ardamax | 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

Analysis

max time kernel
420s
max time network
390s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size

783KB
MD5

e33af9e602cbb7ac3634c2608150dd18
SHA1

8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256

8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512

2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP

12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0028000000045035-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3785588363-1079601362-4184885025-1000\Control Panel\International\Geo\Nation	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	DPBJ.exe

Loads dropped DLL 4 IoCs

pid	Process
2656	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
2572	DPBJ.exe
2572	DPBJ.exe
2572	DPBJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe"	DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_33.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_52.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_14_03.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_19.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_47.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_49.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_50.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_31.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_14_37.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_14_53.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_01.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_23.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_12.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_45.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_44.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_14_10.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_28.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_14_49.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_41.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_08_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_29.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_14_19.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_26.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_34.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_44.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_14_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_08_53.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_23.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_44.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_15.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_39.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_13_57.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_43.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_30.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_48.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_51.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_48.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_12.jpg	DPBJ.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\fbc404fb-fa2a-45a5-bf96-aa8508e1105f.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241124050908.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPBJ.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\MiscStatus\ = "0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Programmable\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Programmable	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\0\win64	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\TypeLib	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Implemented Categories\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\InprocServer32\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\ = "Help Service 1.0 Type Library"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\0\win32	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\FLAGS\ = "0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\VersionIndependentProgID\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Implemented Categories	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Version\ = "1.0"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\VersionIndependentProgID	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\VersionIndependentProgID\ = "TDCCtl.TDCCtl"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Version	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Control\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\ProgID\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\ProgID\ = "TDCCtl.TDCCtl.1"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\FLAGS	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\TypeLib\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\ = "Ecawasi Ewigi object"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\MiscStatus	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\FLAGS\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Version\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\MsraLegacy.tlb"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\Control	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\InprocServer32	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\InprocServer32\ = "C:\\Windows\\SysWOW64\\tdc.ocx"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\MiscStatus\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\0	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\ProgID	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\0\win32\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{553B5566-AE22-4B44-46D8-0CC8A8269A29}\1.0\0\win64\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{31CB6E03-5A93-405C-2F82-872418CB1B21}\TypeLib\ = "{553B5566-AE22-4B44-46D8-0CC8A8269A29}"	DPBJ.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4848	msedge.exe
4848	msedge.exe
1740	msedge.exe
1740	msedge.exe
2416	identity_helper.exe
2416	identity_helper.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe
5856	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2572	DPBJ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2572	DPBJ.exe
Token: SeIncBasePriorityPrivilege	2572	DPBJ.exe

Suspicious use of FindShellTrayWindow 20 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2572	DPBJ.exe
2572	DPBJ.exe
2572	DPBJ.exe
2572	DPBJ.exe
2572	DPBJ.exe
1740	msedge.exe
1740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2656 wrote to memory of 2572	2656	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	82
PID 2656 wrote to memory of 2572	2656	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	82
PID 2656 wrote to memory of 2572	2656	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	82
PID 1740 wrote to memory of 1568	1740	msedge.exe	97
PID 1740 wrote to memory of 1568	1740	msedge.exe	97
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4872	1740	msedge.exe	98
PID 1740 wrote to memory of 4848	1740	msedge.exe	99
PID 1740 wrote to memory of 4848	1740	msedge.exe	99
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100
PID 1740 wrote to memory of 4372	1740	msedge.exe	100

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2656
- C:\Windows\SysWOW64\28463\DPBJ.exe
  "C:\Windows\system32\28463\DPBJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2572

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x148,0x14c,0x150,0x124,0x154,0x7ffb6ac046f8,0x7ffb6ac04708,0x7ffb6ac04718
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:1976
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff7fe655460,0x7ff7fe655470,0x7ff7fe655480
    3⤵
    PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:6068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3388513540863422580,14715182401908446750,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
843402bd30bd238629acedf42a0dcb51

SHA1
050e6aa6f2c5b862c224e5852cdfb84db9a79bbc

SHA256
692f41363d887f712ab0862a8c317e4b62ba6a0294b238ea8c1ad4ac0fbcda7a

SHA512
977ec0f2943ad3adb9cff7e964d73f3dadc53283329248994f8c6246dfafbf2af3b25818c54f94cc73cd99f01888e84254d5435e28961db40bccbbf24e966167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
557df060b24d910f788843324c70707a

SHA1
e5d15be40f23484b3d9b77c19658adcb6e1da45c

SHA256
83cb7d7b4f4a9b084202fef8723df5c5b78f2af1a60e5a4c25a8ed407b5bf53b

SHA512
78df1a48eed7d2d297aa87b41540d64a94f5aa356b9fc5c97b32ab4d58a8bc3ba02ce829aed27d693f7ab01d31d5f2052c3ebf0129f27dd164416ea65edc911c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
f27f8d2f1b2e8ad1fc574fd89c181afe

SHA1
0c99b4b87f3a52d6e470d1c0f856f66f6efb65b2

SHA256
6647da264390f3232d4ee33c9cccdbd7d072e02ce7a010695d2f0f665bf0905a

SHA512
0d77b0c0b99b925e740ca1f9686a308a2f08a9016ec8303b8da84e4e4ca12a0b7ea7d6750fc5d5ac8a51a05b41e82e8838d5c0a0182c2a733449f7ae5b8f33fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a80851339f74abdad2308ac383b0b848

SHA1
4a0384add6f6d4187a52b50c4f774ec5ccb51fc1

SHA256
6fc6ac4951fc43e1174616576ede5b2b4aea99dd22f03a6176dd5e5c8bf1d7eb

SHA512
2425260b384fe0a0abbf35fa0a0e43072cd5f9010e6ed905d4a64b647b96871b2baf292b7b91f78b126d62b06c8ae4893bf1f7ccf9c956f6591bd5d0906dd33c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
693B

MD5
5dd3b606dadcd0e941ff91ee686f2f52

SHA1
098f0de9f3b4791991616f17714697b8241d75a3

SHA256
fba5a6ca34f612ff12d57f28d86a2a7e7d340ecb1def9836ca82e7d320a4caa8

SHA512
aea8d37b667a229bcb4070b4eb3eab9a5c662382c1f823e42c7e2173f2b2ef38e8ed0e3fbdd99987fcecebc098853c51e35b480df2be70d7194f39342274d9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6efbfa5e7bd78586875590e449179654

SHA1
eb901033f227df4d675f60405e344869219c6580

SHA256
24d4c0802c446667b2631f132b0f751a5a4e9207078bd4fbae778d96ff7fb9ac

SHA512
07f9110e2c3cccd9dd494862633cbf63c17c582dcd1881022f738ff2fe3c442397305568658e94ae0eb944368c297f2a90aad48e00321566b1bd09786ab98e7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92fa04ef13490ac4ad938c08a814a075

SHA1
b3372fbd315517695d659ea35186865589092994

SHA256
cee4a7ebb2305a8ed9e7a54b09c2dd68e862b54e45ababe57088bbe5915d3411

SHA512
206bbcbb1449f176fa27b4a8159345ac7c49244da8efcf649e38ada1c5fb813658d4460eb980c7a066a59348a20edd8ee4019ee2c52d823806d63143ea74e2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a4472e67abbb51a93ecc4909a48ca287

SHA1
bda3bac5c0ce398f0419a45eab9e68288a2dfb90

SHA256
0df1747ff4ec22b8515e79e5d6080705bb46a5620fa902dae294b740532bda11

SHA512
c1b2dc743341a0e215f6303e74f61df995be21fda5b59e753c6ebecd4c2bdea8c32c90c0d3c8db749395be61241893440da65ec598c4b1dfd2996b4fc26f8a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
e67d2b94f3304ee60045f27bad432d49

SHA1
22065edb7444b6d643a6ea4e5c72ecc5e89ab245

SHA256
350c790cc6e5965509877fb2b11bf688f4fa4e35abf4eb07abe641e1b5c2239d

SHA512
d23953b959610f4d54cc6856367bfadfadc7e4672e0ef5cf7ed717acc913237580483be887ed2b3ab3ed56339ebc0a261d9008d01a98cf0748c4e5e19e2ea03c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fb35c7ce5aac422b04aad1eb9be2826b

SHA1
ccda540ada2b186936c90f4ccc39a9d2bd4ac5b7

SHA256
b330aca99cef96b3881adc277180958cbb655692c44b6503931bfdf9780137a3

SHA512
9f17edbca68af64029722c6007bfccf957ff980b76f0c1d4fcd1eec2e4e612a3334fc1db1591c961f9ea0f0d79e4e80d26665fd8ba8c2c1108ea35df66a5d51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
171e8a333f5abe52feb07a425fbfea4d

SHA1
372a197e811b2ac10d3246eb2aa52d5c94afa395

SHA256
fd6c8a9ea010999321fe814e5913056fdc1f6eee7bd73927f222223eae49ccfa

SHA512
b22e3a964a1b5aa6b353154d2c7d5c5d7a0dac88f2b78d64522b8b5ab19c7a973c06a4011a8b6a511393986139d186e0cf43481ac50a3f3317d08e43de69e51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
96cbdb49a28114a33862ccfd8a6e1f34

SHA1
ce5c316362f90733f617748b3f9f22d9844cf4fb

SHA256
2522fc00afc768e4a3624359547215d997f2d781a6d001f3150ace17e84c56ed

SHA512
4b0a3bbb86d0553fbb126029f810a08f60ffbd9a0977e963d74cfab12245dc8869f508ecf29e07a39be4abd4e08d0f05ca971793ede6910234510b2c9f57fab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
952a6e3cbc50f011cf2f04c9470080ff

SHA1
a0d6a2509af73e523c970f6e4351861bde63d6db

SHA256
faa79ba7dfd140106187ab50f14aa7cca13650f94f796419bc0a44d7a2b79d5f

SHA512
7955092a6086f05268e4b0f88648d9275020b6cad83f81c90eac5a7cd994cc243b8dfab579d4335db62f3577fd2d8a7fbefcad6cc615e2bcf1d014115056cde4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
74d9eb5260fef5b115bec73a0af9ac54

SHA1
18862574f0044f4591a2c3cf156db8f237787acf

SHA256
7d7e7b38664d625a0bbffbcb7882b175709e92987bf9da113c4745fafbbc361d

SHA512
b85917201b1d4b4542a4424ce40ddd083ddbd0e230e1931fe6f7cdd2aa3d8a0eec8daa743ddc5467f0a92da5594144c602081d941b216ca9cafdfd3c150d32d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
924e109ced7a49325ece7756c5639bf8

SHA1
ac3c898f4e9bf3810d82e65d8115b15d7b32656a

SHA256
c30c43a85e673074844007145a61b2ef15c773abb66b470c6f764520a0d91d7b

SHA512
948d00dfac82edc00da7389fc9a5ca6d43719db753755fe69fc49b136c13c1d0eaa0a6c581963f6d359e265910542a8cf5c564a987325a4558f451cfaffe194d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
6e35417dc6ff9635a6252e13a4d32feb

SHA1
f4dab0084bebb1b1cbebf34af342c21409d7b5cd

SHA256
2332d10599b6ad2170f5eb420e5fffa0be1844f90b129e1321f77e85b003814e

SHA512
a3c83c96a8f7a3aa9469e5728d8f2bff6e5a2169ececab0768cd2d110a9e178478c73e6d853271933d92c6a38d04bdcea7b06a6a9b5713cb4b3916180fb0b602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
1898093dd97e9f4c5a1167c344456033

SHA1
8931304c3c10bf6067e4797e9e2bc8247c62b0e7

SHA256
3ca059671eb9a72c012820d04eaf95d5eba63cd28c4b3e083980b83cc15d12cf

SHA512
c492348f276583ccf1b8d30be19f7c889c28c8d0759919c23c58040c9fd407b9b4b22f9dfae5e8b8b8235ae884033c14ad6498b22c8472cee7ffa24e92a448cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
4398ca18621fb4bd892357d351544670

SHA1
5441844f7bf934e41a98d9be06b4251b230132a6

SHA256
f0869b2209bd8f6343f6db4a478bdb90c234bef30ecaea0f19bff2771d269358

SHA512
03c3bbd6cc0d3f5c65937b9463255b9a4568755c2402b6ff387d9419bf8768bfd9443478e59558fba2b8568d458b1f85350acc046b0b7f88e99927e6947ab1fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
fbe00c41e2682a1e6502b5f1fd8d33ea

SHA1
e33ebd5727d024f0de540779a2df667b3b0aee0a

SHA256
30a28506c15665fc0715fde767127c3b1f45ac137529a17e2f867e3947166eff

SHA512
c51795dca4897f9e0440f82305a227a6a1bf0278bf82d4369875ebf7567f55b7beb815b32a55cf6fbf00fc48d71c6e4e109f671c39200f7d7bdb5395f2ffee29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
3811dfbcbfaf276954079fa7811b5b21

SHA1
7416ba1753f92aa8a40aa21be0c3eea2aea72b71

SHA256
19399cd8f6105d1ed065106ab2f2bc4811796abb1c02f7103803e9ac6989f5fe

SHA512
78bd2223dd4aee99849fba862c017b159550a23d48d70912e1c250993cbd86ec06d88cd94068b0ef6f9f53f2bc69265772f0a056007f3a008c77137f84391a4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
4a7e2f3d4c1640cd3c8833b51bb00e44

SHA1
737300e4e1fc9af165d3cc4f980d068bfd31eea4

SHA256
104668af42822087c755a4c44de78d66f7a3960355df575fd064dd4a55d93993

SHA512
aa8680363cee432ac54c8d9025598500c3b84a74c2c690282b112788c8a6445255590f5e94f432a0ef3894fe3b28794a6ab7b3a6b4296dcc60daed6d64d4626c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
5188589a00c0886a2d7712da6caadaed

SHA1
f2f566b07b49adff057f5ac8f2ab58afaf5c9058

SHA256
8891b23bad1b4c198496878cf78cde5aa9b88b556d8d3ce99c4b2bf9a88a62b9

SHA512
bfd9758c53d8a3daa5970ff7167e02145d1902fd1ac95d9172ab742821b4970e3cb61564560701dcb16ade8db97bf0035c715ae66276b130d68fdc7d18e3e04f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
9a191eda5fc7f88c9c849f758d7e22f6

SHA1
46699411a8f6df655c1a883ab438802f42dfeb53

SHA256
b06f76bb96a65720316c26adf541eae663bb2523f4266d18bde1d160bbac91e4

SHA512
5f02b5548630672050a68e63184959d6a12cf1e8c170e0b047466b4931957268eda7830bc9a4f5530665a196858170dd96a1ffd9ce387dad67880846e497e56b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
703249e59c8eff9c53a2e1c1e8451b03

SHA1
0e93ed2d2d0df0276b441e374aa341c2e4ea1e86

SHA256
fe843ea5461e6c78383515a4cb209af732f41dea2a666f439e018e25bc620116

SHA512
6c48049ae1f90cde259509bff5e80f3943d8f62e53c42b0ff3f5b02d83c73c12657994e8020128254d7bc17f2262ee60f4824374c980296a12b36f5ea63fd36e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
b8e9232f638ae5cb0c63c68e119301fb

SHA1
7aebe04a93a1a23c60d611f547cd7167089f1adc

SHA256
3907c4f8bf823ea88779022d20d905b72e4efb13556ff5226606bb792bd58019

SHA512
b5559a15fcce21756f995f38f5a606f7c76ae55ff55e496dcf11e1a57ee8f3f8c524d96e7fcf7b8a1545fb12f1faa79e4c15da9222b0fb8ac0553aae6b6f64e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
870B

MD5
499cff4138740584206c74e095e82bdd

SHA1
4a8ebce3ef977e56660ac94f464b703f5c7f417d

SHA256
4a81437741b4de8cb182a3c3be29aee14a10e4cf32a9982de14648ef602c43ce

SHA512
1a6c2f86ba82c1e68ec177a6104f8d71f7bda49bf00d7a33c39457f5bfbdcb305c6c793f5aec25d314e36de53164025c0f4e5d4d1a30cbdcaec79291b7d4c996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58aa45.TMP

Filesize
536B

MD5
61916879d4d78c13a5701fcf9cf6d7da

SHA1
50f3593d7cbd3739c52dd2cbf8d3842f20fa0940

SHA256
1b81e0c76d3e3863b91bf355350c84ea75496d6f299b4eae90b14a7d1cbefbe9

SHA512
ef4e321d4e392e044681fe4f549d438f9a4b27b5065815e5fa07eb22449eb5237f86abb5990e12ef159780a2823b552d712c33b7424e1130af4bf452fe470f8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cf7b5d3917a07906cb099331cc132f9f

SHA1
4066017e2192b34635e06c12e3669d8ec8966373

SHA256
31cd8b09fe9d97cb0bcf912cef5ccd0199d2d59016414b773d5c236a045bbebd

SHA512
0519f2f9400a54db235cc4a6409fdf401fe62387c74b17f85dcbe02c3a95a3aca386c4447c01c325b4010ef9512c0761ead31a69264de02887d660363072f97f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1db6fea52b4f4110c938b9669fff1470

SHA1
736b70f850bf0a265ebbe81247009a87058529b4

SHA256
2aa976dc7651b6525730c2d688538af5efce7d91973781e494f9ec05088a72d4

SHA512
2bb5f2ce72b867801f11ee6305eb4d958850602465d38651a33c72c78873a7d56013e28358028b31aaa0fabb6d8d9b474f079a7fda211ae495b900056258ddb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\@8230.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
a8048b0d3d67d70f20d53664fefdc6c1

SHA1
841c7ae31c37b98e16f0d33db6a5d8a23dd866bd

SHA256
e1c7b01487de7e67579d1e79e0fffaf275507cb14f5eb3953361a744c3ed99c5

SHA512
7aed4c4b2fb27b89c38277f390a4c0893d61927d13e08257beca73d89e9ee41f02769ba87f76d0ee7f4ee6667787512c9722312a376347885f8926ca97f198f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
80dd4b813a2bedd4ec89871124a5e018

SHA1
755d0b6e01f84175b538322c782522a92f7864d3

SHA256
9ef7de17a501504cea777e5f8775147cab4b1bf0a567f37341842df3aedfd34b

SHA512
cded44725f14c67c6553902a2b88ab2fe9ad1c645846064cec9a8d9a29537df75d5706029d9fbda8a0d1a8f78ee20674a91b9b7bad2a2ba6b84a713151aed2c0

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.001

Filesize
492B

MD5
7a0f1fa20fd40c047b07379da5290f2b

SHA1
e0fb8305de6b661a747d849edb77d95959186fca

SHA256
b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

SHA512
bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.009

Filesize
1.4MB

MD5
ccf4659c2880239fd7f069fc9bef5209

SHA1
76757bd14199310c3d83f9293ea98bd3b3d5147d

SHA256
d6fc3a60fca5d82f57484b99649e996ab66fd1c1c376b1666f89c824650098ad

SHA512
4a8a4c9f7849c8644e69f2c52c5814c99ccdf38c288d0dacb64fcaa589a0a232d6826a437481b595476b05ff37db9e234a8f9a83b6f35b0cc80d2f0a6da8d1c4

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_08_54.jpg

Filesize
108KB

MD5
c51c2b14d2d3b8333b26dfa1a08b604a

SHA1
f5b2f837d0b9c6bb66ae69239fd714faf2645306

SHA256
1169ba4d5c7e583891d287e499bf2724f950baae844e7a2273b10ddd6e15dee6

SHA512
11521a2aa94bfde9e3b6d32990d9bc1b2e52f27f76d5bf088905bc7a023efeec1f19d1098a5d77a48f70b2388fb1a05e54a48a95adc76eee702e3e003665e92d

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_08_58.jpg

Filesize
67KB

MD5
785a7f6c07612b5587d2098c8e763073

SHA1
fd28b36531d89dff5389d4cf3fb58ab0d69f5f49

SHA256
021e8e01ab5d8c1db0cf005a69cfb3e69877d32c74074dd45be9d82ff472226f

SHA512
bcc83765ed2072aa871a7551311380c7f7b96ca45f5ef3faf6f7780aa49f202abd747723b057d613d6867702fb1a577bca45016b3d55daac994f6935aaeaffef

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_08_59.jpg

Filesize
66KB

MD5
bf29ba36f3c7192888154baad66d88c5

SHA1
bd6794fecad1282222d2647f526f1fe5d02d6034

SHA256
aa3622f77f5f7635c8f414852dffae3327cad1625303ea5bfad9d58529a10d19

SHA512
7318956e660b6c5b289bf5049031fbe32ef3292a1ecbe1dc65cfe87d06344dbda12003b71a48bf82a25abba350a19fc3f97ce41a37ed6c24aca08c60198b9b1b

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_04.jpg

Filesize
57KB

MD5
723c660271d2c339625209a55f4b2be5

SHA1
8ece3f2a3c641c22be6093aec549637490ee8bd3

SHA256
c202443a5e2b8a9c8d9d275432492aa1f5964397b51ffa8400ede3f2a7fa72ef

SHA512
ab756c4054e415a97fc734c16560da1aeadce6a247a2331e81ec0cf5b6153b5765b8eddff53e925200e55244edc0b442209196957e88b91d2b14eaadb1ded652

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_11.jpg

Filesize
135KB

MD5
a6c13979933f8372bea43e47de8d02dc

SHA1
6f3bd305814e6ea5bba1b75fdcfb30b8dfbc419a

SHA256
952ba75b5333ef206f50eafb38599de83eda5f392471fdc3094525098b4ab5ab

SHA512
3870ca380c9b9cb2d0d93aa22a619d40fe04203f7151d85df3cc029c63608029aa92f1839f6447d436394b64c5c1aa56da38d3c4fb3477c06d16b541a92bcda5

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_24.jpg

Filesize
143KB

MD5
cb4715d25fae1b2079d2791d2db78013

SHA1
e4189b017ac7215d3751d12200d3f0b418438e6b

SHA256
d4abbb4dfc3b8b671024e0928df1de1e4caf77ae04c638ab97746c23673c31ac

SHA512
a4bbe6df84b26caa159692e45b3370933cedde23c56cc09483c60f2eead9d37cdac48cd33ea2969bb866d7483f81d7d704ce488c023b139fff74ec9791a3b9b7

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_31.jpg

Filesize
134KB

MD5
e1808faf1973773b783b6bee0fcb94fb

SHA1
c8ec3319db25ba19e1c99b66ba7792f031f551cb

SHA256
ea82e8324f3444a5ac853d55735b9576ab5257fa3e2ff1e82e9e6c15feaa4b99

SHA512
7d33e20363436a4d040f21688342cf102fc9f754377cf407b23c9dea117b4f9fe5836180e6c9e7738c8cfb2ce4f29f11f5a2fb4dc54043a5169e5055dad85134

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_33.jpg

Filesize
152KB

MD5
82bb488ee40758934d35a8dbf1cfb2d1

SHA1
e7a1d3fd30582e736be8cf25b34283d4daf1e7e9

SHA256
3475e4a25ee27bfa8822204e2ab650260ee484a8ce1d44100f74a419f3cb2b40

SHA512
00b6c481c11d464cdd2e5ca6c017e12355183d2173cdd66acd9dbee99cb8c48a37f8423c0d26f79efbb2d14837dc8a99e83edd5f0c305c0bda8dd85a26e1fb67

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_39.jpg

Filesize
143KB

MD5
a6f35b9c96a9619c08e5c902e8ef5dfe

SHA1
ed920364ca1fc0e6b31047b1403defe42279d9f5

SHA256
1eaad9c0a45f7be79ff759bb99bd0ee9ae8ce3e019b8d30814f8512fa6ac0011

SHA512
a8151a366513d1f14c2cb5575c96834fb5c8bdec4efb6bf640c09290167486944c00664f5c0fd47ad7b8320c226ffdc538220fe23a237e7b0faed9b671c22f14

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_09_54.jpg

Filesize
121KB

MD5
22e6fac2b16a316a1e836009249b7e6f

SHA1
e58c413b433abbe177939e7b929336b6f20330ad

SHA256
8470e8353432f7613e44f7d3c4cf94cae9928c7a7e7af15b22e100eb72563cbd

SHA512
5e767f15f9661b886e52389efdf2633c59308fdb2f05d66fecfd67ed8011797f8e0a2d2cdd2140796e2cc5ea3b667ca4f7e62e5f3262a8496c47b05888a141ff

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_10_00.jpg

Filesize
113KB

MD5
03a199ba05fc84be80dfaf49ec9c38bf

SHA1
f3303c445e44c6a79b6b63edc8cc15a2538d14e2

SHA256
22eee9bcee33c4133b2c4eeff74cbd29d4c1da01059f0442b61f5fcb13e5ed16

SHA512
f02baae2e7e809877473d9f02753fd2927779c59a1fbba284a4db1124753e3b9dfcb77b4088706286b38b9474884ce2340b6cff56fa6666e938b0b5b1dadf0af

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_11_07.jpg

Filesize
122KB

MD5
4c6698defb977a8d331ea346531da964

SHA1
76eda54d841eba49dacc81741a9da4d29ea48d7f

SHA256
d080577909b4af166f3713729afcb914567b0f527d46169c8199e240a489a02c

SHA512
675f8ccaf28d45264be1942962a649d88838a120ba2a27adf3c5a085558af8826f7abb49d58f1e836383d7618b3190e55af692d78858d7118d8d5a19d583291b

Download Submit
C:\Windows\SysWOW64\28463\Nov_24_2024__05_12_23.jpg

Filesize
120KB

MD5
3dc046b315f0232dbbe997e62dff2d27

SHA1
987214f105c861459df23deb389485f6e4ba1943

SHA256
55fe6d6b6317547045e234aeea8a07b9806b60f6708cd1e60a9b7dfd35cbc4bf

SHA512
3d4efb8a02aa5a1690eff45996677a563d136d58b68cfde0cb775c9b15b32e102c4ceb5743098dbdb05c86e073fe48f5f14429a3f1c17d6335a11b00e51f8e5c

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/2572-28-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2572-31-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-445-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-652-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-32-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-339-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-34-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-35-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-36-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-37-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-30-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/2572-43-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2572-42-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2572-900-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-41-0x0000000003200000-0x0000000003203000-memory.dmp

Filesize
12KB

Download
memory/2572-38-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-1180-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-39-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-29-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2572-26-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2572-27-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2572-68-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-1524-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-33-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-24-0x0000000002170000-0x00000000021CA000-memory.dmp

Filesize
360KB

Download
memory/2572-1600-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-65-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2572-1915-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-23-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-62-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2572-60-0x0000000002170000-0x00000000021CA000-memory.dmp

Filesize
360KB

Download
memory/2572-58-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-44-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2572-2250-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-45-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/2572-2494-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-46-0x0000000002150000-0x0000000002151000-memory.dmp

Filesize
4KB

Download
memory/2572-3027-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-48-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2572-3117-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-3634-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-3738-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-47-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2572-4298-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2572-25-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download