Resubmissions
26-11-2024 02:17  241126-cqtd7svrgn  10
26-11-2024 02:15  241126-cpqxpavrcq  10
26-11-2024 02:08  241126-ckh2aayles  10

Analysis
max time kernel: 105s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2024 02:17
Static task: static1
Behavioral task: behavioral1
  Sample: ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
  Resource: win10v2004-20241007-en
General
Target: ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Size: 783KB
MD5: e33af9e602cbb7ac3634c2608150dd18
SHA1: 8f6ec9bc137822bc1ddf439c35fedc3b847ce3fe
SHA256: 8c870eec48bc4ea1aca1f0c63c8a82aaadaf837f197708a7f0321238da8b6b75
SHA512: 2ae5003e64b525049535ebd5c42a9d1f6d76052cccaa623026758aabe5b1d1b5781ca91c727f3ecb9ac30b829b8ce56f11b177f220330c704915b19b37f8f418
SSDEEP: 12288:0E9uQlDTt8c/wtocu3HhGSrIilDhlPnRq/iI7UOvqF8dtbcZl36VBqWPH:FuqD2cYWzBGZohlE/zUD8/bgl2qW/
Malware Config
Signatures
Ardamax family

Ardamax main executable 1 IoCs
resource | yara_rule
behavioral1/files/0x0007000000017403-13.dat | family_ardamax

Executes dropped EXE 1 IoCs
pid | Process
2832 | DPBJ.exe

Loads dropped DLL 4 IoCs
pid | Process
3060 | ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
3060 | ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
2832 | DPBJ.exe
2832 | DPBJ.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DPBJ Agent = "C:\\Windows\\SysWOW64\\28463\\DPBJ.exe" | DPBJ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_31.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_35.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_38.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_44.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_12.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_35.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_47.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_48.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_26.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_46.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_32.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_34.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\DPBJ.007 | ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File opened for modification | C:\Windows\SysWOW64\28463\DPBJ.009 | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\DPBJ.009.tmp | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_55.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_09.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_27.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_29.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_43.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_55.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_57.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_00.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_02.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_27.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\DPBJ.exe | ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_45.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_06.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_21.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_39.jpg | DPBJ.exe
File opened for modification | C:\Windows\SysWOW64\28463 | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_38.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_28.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_36.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_47.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_52.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_53.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_58.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_10.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_15.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_36.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_44.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_34.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_49.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_14.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_23.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_41.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_50.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_56.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_04.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_28.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_30.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_33.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_37.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_40.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_48.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_51.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_13.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_19.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_42.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_43.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_45.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_17_32.jpg | DPBJ.exe
File created | C:\Windows\SysWOW64\28463\Nov_26_2024__02_18_08.jpg | DPBJ.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DPBJ.exe
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Modifies registry class 32 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\ | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\TypeLib\ = "{963CF9FC-1CC9-2ABA-83C4-7346120F0058}" | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\ = "Beben" | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\ProgID\ | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\VersionIndependentProgID | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\FLAGS\ = "0" | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\InprocServer32\ | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\VVIEWER.DLL" | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\FLAGS | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\ProgID\ = "Msshed.ShedDSO.1" | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\0\ | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\" | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\VersionIndependentProgID\ = "Msshed.ShedDSO" | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058} | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\ = "Microsoft Visio Viewer 14.0 Type Library" | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\TypeLib | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\0\win32 | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\0\win32\ | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\HELPDIR | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D} | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\InprocServer32 | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\Programmable | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4 | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\FLAGS\ | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\HELPDIR\ | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\TypeLib\ | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\VersionIndependentProgID\ | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\ProgID | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\Programmable\ | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\ | DPBJ.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13835586-4401-4C0E-EA95-E6D77B393B9D}\InprocServer32\ = "C:\\PROGRA~2\\COMMON~1\\MICROS~1\\MSCLIE~1\\MSCDM.DLL" | DPBJ.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{963CF9FC-1CC9-2ABA-83C4-7346120F0058}\1.4\0 | DPBJ.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
1860 | chrome.exe
1860 | chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2832 | DPBJ.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs
description | pid | Process
Token: 33 | 2832 | DPBJ.exe
Token: SeIncBasePriorityPrivilege | 2832 | DPBJ.exe
Token: SeShutdownPrivilege | 1860 | chrome.exe (8 identical rows)

Suspicious use of FindShellTrayWindow 34 IoCs
pid | Process
1860 | chrome.exe (34 identical rows)

Suspicious use of SendNotifyMessage 32 IoCs
pid | Process
1860 | chrome.exe (32 identical rows)

Suspicious use of SetWindowsHookEx 5 IoCs
pid | Process
2832 | DPBJ.exe (5 identical rows)

Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3060 wrote to memory of 2832 | 3060 | ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe | 31 (4 identical rows)
PID 1860 wrote to memory of 2300 | 1860 | chrome.exe | 34 (3 identical rows)
PID 1860 wrote to memory of 1364 | 1860 | chrome.exe | 36 (39 identical rows)
PID 1860 wrote to memory of 1636 | 1860 | chrome.exe | 37 (3 identical rows)
PID 1860 wrote to memory of 1096 | 1860 | chrome.exe | 38 (15 identical rows)
Processes

C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe (level 1, PID 3060)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ArdamaxKeylogger_E33AF9E602CBB7AC3634C2608150DD18.exe"
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\28463\DPBJ.exe (level 2, PID 2832)
    Command line: "C:\Windows\system32\28463\DPBJ.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

C:\Program Files\Google\Chrome\Application\chrome.exe (level 1, PID 1860)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID 2300)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b09758,0x7fef6b09768,0x7fef6b09778

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID 1364)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1184 --field-trial-handle=1396,i,7487848171243804678,18425143369946414021,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID 1636)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1532 --field-trial-handle=1396,i,7487848171243804678,18425143369946414021,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID 1096)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1628 --field-trial-handle=1396,i,7487848171243804678,18425143369946414021,131072 /prefetch:8

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID 848)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2296 --field-trial-handle=1396,i,7487848171243804678,18425143369946414021,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID 2196)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2320 --field-trial-handle=1396,i,7487848171243804678,18425143369946414021,131072 /prefetch:1

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID 2748)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1568 --field-trial-handle=1396,i,7487848171243804678,18425143369946414021,131072 /prefetch:2

  C:\Program Files\Google\Chrome\Application\chrome.exe (level 2, PID 2848)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1396,i,7487848171243804678,18425143369946414021,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe (level 1, PID 2892)
  Command line: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 16B
MD5: 18e723571b00fb1694a3bad6c78e4054
SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 457KB
MD5: 97eee85d1aebf93d5d9400cb4e9c771b
SHA1: 26fa2bf5fce2d86b891ac0741a6999bff31397de
SHA256: 30df6c8cbd255011d80fa6e959179d47c458bc4c4d9e78c4cf571aa611cd7d24
SHA512: 8cecc533c07c91c67b93a7ae46102a0aae7f4d3d88d04c250231f0bcd8e1f173daf06e94b5253a66db3f2a052c51e62154554368929294178d2b3597c1cca7e6

Filesize: 492B
MD5: 7a0f1fa20fd40c047b07379da5290f2b
SHA1: e0fb8305de6b661a747d849edb77d95959186fca
SHA256: b0ad9e9d3d51e8434cc466bec16e2b94fc2d03bab03b48ccf57db86ae8e2c9b6
SHA512: bb5b3138b863811a8b9dcba079ac8a2828dae73943a1cc1d107d27faca509fda9f03409db7c23d5d70b48d299146de14b656314a24b854f3ae4fdb6ef6770346

Filesize: 8KB
MD5: 35b24c473bdcdb4411e326c6c437e8ed
SHA1: ec1055365bc2a66e52de2d66d24d742863c1ce3d
SHA256: 4530fcc91e4d0697a64f5e24d70e2b327f0acab1a9013102ff04236841c5a617
SHA512: 32722f1484013bbc9c1b41b3fdaf5cd244ec67facaa2232be0e90455719d664d65cae1cd670adf5c40c67f568122d910b30e3e50f7cc06b0350a6a2d34d371de

Filesize: 5KB
MD5: a8e19de6669e831956049685225058a8
SHA1: 6d2546d49d92b18591ad4fedbc92626686e7e979
SHA256: 34856528d8b7e31caa83f350bc4dbc861120dc2da822a9eb896b773bc7e1f564
SHA512: 5c407d4aa5731bd62c2a1756127f794382dc5e2b214298acfa68698c709fbbe3f2aa8dbdcbef02ed2a49f8f35969959946e9f727895bdca4500d16e84f4ef2e8

Filesize: 1.3MB
MD5: 8d5f2392eb03381a2a04141f646e09ef
SHA1: 1af32a3f6b6a1ae7b7ad8c5b712536ac2e561d20
SHA256: 01b51286fd4107a421da45966287b0170d26707ba0b84fc529cc3a8f096acdf8
SHA512: 3ba97a63b9ead9c68b6260f9ddd4c220bea8d934c5ed485a93cac537b9ca2bc53e5da0e8a1214a80fcc107746614f825bf1dbbaf9d037b907120b400731631a1

Filesize: 646KB
MD5: b863a9ac3bcdcde2fd7408944d5bf976
SHA1: 4bd106cd9aefdf2b51f91079760855e04f73f3b0
SHA256: 0fe8e3cd44a89c15dec75ff2949bac1a96e1ea7e0040f74df3230569ac9e37b0
SHA512: 4b30c3b119c1e7b2747d2745b2b79c61669a33b84520b88ab54257793e3ed6e76378dea2b8ff048cb1822187ffdc20e921d658bb5b0482c23cfa7d70f4e7aa1a

Filesize: 96KB
MD5: d0ffddfa4c882ae680866b62c0dba51a
SHA1: 8bbf91ec2a6c0595fd4d0c1d077f8ecbcdc75172
SHA256: ff3fc2692142f5fe3b65c82f7c47767388445a45a932f987f8fa76c916bd5705
SHA512: af5a4bf4bb6827880fc42d48173adb60cfa52028163aeda8c1efa5a00bc9af82dc017dc2510182945484c21c38d35e0bb03b00230128755690491af71f9b1f70

Filesize: 106B
MD5: 639d75ab6799987dff4f0cf79fa70c76
SHA1: be2678476d07f78bb81e8813c9ee2bfff7cc7efb
SHA256: fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98
SHA512: 4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Filesize: 4KB
MD5: d73d89b1ea433724795b3d2b524f596c
SHA1: 213514f48ece9f074266b122ee2d06e842871c8c
SHA256: 8aef975a94c800d0e3e4929999d05861868a7129b766315c02a48a122e3455d6
SHA512: 8b73be757ad3e0f2b29c0b130918e8f257375f9f3bf7b9609bac24b17369de2812341651547546af238936d70f38f050d6984afd16d47b467bcbba4992e42f41