ardamax | 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

Analysis

max time kernel
149s
max time network
150s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 04:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size

783KB
MD5

e33af9e602cbb7ac3634c2608150dd18
SHA1

8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256

8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512

2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP

12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045067-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe

Executes dropped EXE 1 IoCs

pid	Process
2796	DPBJ.exe

Loads dropped DLL 4 IoCs

pid	Process
4788	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
2796	DPBJ.exe
2796	DPBJ.exe
2796	DPBJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe"	DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_29.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_31.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_20.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_10.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_21.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_58.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_50.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_12.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_15.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_01_01.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_01_10.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.006	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.009.tmp	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_33.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_35.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_38.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_28.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.002	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_12.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_25.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_01_07.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_01_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_27.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_07.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_28.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_22.jpg	DPBJ.exe
File opened for modification	C:\Windows\SysWOW64\28463	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_07.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_42.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_44.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_53.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_22.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_24.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_59.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_14.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_48.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_49.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_08.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_42.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_49.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_51.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_37.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_43.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_59.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.001	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_17.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_26.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_29.jpg	DPBJ.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\eef368c0-d203-4892-b867-383533208d8f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241124050035.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPBJ.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 32 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\wbem\\Win32_TPM.dll"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\0\win64	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\FLAGS	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\HELPDIR\ = "%windir%\\SysWow64\\wbem"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\Version\ = "1.0"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\ = "Win32_TPM 1.0 Type Library"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\InprocServer32\ = "C:\\Windows\\SysWOW64\\AppIdPolicyEngineApi.dll"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\0\win32\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\FLAGS\ = "0"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\HELPDIR	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\InprocServer32	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\TypeLib\ = "{AFA72E89-0F08-7656-91B2-175736B82860}"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\Version\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\InprocServer32\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\0	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\0\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\0\win32	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\TypeLib\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\FLAGS\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\ = "Riziwojja class"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\0\win64\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\Version	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\Programmable	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\Programmable\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\wbem\\Win32_TPM.dll"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AFA72E89-0F08-7656-91B2-175736B82860}\1.0\HELPDIR\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{71AECDB2-7C1C-494E-829D-78E9FDA03728}\TypeLib	DPBJ.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5756	msedge.exe
5756	msedge.exe
1860	msedge.exe
1860	msedge.exe
5372	identity_helper.exe
5372	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	DPBJ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: 33	2796	DPBJ.exe
Token: SeIncBasePriorityPrivilege	2796	DPBJ.exe
Token: SeDebugPrivilege	2972	firefox.exe
Token: SeDebugPrivilege	2972	firefox.exe
Token: SeDebugPrivilege	2972	firefox.exe
Token: SeDebugPrivilege	2972	firefox.exe
Token: SeDebugPrivilege	2972	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2796	DPBJ.exe
2796	DPBJ.exe
2796	DPBJ.exe
2796	DPBJ.exe
2796	DPBJ.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe
2972	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 2796	4788	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	81
PID 4788 wrote to memory of 2796	4788	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	81
PID 4788 wrote to memory of 2796	4788	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	81
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 3912 wrote to memory of 2972	3912	firefox.exe	90
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 3964	2972	firefox.exe	91
PID 2972 wrote to memory of 2052	2972	firefox.exe	92
PID 2972 wrote to memory of 2052	2972	firefox.exe	92
PID 2972 wrote to memory of 2052	2972	firefox.exe	92
PID 2972 wrote to memory of 2052	2972	firefox.exe	92
PID 2972 wrote to memory of 2052	2972	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Windows\SysWOW64\28463\DPBJ.exe
  "C:\Windows\system32\28463\DPBJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1972 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1880 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ddf0220-aab9-4b6f-a911-a2397033e200} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" gpu
    3⤵
    PID:3964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2360 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {944a1efe-059c-4bca-bd16-76620cdecb49} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" socket
    3⤵
    PID:2052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1436 -childID 1 -isForBrowser -prefsHandle 2776 -prefMapHandle 2808 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9487c647-ccb8-4e01-8bcb-db6dd7082cf7} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:4768
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4340 -childID 2 -isForBrowser -prefsHandle 4332 -prefMapHandle 4328 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69de75a8-1310-4120-9c94-6421f1d9666f} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:3048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4912 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4948 -prefMapHandle 4944 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e21c055c-7741-4027-8cf5-320e90215fec} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" utility
    3⤵
    - Checks processor information in registry
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 3 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5232fb02-68d7-4ced-a08a-b4f58c10ba43} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:4700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 4 -isForBrowser -prefsHandle 5460 -prefMapHandle 5464 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ef8204d7-af80-48ed-b9b7-dbf87642d508} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:3132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 5 -isForBrowser -prefsHandle 5660 -prefMapHandle 5668 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5d378bb-fe88-40d7-a5c5-2716ba372026} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:4528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6116 -childID 6 -isForBrowser -prefsHandle 6108 -prefMapHandle 6100 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfbd7325-3a25-40df-9828-58c776fe8f39} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6332 -parentBuildID 20240401114208 -prefsHandle 4508 -prefMapHandle 4512 -prefsLen 29358 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ecbc0bda-8dbc-48bd-aa15-14345551dcab} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" rdd
    3⤵
    PID:4672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6340 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6328 -prefMapHandle 6324 -prefsLen 29358 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {77479768-a8ed-438f-ba35-392fe5cc6b22} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" utility
    3⤵
    - Checks processor information in registry
    PID:2108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6648 -childID 7 -isForBrowser -prefsHandle 6640 -prefMapHandle 6348 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d3863d7-647a-4950-b7c3-a0edec9eb677} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:2012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6980 -childID 8 -isForBrowser -prefsHandle 6868 -prefMapHandle 6880 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {31f71eaa-6f99-4692-8028-7f1381e714f6} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:2468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5100 -childID 9 -isForBrowser -prefsHandle 5740 -prefMapHandle 6928 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b8a722b-45a4-4499-ac5e-1a914dc83916} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:6016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 10 -isForBrowser -prefsHandle 5672 -prefMapHandle 5828 -prefsLen 27261 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc426c11-276e-41b0-adb5-942e394a86fa} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:5168
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -childID 11 -isForBrowser -prefsHandle 2624 -prefMapHandle 6156 -prefsLen 27827 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e852c89-18ce-4e1f-8027-f15c844d5967} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:5864
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6892 -childID 12 -isForBrowser -prefsHandle 4296 -prefMapHandle 5564 -prefsLen 28048 -prefMapSize 244658 -jsInitHandle 1260 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5c92707e-e2b5-48c5-bcb2-7e5a80f12755} 2972 "\\.\pipe\gecko-crash-server-pipe.2972" tab
    3⤵
    PID:5840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x120,0x14c,0x7ffbee2346f8,0x7ffbee234708,0x7ffbee234718
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4148
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x2ac,0x2b0,0x2b4,0x26c,0x2b8,0x7ff7ea3c5460,0x7ff7ea3c5470,0x7ff7ea3c5480
    3⤵
    PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:6468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:6688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:6948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:6260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,11633759993308057088,17746990473528380227,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:6392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78bc0ec5146f28b496567487b9233baf

SHA1
4b1794d6cbe18501a7745d9559aa91d0cb2a19c1

SHA256
f5e3afb09ca12cd22dd69c753ea12e85e9bf369df29e2b23e0149e16f946f109

SHA512
0561cbabde95e6b949f46deda7389fbe52c87bedeb520b88764f1020d42aa2c06adee63a7d416aad2b85dc332e6b6d2d045185c65ec8c2c60beac1f072ca184a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a134f1844e0964bb17172c44ded4030f

SHA1
853de9d2c79d58138933a0b8cf76738e4b951d7e

SHA256
50f5a3aaba6fcbddddec498e157e3341f432998c698b96a4181f1c0239176589

SHA512
c124952f29503922dce11cf04c863966ac31f4445304c1412d584761f90f7964f3a150e32d95c1927442d4fa73549c67757a26d50a9995e14b96787df28f18b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
60f15f8d3d70c7235a0bd7748764129a

SHA1
fb60ac4a4b5856aea75aa625e2df23e9e955ed1e

SHA256
43d2ac9512956b537a2f31c39c37682ddb3cdc780cc34baa699920b99721e8cc

SHA512
7a99f24cde51ae69086d6abf2d629bad7bfcce331c68e9f5d501c6effd696b6c0881fa2f0e22923f7d889250be2a614a7aff230dd8a9c2019bda93400e555e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
36694e462a185e2476b9a8038342ead9

SHA1
b40dd5faf1ac4a58e6e4df4fb1a2dec16d3b14bb

SHA256
53a73248f7db167464a59f5b2119f09afec2d843e1ec17442c61f2293f83b62a

SHA512
38fa285b795353b7f5735d0de37eafe3093115753045f87295f5dd7a819792b814cfbdf30f0e94e85903f059ad0e177b859e1205a7abbab8dc8257c73b3318c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7d3258b5440a2948fe811844e3530fca

SHA1
f0d599469dc5a4d05b2f25474c1b63c5f0f8c5d6

SHA256
515dc07eea3362faba0389cdbeb4b59caee88d312b0688b5ffb15ce209680f72

SHA512
8079d0cd4c3e3143a93054079f4ae1580dcc919b40385f3ecea0b02d559e2f7f8c830321537998bd92be01130d28d7250465c83bf2e47ee7191f20cc6f76cac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fdac871e86d88cd93511df42e0d1e5f2

SHA1
5c469c7317e8b7e913e5ad4ed52ebdba6e10d1af

SHA256
e28779ce161e397995a6ddf58fc611f6681b298156d95c5d2650a8ad75e3a8a0

SHA512
68212799373d0bd80da25d52e09d76a8162f02a4fb66f951116eea46ca4960da681c2bda35e717a8e876299a880194e13283d0d5b9e5d929c9436c724c92695b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9010fe212d7da97a4e9cf63a903ee7a4

SHA1
8f124a736d045eea3c50a9597d18c9af8b128e28

SHA256
c2956b77f9af9f4d79e0198d8a7e0a5b6f880b4d597dfeee25a3f56c05d11834

SHA512
f763ab3261592107fb19b7d6134c7f4d02e921258b1c72f1e0c69a95ee8ed9cc20498259a279cca9648bbd213a5234b965a9196865d465e1f975ee9242e36326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
21320325bdfc20c6f4e4d136228fc9c5

SHA1
7e96950811d7ddbc1daeb7341ddb9768980bf2b5

SHA256
5e7ac2b978206a07d8b1841a2bd89eae4b466bcd8a0df3a62ae2ca0439b8bd5e

SHA512
ee78316d5b8edffdc83e3431bdbd28ae05a481d2a445ddf3b7c58bf0f01c6c42aead46a4d91e7fc75519a5ca8a7e2bab78749d88476c7a2fa0a25e8b3592bd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
c2384fbe1b4af65b303330b4310e6e7a

SHA1
57f68815472866135002b1fdf2dedadb5aab2d5b

SHA256
5d23161533f8f70c0d0a326ebb1ca2ca5a6e62a6e2b66a2b0bfc9e0def063ed9

SHA512
40712e16e5307f88b336f8e25d544726f2d6a72b5d890f8f3c8582171084d16081267d3a8130e33f0d2d1c8e0527d18594e8195a76e74a50e69b282762a439fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
a71f904ff7bf24ef694fc920149de258

SHA1
6b1cfa4ee3719229942b53187e35d1e409b6270a

SHA256
5e8e72f1361ebf76630d4c28813a4d78f46679249cd2e2be67fab0f09d61266b

SHA512
601fc8ec25bcd257af24dba9b86db42718c27e158801a12ab6e57a24c0aaef32a3ee8fbbb084d4e41288f1e4957d04f771431f827bdf22f211b63f7ad52daaf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5987d4.TMP

Filesize
538B

MD5
792bc397cad378fd16702946d21f55a6

SHA1
2185f8b62604f9b4b77bef8e75ef12fc5b290867

SHA256
46341c914bcc3da6857f119121e095b121f3bf7e33192b42d3977dde014afc78

SHA512
19f80be714cf251d60ed24479096cc6335e746b1d2cfbe668d657f4128127190d6ffd5dbe870ac31906209bc1c54b5cd615412670135355336ed6c2e75d70d68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fe23483d-2884-48e8-9a77-a65b1f136fa7.tmp

Filesize
4KB

MD5
5e5b03a17248f40e1349e2b9cbaa162a

SHA1
6129f9ef5271e59137146e8dc28a2b4488634fe9

SHA256
f2a8b64da8f849806064c36a187bd6f646b191edeb360f23e89c5ca5b8b2f08d

SHA512
23fa46a225ea79c053e96009dbeb21949cc79f8903ad359af62b732cf5b6b8d02bb36947a2301344f7d16c3cdb919b4a56d1f252f596a9494258a5e78e06f780

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
65da73189490886bb91a9741d24d4e71

SHA1
ba02e598ed42b879b7ba9cc8ef2cfa3360b61822

SHA256
36f458deb7030785d6ed6f017a10e529557a2c304c15b3786f7e89f88cd31cd2

SHA512
96b780e112f3c2684fe6d55798b49879c6db36636c17c649b10f724cd1287b3d769b20c8ea4261037da2e6a9afea9dc35f39d531bff6aabcb2c508eb998f65c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\@8453.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7a03caee2cf46d9cd2cb6ed9c62d38a1

SHA1
b23a64ae09a2dc74c17f81aea4b5dc2b1347c168

SHA256
4dfd49992c8787ade319fb7a63a7ca9f88e97d464a12626ac7f473db5ee8d15f

SHA512
3243ff0b9768e230e1e8718f11869c25e89365c078581eaf91bfefab98b971d02692955fe7aae26c51d79301bb6527c87dc6b40a225ff2380f7c42305fd42566

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
27889356124dbffb201ae770716059ce

SHA1
f031dc04725e223402f1c6ed8e2915d0e26e9f83

SHA256
8dc9bea8c151306746ecec3fd5d0d41411c3feda4fb415e49142872edf3c1e72

SHA512
fad0f81d2e32739d6318199e41275c710796b448c982781e7c8d26ad8b1a9b788105605e9c46e4249889199e1d8fb53cbb6dd88b9aff2f6a3ac8e7ea1266230a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\AlternateServices.bin

Filesize
28KB

MD5
d5c7f45adff95c5968ddf6e87e1791ca

SHA1
183c85c53e1be9c7df0b92bb29765ca628504890

SHA256
d5043ef062004263204d0a2cc7ee279be178a244600833a0130af03ee33696ba

SHA512
f130658b6736c064d9bac2adbb387e2b24bfd6c5d5097d507d63c11fa14099d3f4924a90fbfa8982948b0bd185561b5a8ed7683a2044c6e8b197d6d13f15ec23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\AlternateServices.bin

Filesize
8KB

MD5
2521116482e417781f9b914ad875fd51

SHA1
fb09e89d6d67cc508265080a0b0ff668bad03ab7

SHA256
5ca1e5f1e1a94dab335fa1090fd565c63820e3cee11c19ffdb9b52e449321b5e

SHA512
5c942c3fd19fbf0835c54efb18b6e78eb7497881ee84277903920f1fe92472a1cb7d1a8e6a940578c5b322e250388c7a2438aa5a470501065af238d79967df2e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c6fce153a5439a1082b617f3ba882631

SHA1
d8f2c6e6b1d9c189588f34f9b9b20d58fa0961dc

SHA256
a1c145f8c41978b2bac330391036459a2b5b8cb6e93c0bfc4d19538c5d5454f0

SHA512
230d9ce534d4a75b58c73ab37e2badf542b36dafb5d1ea504fbfec6e7a362ef8800618f83aa7ac91642a499c4047890d43c21f41281b771ac7c5c743b6d108dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\1c067523-2f5f-4619-af73-74c367ef0e02

Filesize
25KB

MD5
f20efa8e5b46d7d53f9749487c5ec876

SHA1
d927f4743ba92e61bd5d5df55dd5b0c10c63b4dd

SHA256
8f215fa1d9f6325e995ea4c1e49c5c26f0202e731cd96349f3660847e4b82f32

SHA512
df452ffa33536dc8b01e782a65a8d98857a9534bd1c76865beb70a147ce195b0830c446bf3ed8e934bf743845128953974feba7a28d646b3abd1a322d5982f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\cbabca81-74a2-459b-9e2f-8c092a31e884

Filesize
982B

MD5
8f193bf1381204bb56ced3dcfab18494

SHA1
21f7a95d4b403cc556f82a991fe542611bc54277

SHA256
e394a0a6d059a25d5f2b7f555aba276e5c94e8d925eca6140d67918660602d49

SHA512
611d64ecfbe9aa4f22789bfad1066facc45a731645e5ad6f1ffead9f4471dd212f81c5061378d0c487bfb7de415547f5c7fe15be9cb61b5d9f7f84700474e07f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\f272db46-534b-49fa-9e81-7398b18ea004

Filesize
671B

MD5
c54837d671ce4afdae81797dfe91a64e

SHA1
4b05f5678b4a1cf838cf88f768533959431ed621

SHA256
4cc29fe50dd3183da904bd26983bcd251c997322308b324266ab06a79a832fa6

SHA512
21cbcbb050ae1af6757fdf0b9bd7aa89027e9efb2fafa64854b952c13b32c836c4a85d526c04cf0373123a76a0628f53d662806210ae1adb4d164241d56bf544

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
10KB

MD5
d7ef0a4b7020efe795dd46f0049ee1dd

SHA1
058b643f9f1d3ba4a381fb5c45aa38fd911f130c

SHA256
2d41bcae0c21707a78e2cc9f5f588ba30a13a53773e68c2790a64dc3be762f43

SHA512
34012e069a1dba4feda3540a74a6377399acd83d3ac48b75a2c40babc12cfb034b03af2790d8d1ae2d16363aaff91c1a2bf7b83ce6becc076a2c2e1220f393ef

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
11KB

MD5
6003d4bee1a08eb94afe5caf1cbaa73b

SHA1
9a01f4e7603a8f82f5a51d79bdd0321273d77278

SHA256
7b62fcd6ddc9b90f849f809e78b0f21fa16f02163697282a18b6a694662e4314

SHA512
4a390e10289fbca9771065d3bd900967d886875558689f505ecfea0f615a7d5142eb39d38be3b2d31b02a0b46f3ba827f48f85316dfad36e0e104ce94fda1f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
10KB

MD5
54931a357743ad2f5b40fcd7154fae01

SHA1
279bdd1ed22d1418c5d1696690393c5f0426f735

SHA256
01bd09614e8d423e6ded7cde875491236af666775170e9b2742a41d4327792db

SHA512
bc49d6514c45772d04f4ccf08e2e78488da35fc74105a1c9fb335d35154f53c05fad5b2e73cb20e0a22c89372e0f48e40da69cf01cb7ee621fda3335eba31c75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
11KB

MD5
316af1b6bd833231a90647808228449c

SHA1
bd1ff3ae59deaf5550a0de29221eac556923c5bc

SHA256
56ffb9af2abec5cb92844e0a4c7b782bb8166db2373b4caa558901f830eb9bdc

SHA512
0643f5576be4219f9634108791e787dc92a8112ccc86e3e12c251d876705a9f9b2adc9b6b0395930b1f20456119407307e1322b2f34d1023f2475f0d13fe26ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
2c9e2d74e9b922d1ba77e7c51076171a

SHA1
02ffedc5d9648d64e4c186932d18ebf868dfdf5d

SHA256
764ea48ecde44473a886d8b09e03db6f41a9c8e5be053afe0cc979d2f122b808

SHA512
2b8c39c784fc3522f729a5926fc0602fb65b197d130a4a268fef943ad91e1ec9d348ddc1f5143c2780281d9f1af24b41a25d71d32f507376660b9055f9c3c897

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
ad34f5ac0f9dd84d0d7e1f1731e29c4d

SHA1
9d2147b40e247a7776f2e59b8fd8387a9d857231

SHA256
ddad4bfeacc9f9661a99af183ca3752c173871a4d206cf8e15ec212536d67250

SHA512
f2c5454725aac88740e21a10df7890b904a1ba6c423dda3b86e16f0ab4e25cd62fb043d9bd3e3273a8eca757e49ff99251a4476e3f23b4d048a6dc6736770ef7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
6KB

MD5
ef8775a8b3c01977b4c84a0871b4483e

SHA1
07c3e5767f4ec225f53bb00a3504cf6a5de37405

SHA256
0828b72a834fbadf06e56fe0bd595565ee4b8f19e26bd15b4ab359c0121340a4

SHA512
01532d1f828061e132c7790a9cbd74a870db3f438b42200e0abbfdff1290dc7de6d1132c639f45a89c64c6f74d7e6c5cb5fab0b5d56c58a13b4ade7c792b58da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
5KB

MD5
ecd6a7dcdd6257d04c9c9e5be85cb86c

SHA1
82bc287dc76b335667607e1c22279b77de7950ee

SHA256
549ef85fb50c4c5d65fe4b64c24e364b9aaecff3f72551fe8b4bd1aafa7192fd

SHA512
d68c9c7c9666698bcec003d3a7a8f8a3c51d98705b3bd69d5e66c15ba1e25c6ce3c120fbc676b360f151f41a6d5801adab742c3a31db3f0b284ade5533ff0607

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\storage\default\https+++www.youtube.com\cache\morgue\202\{7df583d3-dffa-4f4e-a1d4-2aca85689dca}.final

Filesize
192B

MD5
2a252393b98be6348c4ba18003cc3471

SHA1
40f75302fcbe4a8ac2e33a8d9daf801abc2a9598

SHA256
04cae3c7b208fc55b25763913d0bbdc99232942086efdf705f2a27764be6f5ee

SHA512
07af4a7b0d10f1b5e1fe0877b21abc98483d78797608a1763cfb71e25559fdce10d20f03c16f4284d7ae7ab90266f45240425e3a264de9525ec1657345b85198

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\storage\default\https+++www.youtube.com\idb\3951151508yCt7-%iCt7-%r5eesdpco.sqlite

Filesize
48KB

MD5
97729696e60e991863dba6fdf514a498

SHA1
bfc1477ddbe7bed7bf6d820e64fdaa5f9f79040a

SHA256
badeb474a0d9ddf2f445f201493266ecb0fe5579c64b03922dfd48f0e8a8ec24

SHA512
9d14202ac418adb755d114f2c71ee62868528d4a8d6be0890b2fbc8267d232549e6ce5531783524643642eed7e32828457a56123bd02ab5d89cc78eeb33a4efa

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.001

Filesize
492B

MD5
7a0f1fa20fd40c047b07379da5290f2b

SHA1
e0fb8305de6b661a747d849edb77d95959186fca

SHA256
b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

SHA512
bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.009

Filesize
1.5MB

MD5
77ca75222e9287b15d5a1a31bee0d4ba

SHA1
3545ee2b3583799e96d54288806d66b5ab02d18e

SHA256
1939eacf333a3fea2031fde0909959c310b7ca858b89eb7b9a408bee622a076f

SHA512
44caf1642fb64325ce1a8847917410823d5e10a52106506d4c0ae4eb7b9424820cbd583856ac297fb805f3424b5784447943aa8805f23c8140fba8391f480d3c

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_08.jpg

Filesize
113KB

MD5
18150413d79e769e302b06d1b9826080

SHA1
413e69fd4035ea2d290fcc892a1faf3eb393e20c

SHA256
5c81ce0d751c0ea26b899d8c47c290ade95b0855c24133af222758ab1ed29f4d

SHA512
952c79150762f299ddb777eccdddf6f0f7c6a8bdca89bb14297cd7f84f95d416daa87d95e2793ddf113d0990efd2297e4ce86d6ea7dbf5fc2a7b0b9b06df1b0f

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_21.jpg

Filesize
42KB

MD5
fddd534b2e3ea9e931ecc5539090f35c

SHA1
08b8f65888520552ffb337f8e7df169a0c14b67b

SHA256
cc7a71c44cca011620445c88a4c3826cf082fac21b2a4c674bac1eb8369a9747

SHA512
56d3ec7caf33064ca81370f3f938c8405194de8a8d9117b67347fa6cc401222e66ece20309fd8254699d03005a644b96b2a08a8a20eb23ef4a285adf3fba2393

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_26.jpg

Filesize
47KB

MD5
b08364f1ebbbb63a70d59c69d6457120

SHA1
5dfacd54068f52bff1158d57887981d58e9878e2

SHA256
3ac68b397efe07cd0ff19723f297f3470244f52818528890ac569f2c6935d88b

SHA512
d9a01d626d2057bd6c153ec1164b6eb3498ab6f1c36a09ca5deaccbd72024ced587ab84625c3691f22f33e3ce1fa0caa3ce1b619c3d2793e46dda35e7315fb76

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_32.jpg

Filesize
48KB

MD5
65392f242bbe14ddb634479bc1f289d6

SHA1
7afd67e2ca856074b32f48154a8934a1f787ba2e

SHA256
bff9ad14ef4a8e42c30397abc89c030cd40d0970f0cb0821e4f6b105b197bfad

SHA512
ed57c6a5b6e835a51dd2d7d9d4dd611e49f469ab9a9d08185446e52c31672cb8441154a00c08e2867288a2d33d88b52e698c9fa6e0da274bcf4358cab1383216

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_38.jpg

Filesize
118KB

MD5
17e5f04882fe8d150e0cda7d9b1527f9

SHA1
a7ba7a28eab01ad32e80bbab771b4d6794c8be78

SHA256
0ac0de1d0f78a024335b0f5b72faa27d1b4c39c2ebacc81ddcdad720e62a0d0f

SHA512
5d6a264ccf6e3a9daaa8e14b0aa763c1e60eacbcd32c73d31e9b4af6ad52f3bcd671c830500a94640164b228740b1d275e60cd85836e38bcdfc3dfc1da6d43ca

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_47.jpg

Filesize
61KB

MD5
b379bdf35b248a4947e1d26f4a330175

SHA1
f78d0ab335cd3bc1a530b1ed089dd06cf41e61c0

SHA256
72ae081bce6b7de905cecbd24901b9056ac16a585e4ad7d72ab65f29fa7c48a0

SHA512
765766cec68194114174b27c94c33095e57164cd70fbcc154874059ccb544910e30ef38e2fceab0b9a4ac790910028b095eb78bc3185f46bffbcbbf0173d821f

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_56.jpg

Filesize
43KB

MD5
fc1361141db424a55a2e5015cbdbd622

SHA1
947e06c86723ead0715ed6dc428df2f1de3aca8d

SHA256
af7621e6e1070b4e8ec521dd51ee30cfc062cff4ec870f1e00893124c13b7396

SHA512
960b130aaa7b1cb38f269dfc5ddd2d229b0b6bc0520ec9ca993a1dcb4b231849343470735342c0ffa3ebd61f4b7e65c5c19a4110a3ee14e948ee656a00c9b23a

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__04_59_58.jpg

Filesize
42KB

MD5
5ff066b4f0d16fe0c19cb1c1c13fa0eb

SHA1
e8f358041cca29278d9e0e9e62dfd7edd29fd3fc

SHA256
bbb890d6ff21b914ce79be51ba9fd2ae384a6338fd4a0eecd0b399f2c059e883

SHA512
13cc16ea20f4d2d7f0703a8aee6f810e053517116265362bdbc9d1e697e95c4723c08bd0d22351dcf3c0b57a6e3c92ceea508af9ea665d75bf86c0b85577b720

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_05.jpg

Filesize
138KB

MD5
6ed4ee942aae94ce489bce0e32e47fd7

SHA1
39ad2932ac668995a7bc00fc0ad263ad7c6c301a

SHA256
26c14eba64a87655401cb9e6f4a98e9d792f6c2c18a95929e95831a5eff145e2

SHA512
ee0e9204a2a72c8c8c94acc35e75b74fc2b56eac9a8d334b35f9d9c63ae9bfc9d9c822925722ca4476a70bf1a1a68af27e08b84bf5777120a247d667949ad15c

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_28.jpg

Filesize
77KB

MD5
67bc5edbad8a96e2e2592daed3e90a4a

SHA1
9dbaec492547ac1182a33f688bcc8097e5e3d085

SHA256
dac997f9f1ba1babe3a8637579d6b2c83d5f0030520ab074211b28ea3309ac82

SHA512
b1bd55436db1cd659dbdc166ac1f0733b582d200a9135cecdc397731230de629198bf998457ca3200137a84727259cfd77bb15834dc2fe9bd082e1912ac113cc

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_31.jpg

Filesize
57KB

MD5
44397ea431b386dcb7f38ee23f560ebd

SHA1
0b338ab8f32059844a19178936509452e033cdd8

SHA256
e40b50cf255814eb65cbd91f555e356d7a0cb445eefc7a7bd3a1a55b8b689d1f

SHA512
ada5ed097115c9fecd9624d7e41bfb6101f09664078dd3d45934e1e9d3acf5dd5cd490d9e90cc260aad87de0fc763876d2b36cbbbb7cde60716efa5d375ec86e

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_00_51.jpg

Filesize
144KB

MD5
46448785a180116034b36e58b4b429e6

SHA1
af24d84f5f095efedb4b3ddcafe1856ecb39e4ed

SHA256
b8f841810b0131650d5c017234e5f648d9278c787b43c210a5748a6f378f7459

SHA512
0409f9ae24e6dc620ba7dffeb3bdfdab1b003b7b7e6ce9a85cae3cd694956040e766790a022e0a7846537a19e1a7af8b68aa904a0ff4d39c61156e6d0cc9138a

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/2796-36-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-32-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/2796-27-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2796-28-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2796-24-0x00000000022E0000-0x000000000233A000-memory.dmp

Filesize
360KB

Download
memory/2796-30-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2796-31-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2796-37-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-33-0x0000000003340000-0x0000000003343000-memory.dmp

Filesize
12KB

Download
memory/2796-38-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-46-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/2796-1140-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-45-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/2796-44-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2796-43-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/2796-35-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-29-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2796-1308-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-34-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-1737-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-1849-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-39-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-40-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-1001-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-368-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-58-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-2060-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-60-0x00000000022E0000-0x000000000233A000-memory.dmp

Filesize
360KB

Download
memory/2796-41-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-42-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/2796-2232-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-26-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2796-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2796-62-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download