ardamax | 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

Resubmissions

25-11-2024 11:59

241125-n5vrcsvrax 10

25-11-2024 11:53

241125-n2k3ravpfy 10

25-11-2024 11:39

241125-nstcrs1mfr 10

25-11-2024 11:34

241125-npnywa1ldp 10

Analysis

max time kernel
113s
max time network
115s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size

783KB
MD5

e33af9e602cbb7ac3634c2608150dd18
SHA1

8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256

8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512

2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP

12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016cd8-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2556	DPBJ.exe

Loads dropped DLL 4 IoCs

pid	Process
516	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
516	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
2556	DPBJ.exe
2556	DPBJ.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe"	DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_48.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_50.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_28.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_24.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_27.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.006	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_40.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_45.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_51.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_57.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_41.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_01.jpg	DPBJ.exe
File opened for modification	C:\Windows\SysWOW64\28463\DPBJ.009	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_20.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_25.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_30.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_39.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_15.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_37.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_10.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.009	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_26.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_57.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_59.jpg	DPBJ.exe
File opened for modification	C:\Windows\SysWOW64\28463	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_41.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_43.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_12.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_14.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.007	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_17.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_21.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_58.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_08.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_54.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_16.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_52.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.001	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_18.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_06.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_03.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_34.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_38.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_19.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_51.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.009.tmp	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_46.jpg	DPBJ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPBJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\0\win32	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\0\win64\ = "%SystemRoot%\\SysWow64\\mmc.exe\\4"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\FLAGS\ = "0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\TypeLib\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\Version\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\Version\ = "1.0"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\wmpencen.dll"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\InprocServer32	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\0\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\FLAGS\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\Version	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\0\win64	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\0\win64\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\0\win32\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\HELPDIR	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\HELPDIR\ = "%SystemRoot%\\SysWow64\\mmc.exe"	DPBJ.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\0	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\TypeLib	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\InprocServer32\	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\Programmable	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\Programmable\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\ = "MMC Internal Web Browser event sink 1.0 Type Library"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\FLAGS	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\ = "Ifimi Wolaba"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\mmc.exe\\4"	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0\HELPDIR\	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EA644171-4E62-4DAD-47A1-33DB2D08571D}\TypeLib\ = "{330DDB00-8471-0B14-1068-8E95244D5001}"	DPBJ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{330DDB00-8471-0B14-1068-8E95244D5001}\1.0	DPBJ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2556	DPBJ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2556	DPBJ.exe
Token: SeIncBasePriorityPrivilege	2556	DPBJ.exe
Token: SeDebugPrivilege	2812	firefox.exe
Token: SeDebugPrivilege	2812	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2556	DPBJ.exe
2556	DPBJ.exe
2556	DPBJ.exe
2556	DPBJ.exe
2556	DPBJ.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe
2812	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 2556	516	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	31
PID 516 wrote to memory of 2556	516	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	31
PID 516 wrote to memory of 2556	516	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	31
PID 516 wrote to memory of 2556	516	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	31
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2892 wrote to memory of 2812	2892	firefox.exe	33
PID 2812 wrote to memory of 1300	2812	firefox.exe	34
PID 2812 wrote to memory of 1300	2812	firefox.exe	34
PID 2812 wrote to memory of 1300	2812	firefox.exe	34
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 2964	2812	firefox.exe	35
PID 2812 wrote to memory of 1672	2812	firefox.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:516
- C:\Windows\SysWOW64\28463\DPBJ.exe
  "C:\Windows\system32\28463\DPBJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2556

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.0.274505797\1166871816" -parentBuildID 20221007134813 -prefsHandle 1216 -prefMapHandle 1208 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf9cb05b-7dd8-4a33-9dc8-8633ffc8d19a} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 1280 46f2e58 gpu
    3⤵
    PID:1300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.1.1871694671\1564820602" -parentBuildID 20221007134813 -prefsHandle 1472 -prefMapHandle 1468 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a77f5eb-6897-46c4-987a-a8193738f4a0} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 1484 e71058 socket
    3⤵
    PID:2964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.2.881481305\866768707" -childID 1 -isForBrowser -prefsHandle 2084 -prefMapHandle 2080 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {632e2b52-00e2-413b-a276-cb9988392855} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 2096 1998fe58 tab
    3⤵
    PID:1672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.3.1293249782\1658256025" -childID 2 -isForBrowser -prefsHandle 2436 -prefMapHandle 2448 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {21841fde-61cb-4bde-8a85-05eefc98d66f} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 2456 4041e58 tab
    3⤵
    PID:2072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.4.526090764\1314257201" -childID 3 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b75f845-7599-494c-acef-b42e824864b6} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 2912 1b8d8b58 tab
    3⤵
    PID:908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.5.1804517339\854986125" -childID 4 -isForBrowser -prefsHandle 3868 -prefMapHandle 3864 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f5b625d-fa77-47aa-9261-d7021f7cb814} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 3876 1dda5a58 tab
    3⤵
    PID:2404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.6.1023794877\2032257917" -childID 5 -isForBrowser -prefsHandle 3984 -prefMapHandle 3988 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d235068c-56ed-4e02-b629-528819171293} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 3972 1ea0b058 tab
    3⤵
    PID:1528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.7.1603207309\212980577" -childID 6 -isForBrowser -prefsHandle 4168 -prefMapHandle 4172 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92f7a19c-706e-49c5-b1a9-6910f2702876} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 4156 1ea0b958 tab
    3⤵
    PID:608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2812.8.1604481063\1236633385" -childID 7 -isForBrowser -prefsHandle 3708 -prefMapHandle 1088 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 884 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e93af11-c807-44c7-a1ae-dd2cc8cb6f33} 2812 "\\.\pipe\gecko-crash-server-pipe.2812" 3684 45fd258 tab
    3⤵
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
a6b4f9df296704b6ffb63ebfce633803

SHA1
1bbaac692ca0b934167435b636fd7a1945e47468

SHA256
0dca1a1a532e65cf9532a764a20cdd410ddd962ab69c77b313b3733221921479

SHA512
3157b47a738b3e7362b87c4f6577b70f09e1ee77e2dabdc75d2b3a4ce44a5f669a9605e0ac16b9fb16f03aaf0402c763296ffd5b9f761e2adb1077da974f8328

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\cache2\doomed\14617

Filesize
13KB

MD5
b1ce0337319c95607d1cd3bec39404a6

SHA1
44a687b244dbefa9d2481049db0a3767f8a263d5

SHA256
a0f2c851b8555245d00f574c4cd2adfe43b7df7a859407aca1c923095ba8d101

SHA512
baf349293c3e5e4cd0824b98e589fb53f0dfa991bae4a305ee432d9c793895b558a54657b8949aa9ca3f467b6384ba55f1d27e1674f20dc9d9af577ccbc6aab9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
6c75b34cc8de61c8ed49bc205586d2ec

SHA1
9e6e5ab5d1a52da630bef5cde2f8f576c73dbb04

SHA256
402e3343cfbf0c12bab68b754dae9f3b02f6bb67b5b0d75cde2ef078d488b80a

SHA512
b441930737c8828954c9e5fc9600c21ccea598f9aeb226aa32055121995a98b62c1f19573d5f235f62c2f596a6b9854c8fa0a1205c08dfd9b3bbc881e6b39017

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\08904963-9069-42e9-aa80-34075fbf7ea6

Filesize
12KB

MD5
4823e0c7da5bd8948ac489f9399a623c

SHA1
ea50dbfc2d9f48184f69eafe645dc8ffecde28ce

SHA256
8a7c3805f39a2ccdb0764e971c33acef1fd0a2cac7b708579d2d2cfd64481a5c

SHA512
ac06238824cea7a3f50cc1e8b78ae41a9d85756a20b781b4e8f4137ffa6625513cc238692706bbf3ec5e909797cdf71346b43798c7cc11817d89d5933cb9448e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\5a53ddc7-ebf9-4e40-8394-49170423b3ec

Filesize
745B

MD5
8f4c43af40d1841cd7763f3f000489f0

SHA1
ae41c932444044956607f928affaa1efe306f519

SHA256
6dd1e3648456d71626f035bc9f724611fe848cd2db31d80c40304748bd8a40c5

SHA512
418f5e932889e87c4295cace06fa791a5141de6adc7e31da6e1ca9cd9dbcf7672eebc191c74026e746045d709061b09ccca21ac673f8b954a1705844e61c298b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\logins-backup.json

Filesize
648B

MD5
bf2d1221a8a59ffd29b27cb7de9b4658

SHA1
88cefa8bc47cb2c34d96032fc9afac64c94f4b4b

SHA256
9cc1a60eb55780533de77cdd94344d7aa7237ea21d2397e548e27b20123a88bb

SHA512
6d0e46ed312629f09502dff817e45918651a9df42240b83661cba2b0d278e2b15c9cb7f3b22302bf0edd5b278e1c38cd43594a7bcf0fb2b4ce69d8b877da0100

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
b74da8cd6d841154c66b6f0668a0585a

SHA1
52566a4e43594185520ae2be36ed6b29fee8e1c4

SHA256
859bef985ce3584fad9c30481b1e341945a1b61194d253a1feff1ebcc618fb6c

SHA512
f62a42d919d1bf543b7e0e08171841a99bbb85c35124521994d58b917b73a8a50a7ea14f1faa67c50871ba48e5468e65bc37a55a75ff58f661a4595e00d6b296

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
7afe626e7c20383ce29820b883c8b7d0

SHA1
fb0adce5a600209b27bb359725054f072a554107

SHA256
1cf98534f592a00610c9014fd2271fd7268465b231badc761c92d6bde2a2503f

SHA512
0981f16ffd6904eb760af3eaf49b19f706762b71e793947d8722c0fc60777d26f5effff0b82fc0f312350cd6d95ea3e7536d5e4505805a87779fe45e97ab771c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
411f0a0370fb4db55ad8b1df30726f7c

SHA1
7cfc2d9c4e10c60ac14ed2d1d88bc4ee11e0b1af

SHA256
3428b87bbd186ed1111471acafd421c3d55a1fdd54a2cc9eeb2505dd23645436

SHA512
d06e772cfc144aa7b80d961ac90db417b788398e7e3b9c8b375c72f071765fe06389efaacb2edc18a26399c8afd08a91a4c1c4d4e58ab49e2798b53a98a575ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
2e69705fa33aa28ae6697f0c61a4da6d

SHA1
53fc576683486bc0c15d40a90b533fb6cc3ea8d4

SHA256
4429687dacc71e156047acc746a520e9109b76ac643cd8bb53911c76b10611b0

SHA512
abd1f62351a3659f18ed7c85e25f41f2207238d23ca3f42d99e7c96f65f637cff566934d90cd5df54b478823e43b2021fe3d54d0fd4a2f8a69c760e61c051219

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
b689b2e3eb75f4fc54d5be07b570adb7

SHA1
e9867b5b8bdf038ffb1f1e2913d66d973f3f39c9

SHA256
76407b3e44154682cbf4357da65a3c20aef02fc4eef2bbb88eb050fce148e6e7

SHA512
50416eef6fde4b74849a9a589f92310a8e5caaf78228c98371f18c491ac3eba2030cc65cbd9a817e8477817f1023270ff484446d30f92613a9de60eb4818573c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
ce5a9ca9d42120a7f5b2a0af1450baa1

SHA1
1c8a21a7b84fd42ecb653a14693466aa4bc29ef1

SHA256
0b29bb777292ec8904ba3df44f5684fddcd28667d8c07a923408643914902b52

SHA512
77bfce2d2f7e76b3ad14896ff1fdf179ca785047aca33df2a2bbb1542ccea07f36e89a451bcde04d592a934fe7c80312316792cd7482b5538ef5304425fb0169

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
30cb0fe839512cb18b713add0a604fc6

SHA1
3be154c12481557621df191ff257e91bf75eb99d

SHA256
f5764032c58087498e9cf6788ac8e42daf54552138dd1f80aed4e8ade54c5a68

SHA512
28f475b720c723c071e097c083b52a37946013cca8a6a26d8d7595b7d0b825427baec72a75d4a1f35afa95a4757c96d7147433c6b1795096a309d9490c34754a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
3933ca51b5938da302a17f8e320eda57

SHA1
55b285ed278745fe1be2e03521a0fde9ae77edbe

SHA256
4efcff7fde21fdc16fc8ad9eec5547fd930d948c78dc638985c06d15b5521c77

SHA512
e6b14d63556aefd648c97f7b9840e633a6c1e6d0ed40bbe3a5e103ec53efa1cee73657142f77c4df6e2cb3d23aac28e3caf7b036e72f867d047c44a72a0a182d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\storage\default\https+++www.facebook.com\ls\usage

Filesize
12B

MD5
1aa6238c49a38068f9149feb44a2db0b

SHA1
035372ad84af747c9f2d19ccddc50a48f24611a7

SHA256
f0b29179dee8c1b28d0b9ffd1496c99b3f504269078f2eda57c1c45ce7a50fc6

SHA512
a025ad2e905abc3b55be132eff86a7f657fce4ccac3c631589bac4b7736fb117fc61fadc1e9a611b960ec05017c3d0f800ca2adad7b1fe5007be97d9866323b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
406d1f6b9b48d9a95ccb444d4435c694

SHA1
402b53db9cdd9fcfe45b116e7cbcd48ce02a37d6

SHA256
914ff37bd2ff138f544ea9b20d54739d9816b3b9a512105631bef832cffa7a74

SHA512
389a71d5750cc44ad93319e4f6618891fe76e7c90a147d83b9606d9f7cf6407e2f8fa91b15e4e469e493d6189cee101dfbdd5720b9862675b4b3ed477332c136

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.001

Filesize
492B

MD5
7a0f1fa20fd40c047b07379da5290f2b

SHA1
e0fb8305de6b661a747d849edb77d95959186fca

SHA256
b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

SHA512
bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.009

Filesize
994KB

MD5
99fb604586751f06fc31bc975fb3f6a3

SHA1
016e5445134b5e69b749c63b13dd92351b68c951

SHA256
b0af1d5a01c4fd089073d6cb2be034d43222205f069946d5fe3a78bb41f42e90

SHA512
0fabdf380591a5b76b3726e80b3693ebce59fdc448b2ad17ccf8782d42cf05064210ce32b615bc0385633203f179abdfe1e4dfe3dda8da755aeac06d79ab6a64

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_41.jpg

Filesize
115KB

MD5
9be0149c50d53b63fc3e340bf0f71dcf

SHA1
6254d60761f7b0d80d0c95ef1ff020c03e26daba

SHA256
beb102b5cfba6a0038d1be2dac3dca5e3d49176f12741de2116f84fb783f5f6e

SHA512
9ce6f9bf6d0fdd4ef3ab145f0e8606a174ef9e4f39a96e853bf5d51bc4eaa8fffbc566a71d65004fd31ed9a5dd688ed235c390945f8bb4c743395130b20b8b3f

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_45.jpg

Filesize
40KB

MD5
c29b61b44c0084315caaa6369899102c

SHA1
25c949161313875881c88d01368141a1ba5ac96c

SHA256
22009c36e1540ef5db8e813472e53591a4da905bd5cced3b2dbc499b9b7aa377

SHA512
44028714e08615da774793352106c7955f80640a6307093c76a73651c744241d18831d2296f8b9649cb9c8e1769a0b26ebda3fcb9515146b02f1acd198d8bd6f

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_59_50.jpg

Filesize
40KB

MD5
18828a6d1348b3a28e169ab6bca8673c

SHA1
e165ed4f3c30d814e0b45353f6b8291a719df0de

SHA256
ef63267c724a4894be505c43a9ce41df17473561074dbadc7f318ac8ecd8de4d

SHA512
56474a985beebce75c4cbb317a4227046e7032120b41f9e59c0cf9a98dd3a3acc61ee3d6914dbc5dead6257ab273daeb19e5700532eb64b383b3fd6f7ebf68f2

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__12_00_02.jpg

Filesize
72KB

MD5
62214267da10c0a59a5fea5f5044f7ce

SHA1
06f6313ef391795ca41afe2c84b446216428bbb7

SHA256
d735e4a40c665a76d2a2cddd2acbb7066c87dd0b02f61d02596b4d3109613561

SHA512
985845c0f6e59dd8c7bd86f08a998ebed66ee74322d77c3d0c8e3d25a2f491785882a8ed97a22f88c92ff0de4f106c5cf6de76ad96654283413fb6e36fa62e5d

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_04.jpg

Filesize
73KB

MD5
f3ebf9a21de6e8ab9f88ed4fa25b87f2

SHA1
a917d8c7ea92051063023bd6ced430b106fdcae0

SHA256
d76abb204c9b31e945ec3fc5d366acbff5bd2b23e623b3d238aa40ffefae7ae1

SHA512
022cf2f0e78fe4bfa3e372bfc3528f99593beea0ffd3ee3666968d10a94c05bb667cd7f9137fb44d1f43b8cfd99fd2c0cef99cd36633c0a7f7bb05fc4724882e

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__12_01_07.jpg

Filesize
72KB

MD5
c2c7ef9ce6adbaafaa86e99079b90716

SHA1
e8a7f83e09949cbc9065eac8d0927a02ad7e5581

SHA256
8ae155be1f274f7a73a12d751993c67535a4c23bd8f0322d3ea0ae99f6ccf426

SHA512
b3a819b31899790f2b0c0af4eec0357bdd1e002375995989ee5e4bbe034ab2cb4b6353f14511b6b4d04f523ebba9b2b938b6c29252f018fdbf3bdc2711930b38

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Users\Admin\AppData\Local\Temp\@E0AE.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
memory/516-58-0x00000000024E0000-0x00000000025BF000-memory.dmp

Filesize
892KB

Download
memory/516-16-0x00000000024E0000-0x00000000025BF000-memory.dmp

Filesize
892KB

Download
memory/2556-29-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2556-38-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2556-43-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2556-59-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-41-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2556-44-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2556-308-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-21-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/2556-22-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/2556-140-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2556-139-0x0000000001D50000-0x0000000001DAA000-memory.dmp

Filesize
360KB

Download
memory/2556-23-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2556-24-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/2556-166-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2556-25-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2556-26-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2556-27-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2556-30-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2556-20-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/2556-42-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2556-28-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2556-31-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2556-32-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2556-393-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-419-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-33-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2556-34-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2556-35-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2556-37-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2556-630-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-39-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2556-647-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-40-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2556-673-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-46-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2556-761-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-19-0x0000000001D50000-0x0000000001DAA000-memory.dmp

Filesize
360KB

Download
memory/2556-18-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2556-45-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2556-925-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads