ardamax | 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75

Resubmissions

25-11-2024 11:59

241125-n5vrcsvrax 10

25-11-2024 11:53

241125-n2k3ravpfy 10

25-11-2024 11:39

241125-nstcrs1mfr 10

25-11-2024 11:34

241125-npnywa1ldp 10

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size

783KB
MD5

e33af9e602cbb7ac3634c2608150dd18
SHA1

8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256

8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512

2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP

12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000018b89-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2468	DPBJ.exe

Loads dropped DLL 6 IoCs

pid	Process
2792	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
2792	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
2468	DPBJ.exe
2468	DPBJ.exe
2824	EXCEL.EXE
2824	EXCEL.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe"	DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_03.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_16.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_29.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_34.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_52.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_08.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_44.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_58.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_45.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\key.bin	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_48.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_31.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_07.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_51.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_18.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_46.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_56.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_57.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_59.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_17.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_41.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_22.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_35.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_03.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_15.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_36.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_57.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_31.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_28.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_32.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_39.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_00.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_23.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_04.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_29.jpg	DPBJ.exe
File opened for modification	C:\Windows\SysWOW64\28463	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_14.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_18.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_23.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_42.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_11.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_02.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.006	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_05.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_26.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_09.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_25.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_53.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.001	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created	C:\Windows\SysWOW64\28463\DPBJ.002.tmp	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_20.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_55.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_16.jpg	DPBJ.exe
File opened for modification	C:\Windows\SysWOW64\28463\DPBJ.002	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_13.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_12.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_24.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_27.jpg	DPBJ.exe
File created	C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_10.jpg	DPBJ.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DPBJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8241038-0551-4B27-6D8F-6BC791EF67DB}	DPBJ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E8241038-0551-4B27-6D8F-6BC791EF67DB}\ = "Relij Ojedogim Owalase Object"	DPBJ.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2824	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	DPBJ.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2468	DPBJ.exe
Token: SeIncBasePriorityPrivilege	2468	DPBJ.exe
Token: SeDebugPrivilege	2444	firefox.exe
Token: SeDebugPrivilege	2444	firefox.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2444	firefox.exe
2444	firefox.exe
2444	firefox.exe
2444	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2444	firefox.exe
2444	firefox.exe
2444	firefox.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2468	DPBJ.exe
2468	DPBJ.exe
2468	DPBJ.exe
2468	DPBJ.exe
2468	DPBJ.exe
2824	EXCEL.EXE
2824	EXCEL.EXE
2824	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2468	2792	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	29
PID 2792 wrote to memory of 2468	2792	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	29
PID 2792 wrote to memory of 2468	2792	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	29
PID 2792 wrote to memory of 2468	2792	ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe	29
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2032 wrote to memory of 2444	2032	firefox.exe	34
PID 2444 wrote to memory of 1772	2444	firefox.exe	35
PID 2444 wrote to memory of 1772	2444	firefox.exe	35
PID 2444 wrote to memory of 1772	2444	firefox.exe	35
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 472	2444	firefox.exe	36
PID 2444 wrote to memory of 2448	2444	firefox.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
"C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\28463\DPBJ.exe
  "C:\Windows\system32\28463\DPBJ.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2468

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.0.623284521\224050671" -parentBuildID 20221007134813 -prefsHandle 1204 -prefMapHandle 1196 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {64aceef9-65b7-4f97-9128-cfb0643b9403} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 1296 41f7b58 gpu
    3⤵
    PID:1772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.1.1715008979\287507851" -parentBuildID 20221007134813 -prefsHandle 1484 -prefMapHandle 1480 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1601cad6-a333-434a-99d7-1df7edae7ad2} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 1496 40fb258 socket
    3⤵
    PID:472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.2.1213224458\1837012448" -childID 1 -isForBrowser -prefsHandle 2204 -prefMapHandle 2200 -prefsLen 21031 -prefMapSize 233444 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e7f7912-c0d2-4698-98ed-a5d8eb13edfb} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 2252 192c0a58 tab
    3⤵
    PID:2448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.3.1902991116\851260228" -childID 2 -isForBrowser -prefsHandle 2808 -prefMapHandle 2804 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1212b4e-235a-4e47-9e85-08bcfd3a218b} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 2820 1be6a858 tab
    3⤵
    PID:1292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.4.148517250\48816583" -childID 3 -isForBrowser -prefsHandle 3020 -prefMapHandle 3016 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b161bf4-0140-4d91-b76e-0240c3f25fc0} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 3032 1be6cc58 tab
    3⤵
    PID:2352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.5.1123110842\87105174" -childID 4 -isForBrowser -prefsHandle 3840 -prefMapHandle 3836 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e048619-7c46-4ecb-a979-35ed950d3523} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 3856 1eaade58 tab
    3⤵
    PID:2944
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.6.1634857451\1289009424" -childID 5 -isForBrowser -prefsHandle 4008 -prefMapHandle 3836 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {43ac35c9-265d-4d43-9fd9-daf92d8e2c6c} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 3476 1f090358 tab
    3⤵
    PID:1600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.7.154230617\1186936734" -childID 6 -isForBrowser -prefsHandle 4208 -prefMapHandle 4212 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c38757c5-0804-45f9-995e-87c5b39ea880} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 4196 1f090658 tab
    3⤵
    PID:236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.8.79313563\504243955" -childID 7 -isForBrowser -prefsHandle 3608 -prefMapHandle 4068 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e33d613-c579-47a7-aa31-671830b97a45} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 3632 1068cc58 tab
    3⤵
    PID:2680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.9.958300471\440318343" -childID 8 -isForBrowser -prefsHandle 3024 -prefMapHandle 3544 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 788 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cef9576b-0da1-4049-945b-467c425787ea} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 3160 1ea6db58 tab
    3⤵
    PID:2088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.10.2038424576\309135615" -parentBuildID 20221007134813 -prefsHandle 3100 -prefMapHandle 3248 -prefsLen 26796 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {822caef4-0cb4-4a63-b8a8-39a194cf7de1} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 4656 1ea6ae58 rdd
    3⤵
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2444.11.345669640\32760992" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 3520 -prefMapHandle 2704 -prefsLen 26796 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {90e59bc7-1a51-4a8e-8445-c6bf359ac398} 2444 "\\.\pipe\gecko-crash-server-pipe.2444" 2500 f243b58 utility
    3⤵
    PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
29KB

MD5
0bbda2dc4d382521a50ccf38e85b6a8d

SHA1
40d34c192cfbea2de5f97c8afaac14ece4fefa07

SHA256
458584a8d880bfc068bed0d4256158965218c919b197aa1b7208df66dc8b36aa

SHA512
b63993d403135a12f6bcb03ffca62dd82adf6627813804976b8932b593e00544b790e48ff45d92097784a13f25f68852183f120e1d6cad462eda1f2f7a91f5f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bhzluvd5.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
13KB

MD5
f99b4984bd93547ff4ab09d35b9ed6d5

SHA1
73bf4d313cb094bb6ead04460da9547106794007

SHA256
402571262fd1f6dca336f822ceb0ec2a368a25dfe2f4bfa13b45c983e88b6069

SHA512
cd0ed84a24d3faae94290aca1b5ef65eef4cfba8a983da9f88ee3268fc611484a72bd44ca0947c0ca8de174619debae4604e15e4b2c364e636424ba1d37e1759

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin

Filesize
3KB

MD5
83b86383d340cd8cab9f4d74bb235e33

SHA1
82d6a5b912a01ab514e77b1443f76d0b676b572f

SHA256
51ce01a268c25efc0d8f148bce7fe90f7b08591bf158cb52a694d19072649250

SHA512
49acf6c9c11a45af2addbe0b7586907a44ae8d46a90b110ff950c2bad31d922b0b947d0f3bb45799122f6d3d51e090a07932fb8e32cb425c7743c312de5fffa5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
7db563e5e3e29400fafe6cf998b3f6d3

SHA1
9fbaed7c292c7c75d5c844ad64af3f8fbf869aa0

SHA256
a9770382141a81cfcf3b85feaefb78ad5f56b802fcea9486b1733f31033edccf

SHA512
ee7e88cfc6cd67a5d92570c2cbd332cafc2ea7054f3eeed8c40e7fe2ed6baa52a5d672b5203291106d2daab684a360aaba95e9e947678f3ea8fb08276558e610

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\228d732a-6b49-40a4-a12f-1bec8c5f34d9

Filesize
745B

MD5
ce302437193563d796dd714605fa3fdc

SHA1
f053be09d853ef2fa345eac3b8ac4d7824f7cca5

SHA256
af1b7dced8d9fb110f20ab0c3e007bc2506da2343822e755b5c766a72854f247

SHA512
f079ca09c543cb9bdb5177a36f90bdcb973b2df1eaa654f143b7a75469fb8f80a87886f23f08bbc14f58d582bd14f0c9bb93f4990203101e98eff5bea5ac67c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\datareporting\glean\pending_pings\83bafc6e-f7b6-4f84-947f-bbfefbbead24

Filesize
12KB

MD5
a8e8d876a5049cea49ac6eafc93a16c8

SHA1
d18dec88d03323b8741408ee4ab292ddd1659519

SHA256
5700a0dea671b45fcc3640da6e620d1a2c150c1557333f0be4466ddc66ab378b

SHA512
03542c418d6578dff3e3f2ad6ce5f862b7df580b090fc95e5b061e60b3bdbec53e53660f243522623983aacad4682b858b2c023eb1373057d156e3f9ccfe533e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
2df48b24730026586d6ed482f20d35f8

SHA1
42e8e19aa08c7cd37b45685227118964bac36447

SHA256
497630f76fb347f8a4c44831e4c60d71ac484ba9fcf8c672bc9203d3f0520050

SHA512
c21ec25d492779deda609355c89f1799a0f528c6feadf0567cbbe21095adb2bea0dea34bf17425b12fbbeb45bfbafc8b742c57c829e66ef4a14020523669e459

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs-1.js

Filesize
6KB

MD5
b425b1f15a2c380032d3f36462d8a588

SHA1
e6860213f17b0dfc4d0d63d9496029be468c82c3

SHA256
c54a10d792081190825f0f52d7784180bbd73cacbecd1de2b433f2125011f389

SHA512
03b188770d31dbffad1e038acd6a6137141a70c6d72c89476a08ba5cd56f35bbfea7be87f6f7ab23a88525dcbaba453da9e8fbdc3f5c4283b7f2d81f91ab45e5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\prefs.js

Filesize
6KB

MD5
b38789ffa1756688c4371721a3fa39bc

SHA1
981633c6d41b3325cb2be16b4eddb555fd184351

SHA256
3ff29f6e3729b6c313e4771f413b4108cf94cdbf5898008b69f6b84a9f8dc28c

SHA512
0c52bee934b69e86bfebaf734b96646db8bc946fd3eb0f048388262528bbcd8475cc7f94def3d5fe002455b66979920c19692c5dbcd4b84ec06330cda5d89a57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
f7cc5ada9363be85a542f01bc6dff74e

SHA1
022dd09be36d63ebb3dd94d533cd4fd2e6d72773

SHA256
63f36d167a4db34dd1870bf5291caacb37c9c3aece90fe0ba6b90a4db6610505

SHA512
6bcb9f0280724e457f6b366a0bc894c5154a2a48b75eb8fea58cd94dbe1fe2ce6d5420c89437e70560f1183c76cb2f943813ad1d63d876c7274b23b54d8c94e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
8KB

MD5
ead6ca007cd7fa1f865b1ac70e033d40

SHA1
aa261aeee3c416ff34390ab33dea646de2c09d86

SHA256
8b5a59df06c4dca3b718cd4439ac87bbff133f47a4057a5f704dec75b4fbb0bd

SHA512
ff125bb40e64a4ec84c0292950357a640801ddba27c34ce78e7864e3670b1c420f0901d528a37b929d9c36b6779897038d6afaae24fff04ecc4926f21bd13bb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
b68a3731930c77863aeead74343000ed

SHA1
519d7c9d9403e7d98fba6f838ea15e427628d2aa

SHA256
fbddbab667a2fd94d741091268aa5f5712ebb44c4785b9d9930eda3da4eeb349

SHA512
532ee50689af8c868e5b63b64120d10e0869430c907c29fbe6f7e3acfc40e230a37790f7c109903d7e7de0b8ec33294a5cfe0db6235a39dfbe81cfaaf86e5ef8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
f3e02c48c8487b0985408d1123bf4720

SHA1
b1cc18b0c3c7f4a9f6c99b61f339c0a4d59d1cee

SHA256
3d367280da73ec380c68ad240b4dadfb33ed1c0f8a82722c2e838b8803a5e999

SHA512
5514b9ff2a19fda866bbc1d2cce2fddd934a33e26effbfc0ab990885e29f9515a2c24a0cbb0a4f63ff4be61f334f6df5e77fde3d6b4592ebfc007788c0a1dd61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
2290a3e3b6a08649563d649dc62cceb0

SHA1
26dbdbbb8e82e8d674af9e9d215d34508e909701

SHA256
051b4540ffcd3694ad8302ae77c40c415d5878eafbf4f41b37c8bd954bada23b

SHA512
16d0fe9c254f563b2f90a5f342e2e8d53fa4fe6c87f8523f1acadb0254043c8d59fee7bc75a15008291e7853d7cb25a3b0b13588f3576b5c20be8aa97c6b7267

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
7KB

MD5
2d4b7acd82632d2164505c83ccbfd304

SHA1
010a7c39e42063ed2b20bb8d3e847fce858f6914

SHA256
fd2d47d2e044353180345eba84c8f7b2bf9a05c57bd385a7e8e3d5f474c91a88

SHA512
0c9cb19db9baeb6b46e0efaa3331bcb8a57af2ef6818264039a167e0ef212a6a71546d35f101344d11144ddfb84549e783e8a9df37a1dbbed55afd12610065e3

Download Submit
C:\Users\Admin\Desktop\TraceEnable.xlsx

Filesize
10KB

MD5
85ac1a0495617814ac9484fc0e35b34f

SHA1
25f98adb4df8d34d3b08e75143e3ff4a85334977

SHA256
77f3e269c31a1e199dc1d446bb799b1b37c523bd351fc7032065ad363ea1d22b

SHA512
cec01516a9bb118d39b3eb05eed24a9307953fda85f0cbb8a8cdf3d3beeccf706fae0fd2f77e4c223307ed829adeb762a1fca14dc9ff500b31721b985be990bb

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
97eee85d1aebf93d5d9400cb4e9c771b

SHA1
26fa2bf5fce2d86b891ac0741a6999bff31397de

SHA256
30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24

SHA512
8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.001

Filesize
492B

MD5
7a0f1fa20fd40c047b07379da5290f2b

SHA1
e0fb8305de6b661a747d849edb77d95959186fca

SHA256
b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6

SHA512
bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.006

Filesize
8KB

MD5
35b24c473bdcdb4411e326c6c437e8ed

SHA1
ec1055365bc2a66e52de2d66d24d742863c1ce3d

SHA256
4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617

SHA512
32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.007

Filesize
5KB

MD5
a8e19de6669e831956049685225058a8

SHA1
6d2546d49d92b18591ad4fedbc92626686e7e979

SHA256
34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564

SHA512
5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Download Submit
C:\Windows\SysWOW64\28463\DPBJ.009

Filesize
2.2MB

MD5
c82ec50799b0102430e52e1cccb1fd50

SHA1
4f804ad3abc90be7dfa35ad424fb0dcd37fb86fa

SHA256
191d3de2612b3b47cbd19d0d40f6f690b72123ff1f06fa46eb5d36955d878cfe

SHA512
f7a8881e4dd9a2fc46d0dde4943d77acdee1bf78fa6b0d9ffaf891348ffcc7718cde5e5a2967ca0787c9905606d3ac301ff54f4a20dbd590d4cdc86337b34e04

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_52.jpg

Filesize
202KB

MD5
128951a6d103043b3f3db01c87213f86

SHA1
20bea73bdd03daa8d205d508a5cf47cfdc359e11

SHA256
fab0a70a7a02f555f6e7eb67bc597e21c05dfa8e478f24e2adcf5549ccee0ce3

SHA512
bb7411cfb907f22927bfeba28d5e89a1b8b248e3c382f4be82b258ef1addb71dacda6ba8ac0b89e61e5a75ca5deb46bca8def60e79e0e161ede2f05606057a16

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_34_59.jpg

Filesize
199KB

MD5
a427714ac0921787cbfd3400fb5e6bdd

SHA1
e3865809c078b50b9f99338ef645e3637985a60a

SHA256
656631458360df1de8660c1a7693892c53c593c9daa15dc28ec2a643184cb6dd

SHA512
08d803c84291ee2d8549a234a7cb8077d62d5371c1548959676270780dd8bab06c3dc002aacd4a0b7747d1c7cadd52e4444f19c28eb15be596a1b679982b07a8

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_02.jpg

Filesize
203KB

MD5
a15d87f6cf2bc5152c6793c36d45c0c9

SHA1
fbd1d7544d53655dbdae412170eaf93dc7cb473c

SHA256
b4fae5f8fdb6a0a566eef5f45e7d8dd4ac87ceb3c9e88d1d89fac863cf1df702

SHA512
a6c65b483ec5e02d0d8a940d7213a25c98029efeb45aea0f36f36bc9673975c61be5d1c46c9e6f8d478380fa0c1c8c6e6a0ce47f7840f55a3f2c00a7f3c7f74d

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_08.jpg

Filesize
114KB

MD5
51aa6f181c3962936d04f9ed32940529

SHA1
2f87b556cda9decb01f0172c64a0cfd206d632a3

SHA256
e21eac5cd918a28e931ea6077984c01e617351a1b43264977d30f3e03537015b

SHA512
ca0e1fbcd332c1826179b5290e1a3fe1300014effc9c2cb365cb10cd21859790eb765ae8ebb8ce79a26e2fee833504ef61b1a87a5aa659c8e5b9925ab4de77d6

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_09.jpg

Filesize
115KB

MD5
dabd4fb1b8cdbe7a3406b4cd23aefb1e

SHA1
8d8475722d39a58d458e2f175d59030039f9ccfb

SHA256
afeded7f397340c6966fc29abffc16ae51bf7f175a794d2f5d36bbee05cfef26

SHA512
b77acec93caa3ed534d0732a398e1cba054cef40337f39dbc8ef7abf30b5280212a6c58b045b88ae994eadc7746bb12776377be807b34f3e64a2042f0770a5e9

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_26.jpg

Filesize
40KB

MD5
19201441a71bacbcb847ae7199ce3e92

SHA1
56d643800fd499febfa13b821c16bed303186c5c

SHA256
caea370c49095126c3f342c230e738d8de63f82ed9a0da96aefeebd80780bd1a

SHA512
11d980d023c1cb24f93c70b448f2ffc0c0dc0bf9fd1e3b69cae5d0b493a95d5e9934feae20bc9e97624b3832f72b14b34c44a1b4938349b5dba449f552e547e8

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_41.jpg

Filesize
40KB

MD5
5513ef7ead6c25ad38cbda1eff60f31b

SHA1
4ff9c502931f509ba0c0a1cf60acbb8eea118441

SHA256
10e2049f7b0e7e24671a14b5d35bc649d0c0bae876956895f11b51dd583cc2f6

SHA512
5e80886d9dfffb662b0675781a764ae5ed6efb9eb41611327e91e2604a37b22dbc76bc391ab582b5f3bd467583961248b8cf886854e43f17ac23b03686fa8d93

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_35_43.jpg

Filesize
40KB

MD5
f36f21dde2bf327c8ef511d162b46ee0

SHA1
b4f9fc4b5c24cafa9f71040e45cc93a491be7f76

SHA256
6e5e35bb069b44dabf1bcbc35a0d7fe923362f5f40cb85d4f0d91295086126db

SHA512
4cdf6b3f4ea2593b15aa21da09870ff9c0f99458e64e244d2bd628ea6164e34176744e4c855c0003e8e1bed7e8ffe5f88eb6cc66ed119223bc6d50c61774dd1b

Download Submit
C:\Windows\SysWOW64\28463\Nov_25_2024__11_36_04.jpg

Filesize
67KB

MD5
76740c3ce57c07744cd30c308c7832b0

SHA1
42f87cb93637839aed4a0b5e3df77b8bf30655ac

SHA256
a2cc002127faed9c7df0423ae58b6599f97ece6029d01ee9efd1ceb70ed6c3e3

SHA512
29ea7bf3b8a7d806b9327a9659032829b8716b665b4c5d5117f09b3a962c8e32440d145448dddfc1592cbc4b7e74bc6067f510f5d127d28a7a4069a03c2870c2

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
\Users\Admin\AppData\Local\Temp\@2EBE.tmp

Filesize
4KB

MD5
d73d89b1ea433724795b3d2b524f596c

SHA1
213514f48ece9f074266b122ee2d06e842871c8c

SHA256
8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6

SHA512
8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41

Download Submit
\Windows\SysWOW64\28463\DPBJ.exe

Filesize
646KB

MD5
b863a9ac3bcdcde2fd7408944d5bf976

SHA1
4bd106cd9aefdf2b51f91079760855e04f73f3b0

SHA256
0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0

SHA512
4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Download Submit
memory/2468-21-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2468-24-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2468-85-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-64-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2468-52-0x0000000000350000-0x00000000003AA000-memory.dmp

Filesize
360KB

Download
memory/2468-897-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-49-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-33-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2468-34-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2468-241-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-35-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2468-36-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/2468-289-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-32-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2468-22-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2468-327-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-23-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/2468-19-0x0000000000350000-0x00000000003AA000-memory.dmp

Filesize
360KB

Download
memory/2468-25-0x0000000000520000-0x0000000000521000-memory.dmp

Filesize
4KB

Download
memory/2468-435-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-26-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2468-485-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-27-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2468-510-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-28-0x00000000030B0000-0x00000000030B3000-memory.dmp

Filesize
12KB

Download
memory/2468-591-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-620-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2468-29-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2468-30-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2468-31-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2468-18-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2792-17-0x0000000002650000-0x000000000272F000-memory.dmp

Filesize
892KB

Download
memory/2824-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2824-51-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads