ardamax | 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size

783KB
MD5

e33af9e602cbb7ac3634c2608150dd18
SHA1

8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256

8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512

2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP

12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c98-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe

Executes dropped EXE 1 IoCs

pid	Process
620	DPBJ.exe

Loads dropped DLL 4 IoCs

pid	Process
1620	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
620	DPBJ.exe
620	DPBJ.exe
620	DPBJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe"	DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_43.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_18.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_21.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_31.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.002	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_27.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_37.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.001	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_52.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_20.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_54.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_33.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_50.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_35.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_14.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_35.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_39.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_59.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_28.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_45.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_07.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_23.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_26.jpg	DPBJ.exe
File opened for modification	C:\Windows\SysWOW64\28463\DPBJ.009	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_58.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_01.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_37.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_01.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_20.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_25.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_10.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_07.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.006	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_16.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_18.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_30.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_53.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_03.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_39.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\key.bin	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_15.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_51.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_52.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_31_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_49.jpg	DPBJ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPBJ.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133768853637095100"	chrome.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\TypeLib\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\0	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\TypeLib	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\Version\ = "1.0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\ProgID\ = "Scripting.Dictionary"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\FLAGS	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\FLAGS\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\TypeLib\ = "{408C6AC4-C417-1672-3851-3EFFBF084E51}"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\Version	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\ProgID	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\ = "TAPI3 Terminal Manager 1.0 Type Library"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\0\win32	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\Implemented Categories\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\0\win32\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\FLAGS\ = "0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\InprocServer32\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\ = "Xevalojte Ojiqaw Ijekosni"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\termmgr.dll"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\Version\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{408C6AC4-C417-1672-3851-3EFFBF084E51}\1.0\0\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\Implemented Categories	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\InprocServer32\ = "C:\\Windows\\SysWOW64\\scrrun.dll"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\ProgID\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{12D41BA4-895E-4D36-B28D-331169E92845}\InprocServer32	DPBJ.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
956	chrome.exe
956	chrome.exe
4600	taskmgr.exe
956	chrome.exe
956	chrome.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
620	DPBJ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	620	DPBJ.exe
Token: SeIncBasePriorityPrivilege	620	DPBJ.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe
Token: SeShutdownPrivilege	3308	chrome.exe
Token: SeCreatePagefilePrivilege	3308	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
3308	chrome.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe
4600	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
620	DPBJ.exe
620	DPBJ.exe
620	DPBJ.exe
620	DPBJ.exe
620	DPBJ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 620	1620	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	83
PID 1620 wrote to memory of 620	1620	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	83
PID 1620 wrote to memory of 620	1620	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	83
PID 3308 wrote to memory of 3488	3308	chrome.exe	101
PID 3308 wrote to memory of 3488	3308	chrome.exe	101
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 1940	3308	chrome.exe	102
PID 3308 wrote to memory of 3452	3308	chrome.exe	103
PID 3308 wrote to memory of 3452	3308	chrome.exe	103
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104
PID 3308 wrote to memory of 2696	3308	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\28463\DPBJ.exe
  "C:\Windows\system32\28463\DPBJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:620

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc5d86cc40,0x7ffc5d86cc4c,0x7ffc5d86cc58
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2184,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3176,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3716,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4836,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:2832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4928 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5052,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5248,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4776,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3284,i,15454504632635369470,9980634936715580153,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:956

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4520

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
0438038411d15c49bd57323d3cd3a42a

SHA1
48e97d0ea1dde5dc2b5d34a613fb4aedee024329

SHA256
b747041824bffc5fcf3262efbcba3a86d2f8b20fdc15848194f8c534aff437e2

SHA512
e646418cea6a9483f2de490621525a6f0414c7c516bbf6e4c94e0ad19e2ce14073103019347555aff0c431fcb2fa725edad7f41922cb074698d0808454b53a22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
79f65ea1c9fb00985b4c0b0d3ee293e8

SHA1
b5ddb197a728cbb2ff8d48f8d1cad25293d072df

SHA256
24d117d6fff05d28a9652322f2844f93d3d1da532386a55fc5abd88cc57d64ec

SHA512
f1a4eaee7d1bb382f42c77b3fd81d2dd14c6f9c23fc4b7ff3bbfc79e998a5fddf7fc541416d8480008ebb2ccdbb0d2590c63fd988b9c5cc700fe0dd6a3b5d106

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
4ee8240879e1155023a236dcaa34e640

SHA1
2fdb235d50536a43a286d0e9315a73b10c50f68a

SHA256
6839cedfc07435dc5ce82d2d86b570dc8072c1172284d5de1c69a1dc9c645902

SHA512
29943a71be06752f9064ce4c54f7986f58d077fdf0e55293185ee71728ea9cac53d5bd86e78197024e4d6bde6d0da7a59e1f56820448773b9727954ce8742d28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
aa05b61f8b21069ed8b33d409be75199

SHA1
9b414a8a7b42f3dca6fa3bc4b6594559ef9ec161

SHA256
6a60ee81f5b4774688fa715d8f509040cfba02622e1b12fe16d03c245a4c7bdd

SHA512
b4ef5ab54a2bbac34fe1547c126be3bb80dd801120a5ddf7890ae74580d3c1c47996f36f0d9ba654f1ea7c3054d0725d7a36a53c54bfadcaf6b22b9028123db4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
7a0b98b850bd9169a8d0aa14f18af333

SHA1
b5fdba0454278dd760938ed5c31299b7e5e8bccb

SHA256
9eb9cbfe86a06c7ba732151b668e0722ae41bc333515a078b81fb54d8a405772

SHA512
17703ed00b60c2197a22b380b6cd96ada713fc6fd356b2359d76eacff5698f237968002224db12bbc3f3466b1594cc766e63cd28ea0ced3f795a9c9e1e9607da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
173da8863428759299d8cb7b217ed2ea

SHA1
f2b10838351cb142db803eea50894960ba866909

SHA256
bc03e3a6c7d7d7bb1bf6a11d54ad9d23beb5abf9605c5ccb21154ee0a4a73cdf

SHA512
ccb7d7ec2fba62a7b7af8ee0d2ec65eae15eee6d2eb8fb66723e11aba50a7bf39a9d984710083774abd2b9ce564059f4a29be719b1bdfb0f995905199f4a19c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
859B

MD5
57b6f482c4324d36251e3c1d1172cffd

SHA1
08fb01fcd50a6a2e981c57b4e8b24aaca490fc90

SHA256
917eedeab94db4ae827b50cc6f7b98fb719880064f91f86338790aad3df69d88

SHA512
bdb7aa38da69614ed0ee7e5e75b278e74f6587266edbb141cbae51a65824cc378c8f5450454f823774281d0bf80c4cbcb33537cdc90c1c93b7c7d597e441c332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
2bf1167c790c852c719e4bdcfc074a09

SHA1
7d4ebbe35c8c85dc2659f0e58dfb05952b47a04b

SHA256
77dad94f16e16d1b1a66d23b92cc2f6f09f72bfb114398f0811a5ad29117ee0b

SHA512
76e3b634e4671e11c7ba133aa3cd964817f3c739691324b3be5351f69a592323b3641fdff5edc54d74f732d86cd7880c0cdb536c2a104b5c96f8b4d071e44196

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
894f55a977194fe169ade0df3f2323e4

SHA1
8b8f80480aa1171d334b881f5b48ebbc1779d055

SHA256
c66396c4df835e968362cd2734138ad4eccd4b58ac801fa225a4bc6c8b4c5716

SHA512
7eb07e2dd085d38fa744140f48013d5967e667cf20f4dac04e1fe4003454660b2a6d29181f38b6c8401a643ad7d0eddb5cdc17ca2dd98be920d89b509833dd77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
4f475cc90b41d7205c4a3f8bcc2c0f8c

SHA1
4ed7542da72ddd0cb651d1708872cbab21ee52ff

SHA256
a759ae7455c6b888b245a075e16f6353f2817dd1cb5a26b9babe5d325f5759de

SHA512
1f584075b92ae9a4dabb8ee92a4b54d95a733c16ef037a2b42b80741620b5b35002e3097612724280c7a54232d21f9ef3e69b8d5b81c4a40e3ede5bda36f30a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3ffd2658c399d8d6c555b407b761c63f

SHA1
44c63bd98608366e1659b722caef6837acbc6d98

SHA256
3d9cdcc1095a633ddd4829dece6c089cb659f51b2652acc5bd897b7dae80c76f

SHA512
8964aa3f59ad3dd2d2d34006cc178a45f4a82d537dc551a7327c554988910e41231550b8d767a13f1370c0ed165508344c0afd6ca749c8a8b777b648c8948384

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ecda95628ed937b8c8ca8b2f3d7dd743

SHA1
2cfb81e45e943cf07ce005f8dea7f81b1d7a50bc

SHA256
36777c55bfd04445b6007e91c08eb4a3a0e24eca5319a9d389f87f4eb06044ac

SHA512
0b862a211c15219149ccce853bd4f6f8f342b5662382e3357a91da0dd2e9f103666c9f139c7120b0448bdbe3496bdd0dd89a82b5f3d8b71dfe17ad93df0cc566

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
5b6de974a5076788e041c3d1ea5d5581

SHA1
fe45250c776f51b2fa04a56a22eb506f535cb1be

SHA256
f6194a67b0f3c8bebd397c84614129082b5091d0934b922fcb8516f023446135

SHA512
bf5a7007bbdd1becf33b49d0feec698151d093eb881c61719871cff6aa870e9ff1f68c212e54e9b7284e21621758f3d4373f696f57472566610721ed3a808ba3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1676fbe525faf70e56bf7a6a6536b9ce

SHA1
ebead58b91ebbf7b478eaa9de582649f2ad67dd7

SHA256
51e9ae0b10f7b3af6eb71e67f815e61dc6bc6822a01e1d7fbd5670db6a49814a

SHA512
ddb3fbde3c981f06ce7ee40d5ca6289600fcaf94198f4931b7e662eb54c398229a7ad370a817dc405c41d4b1b86c22e4863c1df6713e1bf42a0727ac1ce6d44b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
db245cd14a7f0d02fdf4991c8d3dace0

SHA1
5e16fb59fe2a769724a88aeef7e654a5efcb7e23

SHA256
cf86d9d44ca99f8798b8dae31fd323421186358d20484dc00ed6b0e2d7a8b6d3

SHA512
52f6f6dab0dce3f493e7bfd67a045803338b26676c51a7218a30d5b77bc4261183a246cc487f863164e3180c2b2fb87b1f1d3d188f8bccc68bd4f8a779c4346c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
01026ec27bc94be8ffe4d8a8320a8fa0

SHA1
31e78e0849b50f7a63ca8093976d56a9ec51c3a3

SHA256
718a0cf137249eac4d3c21644b2f56b885f528f40b2f113b38aa7457ab2dc1e3

SHA512
76d48eb740dd9e0586665817f47f140eb2c57a77c42f8dd510830c22bd233f3ef386b5fce6ede1d7860bbfd8f606416e85cdc79271e719c632a105eee11b35c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dacfcdf4f4ce7cf0969073787e1de5cc

SHA1
59135156eb14a47c3e90620f1363f20cd420f2ed

SHA256
c692989fef3d279480d4be0a3dd72e3725382a536504564280d4382ef9d4b68a

SHA512
e8c958e8ef1ddec27986b9e023321ef0e928a68891b515bf03140404affa2f6ea87763f6c8e4e4533d6e3472fde200e1cfd00e079223f20aa871120cc978db80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc0fff87a86144e1f5bd47fef19a1e6a

SHA1
f0cd47cb30dd019f61c213d1ab54fd9a95302528

SHA256
4b7812fcb738e8346aba3f956f369182260b419e903fcfd60fd5ac5f2393d333

SHA512
939aac2d53568fdaea67c0d012fa19fec28add73ff059d52f64b29947e177f2e5b6fba26c0b0c6b397ac5f80edb7c5af84fc60e3c22d17cc25dd5ef3e3974321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
81ec56294c3eefd40afaf967fc04436f

SHA1
6b316733db6152a32ec46252bcd28b65a376c203

SHA256
d88d931ffcf4fd091e37cf0100ae8a7841441356eccc054a50b8d525f24467e4

SHA512
e851ea1157eee23e545a91bc1531ed6c2a282dc4d00f50284fbc16cc3df6e410cd72df50c613b8764b9a60eaae3a11356e8e474bc5fc77ef8816e6263feab780

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
581fca632ac379298e0e654614f70841

SHA1
9a9afb4346633886035c78744a854ff1488d130b

SHA256
810e548bfc702580faca91b4b4b8baf957b773b8daf87e3c69cff1fe1ec3be65

SHA512
075d1650e9fef8b1f43e291da6b4e52095c25b0123d47a65b548787005cfb61b9fbf68ba89cfdb54f06a03099a010dccef656d78e568e232e4c8217822524e2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
e1c98a11aada27843788c115e01a261a

SHA1
85ab8c63eec6403fffcfed9cf8b9239a16f95719

SHA256
4661b530add23e49edb1030460b133d181a21d9cd66110bf5da33dd995ae2b90

SHA512
7afe41fadb301435b20a73aea31528f1dffbe4d68861728062bfd8dca1a32404520f5acaa8da74a81ec800b216ded480f605d32ddc252b0c75d0ad46ce95a72f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
271fde9fbd5a4d638a9d7de745565e03

SHA1
5cecbfb2beb826590bf4bf103aca0b57e835e5b4

SHA256
f870cf8d4b6baca4c9117f0897853bfcc4cfb0813af349b69e54e9a5e04e6a18

SHA512
0f6de82d6948bb92c79f05c6619719b085217e56a7ecf19bad5108a250ad20e6a800f0901d265c852d9903daeef23e34b53b427ba18a16901828662948750a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\@AA0B.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.001

Filesize
492B

MD5
7a0f1fa20fd40c047b07379da5290f2b

SHA1
e0fb8305de6b661a747d849edb77d95959186fca

SHA256
b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

SHA512
bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.002

Filesize
228B

MD5
1b32143e6d6faf6bc1786a0a165af5e7

SHA1
6bbc7afaee3f9201801d75133b22bebacbb3f538

SHA256
3d67dd82f481717c544df46f19c7ae392ff8dd1b953337a62d2c9e47a5d64f71

SHA512
90bd554469f6cad4ed9548238270a0d59cb6d4f74a6949449b3ca6984ac73e4c9e5d811b1e62b8d32ca621510343ad86ae8b9290e6666eba2f98ad1beb71e77d

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.002

Filesize
356B

MD5
45d342fd44f03e7acf9c693a776422b8

SHA1
5b5f2d90ee33e537b88abd2441d99dcbc04d1e7c

SHA256
5a224e799c3091f725c40b21d89fd0ab39f7255c21cf8aad32d1ce568c219a5e

SHA512
ef8e83795a6ae7707c4cc27f38ada134cc9b82fff420ee9a205318076bac416bb41bbdf9b555c33359fd72c4a092f4785450745432a91f299ab2495adaea5df2

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.009

Filesize
1.5MB

MD5
5ad4d5add8c3def0a211f58d75f9d085

SHA1
73b9c6fbdff5ff607ef4a22b6a91fce0af183461

SHA256
b8d408be74d35c8033167392f1c933736eb0342c2e4f8d27abffcb419c78e5ad

SHA512
51e06a73cc416dee333884c08d268162da113e29f050ba02c83f3e70caec9804951516cd7ba111ee0bbb71404d6eb99320efca35ba5a4fc9568b65e2ec47226e

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_14.jpg

Filesize
115KB

MD5
c64c31e032665b3b77a41a16b9b25101

SHA1
4366a41c010a3bb62c4f25db63f31d52533112e1

SHA256
4dbfccda8f0a4514ff3dba32ea999597fced05acfd510143163b5c7c38605a70

SHA512
329a5f4a284da5687bd8013b820cd86641429d04534f12baed600b35c2ab1f4b8cdc1b7642c7de46363826f7f988bd4c06d1ab3d8b9c479f8777c39fa10f870a

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_24.jpg

Filesize
63KB

MD5
8ffa156dda7255c3e13c4e53fd25a9c7

SHA1
475048f7aff6f1cb9fea683e56f027a61c0ba178

SHA256
f602d2b055b11154c03d53335e7b32bfb90751ab67e6862a01223080284c66b5

SHA512
fd2704c9fccf3bf8c7ffde64e7903b952f0ea0740f795c7796a8eb0ae907e89048f05efb63f879e1ae7f62be1e045b7ac38ec7be75097b80b302cf624e7559b1

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_27.jpg

Filesize
53KB

MD5
5235559d6c1b316926cbef2ff7b1c7b9

SHA1
1b5bfae52e821de8ef356cedaa100b1b176fd72f

SHA256
b08bbef7ce258d00ee072e450b88894296e751ce998d7509a0d6d02cd1cbb33c

SHA512
926f7c1feb498d6a46cec59c4eae8c86d8ba6d6c5e688804bbf3fd0b6e241ed63a85078fd0586211ce1c3c1f07678a39702be08db760cdc478581091341c4b86

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_33.jpg

Filesize
54KB

MD5
2281227ec914dbf5311acb3f31926b13

SHA1
def5a9c4f57fed53672f01d171afc479cc3b6832

SHA256
c3185d86d4b86e75f7bed21a176c87425ed349b05c344384db1ebab3e22789b6

SHA512
fc7699d5da7bd4b880f9a783df728d9161096ad6dfc70940445c422c2ff4f38ebd82c2fb9b690536e0212cd0c3ac3a210157f01cb9d5edde92cc7b946d533c31

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__01_29_39.jpg

Filesize
154KB

MD5
8f8c953a29f4100713d7668af8050619

SHA1
62409ee61a5518e886152de71b7daabb86dcf086

SHA256
f42734755dfb21e8d69f17eff6a166770fede50e3d84dd938e7b8a019a40932a

SHA512
4044d0b06da116b17c0a8840637bf632a255ae0a96e7b9ba34b1a6ceaee1e66c29efbcfef8b035d4f09e17862f47f3c519fa3877d2c82eba6e5bc18493b36188

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__01_30_19.jpg

Filesize
129KB

MD5
35a519654ed54c5381e0335f1a7cc5e7

SHA1
1901561b1bb0f27099a2fa1f5c5e04c981d5d7aa

SHA256
73be5a9c07ebac625d7990e64eecf9ca1da2dfe650210db6515449a8b982587c

SHA512
a550d63f62d14edba7576b725d2691d8ecc77e5a9765b69d450da312073bb61c153fb7bd06991fadbf54031565174ab22641d3dc1a926ce154f57d23ccfc4cc1

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/620-28-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/620-56-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/620-37-0x0000000000680000-0x0000000000681000-memory.dmp

Filesize
4KB

Download
memory/620-38-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/620-269-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-39-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/620-293-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-40-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/620-21-0x0000000000B70000-0x0000000000BCA000-memory.dmp

Filesize
360KB

Download
memory/620-54-0x0000000000B70000-0x0000000000BCA000-memory.dmp

Filesize
360KB

Download
memory/620-23-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/620-539-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-24-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/620-25-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/620-585-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-26-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/620-27-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/620-102-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-29-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/620-624-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-30-0x0000000003350000-0x0000000003353000-memory.dmp

Filesize
12KB

Download
memory/620-52-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-31-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/620-819-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-32-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/620-20-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-145-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-1154-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-36-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/620-976-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/620-35-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/620-34-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/620-33-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/4600-843-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download
memory/4600-844-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download
memory/4600-845-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download
memory/4600-846-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download
memory/4600-847-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download
memory/4600-842-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download
memory/4600-838-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download
memory/4600-837-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download
memory/4600-836-0x0000020D8BFA0000-0x0000020D8BFA1000-memory.dmp

Filesize
4KB

Download