4295a

memory/2828-44-0x0000000000270000-0x000000000034F000-memory.dmp

\Windows\SysWOW64\28463\FAHD.exe

MD5 7f0d0aa2e3d0ca720a1bd9e11ce634c5
SHA1 17fe92950ccb893415c8450542a63a62a3471117
SHA256 f2a7935fc5bbbee10e3aba109e44d269b4edd68ada5829090d4c39985b11abac
SHA512 20fa6f3275a770732a6d101cedfa71673559f623b1b4bcc1c266b2708d476ed4dd6b2452a311f8f2481dae09e37b06247ec8961184f0e30e614039ecc666c1e1

memory/2828-45-0x0000000000270000-0x000000000034F000-memory.dmp

memory/2828-46-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/2828-47-0x0000000001D40000-0x0000000001D9A000-memory.dmp

C:\Windows\SysWOW64\28463\FAHD.exe

MD5 a8ae9617e3bce190abb4373e1cda3f18
SHA1 8178b8dad8f9e9999df8d22f485ba7a94d447e44
SHA256 b5b1b60511c400798d68b0d05f700bbc9739a03f374352870657b80b1eafbc30
SHA512 f45eab95d7fc5b46534977795b76862dc7f6bd1c40a7dd9a144ab9bc47af066b2e468973d239d3e900819d5e4b0fdaa97bb4846975fabe365997c88e6661f6d5

C:\Windows\SysWOW64\28463\key.bin

MD5 27c90d4d9b049f4cd00f32ed1d2e5baf
SHA1 338a3ea8f1e929d8916ece9b6e91e697eb562550
SHA256 172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb
SHA512 d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

memory/2828-49-0x00000000031E0000-0x00000000031E3000-memory.dmp

memory/1072-40-0x0000000002F70000-0x000000000304F000-memory.dmp

C:\Windows\SysWOW64\28463\FAHD.exe

MD5 2709fd329d26dbf992210e88d0ed2bb4
SHA1 6831506d36aa3c21f9a8c6826aeb6013186e6898
SHA256 fa5c3022a4b14b130a035cfff276e3482f78ec23906bc5f0c46587317aff99a1
SHA512 223d7ae105ce9d0ad38fc84c2c50f6e0aa4b16e3e126ace5e98b2cd0f389705134e4903ec8bc2d9302c5ec4dee0b2f605407c59e262d385b2b45ce80a15a7d00

C:\Windows\SysWOW64\28463\FAHD.007

MD5 1b5e72f0ebd49cf146f9ae68d792ffe5
SHA1 1e90a69c12b9a849fbbac0670296b07331c1cf87
SHA256 8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e
SHA512 6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

C:\Windows\SysWOW64\28463\FAHD.006

MD5 395bbef326fa5ad1216b23f5debf167b
SHA1 aa4a7334b5a693b3f0d6f47b568e0d13a593d782
SHA256 7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1
SHA512 dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

memory/2828-65-0x00000000033D0000-0x00000000033D1000-memory.dmp

C:\Windows\SysWOW64\28463\FAHD.001

MD5 aaddd93bb3db1717fe3b5dfcf18875a9
SHA1 7621645bfb8033d652903c1447884ffd380a8e4e
SHA256 a1516ef8837625db18dc20cad3515689abbebbd94d0c16e21dc3aa30d051fe28
SHA512 ce73f201b29507338ad75a1d7e5b82397afb0ebf266dc2771b6202ad4ffeeb0cfa5b017ba6868916b381bda1a45ef36925b261296c34a95b0fdea16f8998fab0

memory/2828-63-0x00000000033B0000-0x00000000033B1000-memory.dmp

memory/2828-62-0x0000000003380000-0x0000000003381000-memory.dmp

memory/2828-61-0x0000000003360000-0x0000000003361000-memory.dmp

memory/2828-60-0x0000000003340000-0x0000000003341000-memory.dmp

memory/2828-59-0x0000000003320000-0x0000000003321000-memory.dmp

memory/2828-58-0x0000000003300000-0x0000000003301000-memory.dmp

memory/2828-57-0x00000000032E0000-0x00000000032E1000-memory.dmp

memory/2828-56-0x00000000032C0000-0x00000000032C1000-memory.dmp

memory/2828-55-0x00000000032A0000-0x00000000032A1000-memory.dmp

memory/2828-54-0x0000000003280000-0x0000000003281000-memory.dmp

memory/2828-53-0x0000000002610000-0x0000000002611000-memory.dmp

memory/2828-52-0x00000000024B0000-0x00000000024B1000-memory.dmp

memory/2828-51-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/2828-50-0x0000000000270000-0x0000000000271000-memory.dmp

memory/2828-70-0x0000000000400000-0x00000000004DF000-memory.dmp

memory/2828-71-0x0000000001D40000-0x0000000001D9A000-memory.dmp

memory/2828-73-0x0000000000400000-0x00000000004DF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 12:41

Reported

2024-01-25 12:43

Platform

win10v2004-20231222-en

Max time kernel

148s

Max time network

112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\Install.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Install.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\ten.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\Install.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FAHD Agent = "C:\\Windows\\SysWOW64\\28463\\FAHD.exe" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\ten.exe | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | N/A
File created | C:\Windows\SysWOW64\28463\FAHD.001 | C:\Windows\SysWOW64\Install.exe | N/A
File created | C:\Windows\SysWOW64\28463\FAHD.006 | C:\Windows\SysWOW64\Install.exe | N/A
File created | C:\Windows\SysWOW64\28463\FAHD.007 | C:\Windows\SysWOW64\Install.exe | N/A
File created | C:\Windows\SysWOW64\28463\FAHD.exe | C:\Windows\SysWOW64\Install.exe | N/A
File created | C:\Windows\SysWOW64\28463\key.bin | C:\Windows\SysWOW64\Install.exe | N/A
File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
File created | C:\Windows\SysWOW64\Install.exe | C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\ARFXZ.$$A | C:\Windows\SysWOW64\ten.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898} | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\HELPDIR | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\FLAGS\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\TypeLib\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\InprocServer32 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\InprocServer32\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\ProgID\ = "SAPI.SpNullPhoneConverter.1" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\Version | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\VersionIndependentProgID\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\ProgID\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\ = "UPnP 1.0 Type Library (Device Host)" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\FLAGS | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\Version\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\VersionIndependentProgID\ = "SAPI.SpNullPhoneConverter" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\HELPDIR\ = "%SystemRoot%\\SysWow64\\" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\TypeLib | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\Version\ = "5.4" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\HELPDIR\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\VersionIndependentProgID | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD} | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\ = "Omipiwla.Kapih" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0\win32 | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\upnpcont.exe" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\TypeLib\ = "{5B5D2749-9F84-D3C3-37B8-3660E8509898}" | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5679B76-8BC0-46F7-74B7-C26974A7E8DD}\ProgID | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5B5D2749-9F84-D3C3-37B8-3660E8509898}\1.0\0\win32\ | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\28463\FAHD.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe

"C:\Users\Admin\AppData\Local\Temp\74b80a2d154807e988ef4d9923c7641c.exe"

C:\Windows\SysWOW64\ten.exe

"C:\Windows\system32\ten.exe"

C:\Windows\SysWOW64\Install.exe

"C:\Windows\system32\Install.exe"

C:\Windows\SysWOW64\28463\FAHD.exe

"C:\Windows\system32\28463\FAHD.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp

Files

memory/1596-0-0x0000000000400000-0x00000000004B1000-memory.dmp

memory/1596-2-0x0000000000A50000-0x0000000000A52000-memory.dmp

memory/1596-1-0x0000000000400000-0x00000000004B1000-memory.dmp

C:\Windows\SysWOW64\Install.exe

MD5 c04ad59777b9f1d796d7463d27764582
SHA1 bfe2c17f294e123a7ece9d82413309fa62c3194e
SHA256 48f9fb1932465b5d3f5659d59ec606b2dd1114f9da8add0caf5d82a781fcc7f7
SHA512 f6b272f105cef301bbfa6b27a8af99879d2c2c5a30a808bae1b71c70a0615938eea94479db8d2e992e893b68b0fd8fd2bda70c9056d721ae45f53516e120cefe

C:\Windows\SysWOW64\Install.exe

MD5 b076e422cb28f37c5d29157b7b8aa96e
SHA1 0f8c637a89ca4d0258666bd8ca35915c5f188790
SHA256 bbe943b4473c3c40efc385a17afcabd84d3ad8dea9a46c77e2a71c8910aff844
SHA512 77f0da83de6fa920c9c44de3a589b23b2d520701a363d40ed79490fc68431e46e8607c41423781d774b7235e4fac02b287edbecb46cf12251a585090e7ca0854

memory/1596-26-0x0000000000400000-0x00000000004B1000-memory.dmp

memory/3496-29-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3496-28-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\SysWOW64\ten.exe

MD5 692eae85521e98c363fff6b7b48d6c39
SHA1 1aa2d68abe360be10dea980ec41b5321a2b0306a
SHA256 0e23ac39b2daf7d5b238f72ad101c0dd202ba42d3c1bf29701c8ba1936bb0d7d
SHA512 16a4b4c2e135c5bba779d0913e041e4599c460a56dd3782d608843ff767f8484fb15bc2c20664714b7b2d28ab940e60f1751e2e54e5eb2c2c1f1051fd05d47d3

C:\Users\Admin\AppData\Local\Temp\@42D5.tmp

MD5 4b8ed89120fe8ddc31ddba07bc15372b
SHA1 181e7ac3d444656f50c1cd02a6832708253428e6
SHA256 2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93
SHA512 49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

C:\Windows\SysWOW64\Install.exe

MD5 94be864f52c017301c4a5677ff4d1588
SHA1 d1d356df73855d44ffac7ee5c5cc307735ec1a1f
SHA256 55d54a0f058fc8c698f9cb8555a1ff4e28dc62c8bf57a8fc8d85bd148025d94c
SHA512 fdcf532640ab17333987a35697d819d704a4e3dc47848d737cb17fe6c13bf5258faaca71c46ab8a251d34735900e815d9d31211c8eb22e19a27909fb10195706

C:\Windows\SysWOW64\28463\FAHD.exe

C:\Windows\SysWOW64\28463\key.bin

C:\Windows\SysWOW64\28463\FAHD.007

C:\Windows\SysWOW64\28463\FAHD.006

C:\Windows\SysWOW64\28463\FAHD.001
