ardamax | 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

Analysis

max time kernel
300s
max time network
271s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size

783KB
MD5

e33af9e602cbb7ac3634c2608150dd18
SHA1

8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256

8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512

2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP

12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023b94-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe

Executes dropped EXE 1 IoCs

pid	Process
400	DPBJ.exe

Loads dropped DLL 4 IoCs

pid	Process
4156	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
400	DPBJ.exe
400	DPBJ.exe
400	DPBJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe"	DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_49.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_27.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_37.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_29.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_28.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_29.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_33.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_08.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_48.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_15.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_31.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.006	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File opened for modification	C:\Windows\SysWOW64\28463\DPBJ.009	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.009.tmp	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_35.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_47.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_18.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\key.bin	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_22.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_31.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_41.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_28.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_22.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_49.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_54.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_21.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_58.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_26.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_44.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_16.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_19.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_41.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_08.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_43.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_38.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_22.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_45.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_20.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_54.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_59.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_48_44.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_49_45.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_50_33.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_23_2024__12_47_43.jpg	DPBJ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPBJ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\0\win64\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\InprocServer32	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\0	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\FLAGS	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\FLAGS\ = "0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\0\win64	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\ = "Zetah Esipaza Lovalviqo object"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\InprocServer32\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\ProgID	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\ProgID\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\ = "PhotoAcquireObjects"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\HELPDIR	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\HELPDIR\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\TypeLib\ = "{0B5B637F-20BA-F065-4432-F3D56DA064A8}"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\0\win32	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\TypeLib	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\TypeLib\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\VersionIndependentProgID\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\VersionIndependentProgID\ = "Adobe.Reader.HTMLPreview"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\FLAGS\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\HELPDIR\ = "%ProgramFiles(x86)%\\Windows Photo Viewer"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\VersionIndependentProgID	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\InprocServer32\ = "C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\adoberfp.dll"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA1C6A40-B095-4F4A-5BB7-561B738C7686}\ProgID\ = "Adobe.Reader.HTMLPreview.1"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\0\win32\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\0\win32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0B5B637F-20BA-F065-4432-F3D56DA064A8}\1.0\0\win64\	DPBJ.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
404	msedge.exe
404	msedge.exe
4956	msedge.exe
4956	msedge.exe
1400	identity_helper.exe
1400	identity_helper.exe
3248	msedge.exe
3248	msedge.exe
3248	msedge.exe
3248	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
400	DPBJ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	400	DPBJ.exe
Token: SeIncBasePriorityPrivilege	400	DPBJ.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe
4956	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
400	DPBJ.exe
400	DPBJ.exe
400	DPBJ.exe
400	DPBJ.exe
400	DPBJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 400	4156	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	82
PID 4156 wrote to memory of 400	4156	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	82
PID 4156 wrote to memory of 400	4156	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	82
PID 4956 wrote to memory of 3440	4956	msedge.exe	93
PID 4956 wrote to memory of 3440	4956	msedge.exe	93
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 4816	4956	msedge.exe	94
PID 4956 wrote to memory of 404	4956	msedge.exe	95
PID 4956 wrote to memory of 404	4956	msedge.exe	95
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96
PID 4956 wrote to memory of 2196	4956	msedge.exe	96

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Windows\SysWOW64\28463\DPBJ.exe
  "C:\Windows\system32\28463\DPBJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd400346f8,0x7ffd40034708,0x7ffd40034718
  2⤵
  PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8246068395578757176,13421675293327068454,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3128 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\42067562-51e0-4cdb-9636-57cda75f5b3f.tmp

Filesize
402B

MD5
54c1d311012f48e50ac72e9b0d6b8e71

SHA1
2a7569f5395a1efd20d031ed5e65c424b2e89861

SHA256
a69b42b2df74adb169138aab69eca376a5148930e440e90d8a57404069b6f38a

SHA512
9d1fa30376fa78197ae987410687c80463b5dbf518b7b789de8ec6809f58d3800033cd5c55a9573fcd842d656e7ead6ffb0f63841374e058558ae3ddc7f762f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e3b84b14781f94ffb4c1d36c95b9def9

SHA1
e7103d3e72330f40d5deb8f6f21ac56000a9a4fa

SHA256
79e7e8c8b1dad138df2c276c0cdafcb3b5c4d94bea653865a1f06865848757f4

SHA512
ec1f1591e973ec3438df4a9f890bb2bff1210a99f68e53247987619c10d75ce850bab5634745f8f5143479899e7369ee0c818121398101d2432fa55a1ce0bd1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
678B

MD5
45772d0f51933a056a73143987744ed4

SHA1
90c6fa045895191643e989683ffdb8314bfb97f7

SHA256
dbb0999165febb55b6142ec34812b16312e68a3f92a144d94da4c1305839d89c

SHA512
01c1f3e5b64a8ec2933835eab09bd965d5bbc42b90fecdc714c4ea099c10d68a5231f00ddd4059b1551be15861a82f4d504013d1d7370397266850e33e519c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
770B

MD5
c1096b201fef0e524aed57938c6726ad

SHA1
4f8cec6c403a5a0f92ef45f5a0b5ad5c172fe515

SHA256
4f24b038828ab460778787cc388d8214a2bd3422fab86a595443c5257d6187f4

SHA512
6c7738d6964b0c94fa33e71b9a912d5494f2874ba02e6a778254c1d9395406895aeee638ace9c2beedc2b793cc648e099d7ea697cf57726a3bd910182c0fdf6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2d47a0b3d1a145c4b13a192146ab5f81

SHA1
61eeccd5ff1e991b7dd96c6ad379dfdffa83ebfb

SHA256
35ca56ec438844b52b429ec226e5f7c46a694091b02d934b8ab20dfe6b5610a7

SHA512
f6287adffe96df2e4d4b9066b338727350dd156da87b265ecc5d39e34eee36dffb1026b2ad0fbef9c72c99d255edb7fd2aa09403244122d7125ed975bf69b1af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8a72fcbe37bfa6d297f7d16b6fdeb022

SHA1
e9fdc2f0b83184163dfe06ce5f15eace71a5f3f1

SHA256
86f2e66de20b5641bdba0a6ed1ddc5a43ef287da4c66ce67c10f62d3feb540db

SHA512
3dea65ef22d0f7a053fe86105c6d9f556891e621e07caf2e4ce9fc9c8398fb5ba4b8deeb8d94eed4120097d1414dc5e0e13aea54e5fadf7c7b5ee4827f859726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
747fbbd256da42d4c149c1727500e942

SHA1
83de6a9142fbd872807680d28453a1a11e7438db

SHA256
4b2bba01dfd5e9f005c3bd50730a65c1452fbbc1bcc28caf2eb8465acaef7268

SHA512
21f75abe774c33e4623a1c2415fb163f861d016e7e9be9a6d2d1af8e1abf160a3aba065515060183cb239e7008dcc5c9c72fcacd35ed05cab007ab1162b5bef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\@7A31.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.001

Filesize
492B

MD5
7a0f1fa20fd40c047b07379da5290f2b

SHA1
e0fb8305de6b661a747d849edb77d95959186fca

SHA256
b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

SHA512
bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.009

Filesize
1.6MB

MD5
305bf4991cdcd4fbb3b6bba799754520

SHA1
5f228089c5e507998d957d6f90129a11fc59eed1

SHA256
172a04b588100fa4d9bf6ddd96bf0cd98373ca468d31e7860441d2956c9f6d99

SHA512
2ea5a2091ef827e50b2adfefeeeb792307072ee2f88dec7d43ae26892381320af37bca608e171a867bd5b808013924d4567d5269af38d04cb65af81699e0fa8b

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_25.jpg

Filesize
121KB

MD5
ab414f460e2c0c086c4d6e02e2b25487

SHA1
8b8a546108316a273a304e4b0eb11b42a3d75126

SHA256
a35c08ff210bf217d90344337669b97576596a334db2edf0ae7af370c53e376e

SHA512
cb52847d302f5e0b8da92fa0a40bdcfcb3b70330361cd677e79cecd98f2bb4e131e786f0ca1db21d028d276788b96329d4c1df91036e35e2850ad65ef63dbcf4

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_44.jpg

Filesize
36KB

MD5
a6c0eae9082524624dfc4e46a7b436a5

SHA1
1780d724ccf06171fb4940445f79e26cca148301

SHA256
c2020ff33f236be8928346c386a77659b0f4268267faa7c1fd05a1e937680baa

SHA512
2418b49fd1e465c79189a13f55f90836252cd0e2cf1cc551aa076947e67cce022eabac7e40c157a9bc75716f588a2acc29a7e9286b19082a6cfa9ebcb19f3d42

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_45.jpg

Filesize
35KB

MD5
e8ea2ac172115764d80cbdeda2e9b705

SHA1
add0299b7e243fde0003c6ac2164fba404c13d05

SHA256
8bf4014fecd30588f6a1455bfe186d148d8cfa7b98f1965791b548c976161be9

SHA512
b3cc656dea45670458603c70011fb49c8329a6e8c17700fb149dc165b066f8eae1ec942d3ed1b92af63189b7905c91f0f0d442d258b4a11b61284e4eaba6268a

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_46.jpg

Filesize
36KB

MD5
6e6ca3ea24f0b02cc3905d8cda3c6f93

SHA1
dbe52da2e5ec30fc7fd2022ff570415ddcc76db2

SHA256
182c099703920c30a0d622d6a1e8546bc889dfe2c30a6c1fb957442a4e22a65a

SHA512
de32e1008356e208fa2951943fa0761d60aef28b4ff33e183bd7a682ba63d318bc397738537e7a759438edbef90a2847e245ce4359ce55f6663e79a3178ee1f7

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_48.jpg

Filesize
139KB

MD5
1d65b063e03595cb39c25338a8d0371b

SHA1
593c850ce3bd70e66f4e3f49a49a26cf7d7f37be

SHA256
7cf14fdd652d1808832c3a253b31f40d9406a2484b9f8e1b56a5e38dd0c9f5cb

SHA512
e4c78598f2218ac1345e7d980c25c757a0ba88541fd999f0098f4347032cb038c658d9e2c38e7841187531ee13297941e736c6c2aa4714538b829305d67acbed

Download Submit
C:\Windows\SysWOW64\28463\Nov_23_2024__12_46_57.jpg

Filesize
136KB

MD5
dd4cb94783946658cef8f65bd983ccf9

SHA1
f462cd630ffdc5504d98bcfc167adc53df26664e

SHA256
2a81c3f3ed4a1e2ad5534cb633384b973f4b4ed83d251f373c7b3dbe6e457c36

SHA512
2c506eb3328ab27c39b08a279df7edea5d7de1f46be72feba7a52fffd934ce11c4695e89aacb543cce692c259a779937bf5c86186b0618dd7800d7ebc1482430

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/400-29-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/400-112-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-48-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-51-0x0000000000B10000-0x0000000000B6A000-memory.dmp

Filesize
360KB

Download
memory/400-35-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/400-36-0x0000000000AF0000-0x0000000000AF1000-memory.dmp

Filesize
4KB

Download
memory/400-37-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/400-455-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-26-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/400-27-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/400-28-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/400-289-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-23-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/400-31-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/400-331-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-25-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/400-34-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/400-53-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/400-24-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/400-700-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-710-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-819-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-970-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-32-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/400-33-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/400-30-0x0000000003350000-0x0000000003353000-memory.dmp

Filesize
12KB

Download
memory/400-1300-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-21-0x0000000000B10000-0x0000000000B6A000-memory.dmp

Filesize
360KB

Download
memory/400-1684-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-1793-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-2125-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-2613-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/400-20-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download