ardamax | 4fe567fbfa19c25b7745aefd53641719f0fba29858fcc6afc62ed9c539f0776d

Analysis

max time kernel
142s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-07-2024 05:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe
Size

928KB
MD5

7b63c6ed6a73618ca60d7f04a135a9a4
SHA1

370bf6e50f9ba2d5e6ae6f808460f94a2753db16
SHA256

4fe567fbfa19c25b7745aefd53641719f0fba29858fcc6afc62ed9c539f0776d
SHA512

b62b04ada19a33f77ced130a6f242d3718d3aac30eb6f49376194c8b39173bc1a360cc4e8582c78dd22ad0d66761a7a663e2764844226cfc6c93cc954e268b98
SSDEEP

12288:Jz6VcyuK5jBPYRMCYdpa35hwD2hKw+HDoxUgcT/NlgJOBQrM1B/3H/tImEBTPXL:JGVcyuKbPY4dovqqKw+rlwOBQrM1B/I

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0007000000016dd8-23.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
3016	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
2904	PAAD.exe

Loads dropped DLL 7 IoCs

pid	Process
2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe
2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe
2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe
3016	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
3016	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
2904	PAAD.exe
2904	PAAD.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\PAAD Agent = "C:\\Windows\\SysWOW64\\28463\\PAAD.exe"	PAAD.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\PAAD.006	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
File created	C:\Windows\SysWOW64\28463\PAAD.007	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
File created	C:\Windows\SysWOW64\28463\PAAD.exe	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
File created	C:\Windows\SysWOW64\28463\key.bin	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
File created	C:\Windows\SysWOW64\28463\AKV.exe	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
File opened for modification	C:\Windows\SysWOW64\28463	PAAD.exe
File created	C:\Windows\SysWOW64\28463\PAAD.001	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PAAD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE

Modifies registry class 37 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\0	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\TypeLib\	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\VersionIndependentProgID	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\ = "Ebowe Ebewatsa Class"	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\Implemented Categories	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\Implemented Categories\	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\ProgID\	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\ProgID\ = "MSVidCtl.MSVidStreamBufferSource.1"	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\140"	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\FLAGS\ = "0"	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\FLAGS	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\Version	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\Version\	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\VersionIndependentProgID\ = "MSVidCtl.MSVidStreamBufferSource"	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll"	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\ProgID	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\Programmable	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\0\win32\	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\HELPDIR\	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\TypeLib	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\InprocServer32	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\ = "GrooveWebChatService"	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\0\win32	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\HELPDIR	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\InprocServer32\	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\Programmable\	PAAD.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\Version\ = "1.0"	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\VersionIndependentProgID\	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\0\	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}\1.0\FLAGS\	PAAD.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{67A37174-2A82-472D-B9B7-F149A11226B4}\TypeLib\ = "{FAFEB2EA-D7BD-B64F-D31F-4F97420174B7}"	PAAD.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe
Token: 33	2904	PAAD.exe
Token: SeIncBasePriorityPrivilege	2904	PAAD.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2904	PAAD.exe
2904	PAAD.exe
2904	PAAD.exe
2904	PAAD.exe
2904	PAAD.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 2196 wrote to memory of 3016	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	30
PID 3016 wrote to memory of 2904	3016	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE	31
PID 3016 wrote to memory of 2904	3016	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE	31
PID 3016 wrote to memory of 2904	3016	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE	31
PID 3016 wrote to memory of 2904	3016	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE	31
PID 2196 wrote to memory of 2820	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	32
PID 2196 wrote to memory of 2820	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	32
PID 2196 wrote to memory of 2820	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	32
PID 2196 wrote to memory of 2820	2196	7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE
  "C:\Users\Admin\AppData\Local\Temp\7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\28463\PAAD.exe
    "C:\Windows\system32\28463\PAAD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2904
- C:\Users\Admin\AppData\Local\Temp\7B63C6~1.EXE
  C:\Users\Admin\AppData\Local\Temp\7B63C6~1.EXE CLEANUP=C:\Users\Admin\AppData\Local\Temp\7B63C6~2.EXE
  2⤵
  PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
19794a23edc7494063603d316165c04f

SHA1
6b5050be2ffa32cc3dd0d1e53fa2cfe355c59b4e

SHA256
20aa8a967c2982acf1afce320284de9b4749fd3326b63c08fad8921720764b3e

SHA512
8f782e06cd32844a336548083eeb50d818ba8acbbba042719da7505dd2d239dc133eedcf244c19901bba7424d2eef60a977b6d6795de9baa6d56ad13c3828774

Download Submit
C:\Windows\SysWOW64\28463\PAAD.001

Filesize
392B

MD5
29bd66e4c67fa151774afebbed76db7d

SHA1
c110469affa20bb75bcb11217e2e219a43094d3d

SHA256
39a25696a46e126e2d6cd23a835bd695e35fe75e192414a80c5ad675df7e557e

SHA512
0d53e736a058eae72f3d75eb74e85057d0532caab4a14f8fdf6a43d678215b412231a9a6aa59fcf7e8b59632c69ff523c426af6328b99ed214b4883f27d9f740

Download Submit
C:\Windows\SysWOW64\28463\PAAD.006

Filesize
8KB

MD5
bc5fd352bfe50a09ffd84c95f697f9b4

SHA1
847a869a2b789c2f5c9845340f133b8845976aaa

SHA256
1c1bd72088d746302e15ed63f343bdbabae5ff39f1633e8f60ccd8e20dc0863f

SHA512
b52e8a1507b037ec2c5704c495bb53f3275a60ea35f02928117cb9dfe4718a78f77077571cd75bbe70c2b8f993251350db832834c509d1af9a20d00cedb5a197

Download Submit
C:\Windows\SysWOW64\28463\PAAD.007

Filesize
5KB

MD5
110bdf91b758328b3f33b4ab7d9fd480

SHA1
29d9ea9f08248307ef20c63cd1f02e8a5256d90b

SHA256
9cd15a69297174a062f839ee86f2f583f09952475891683a042f56d04bd581b3

SHA512
53efa1f722045a4f446e38bd780af1e5212de6052677596a7628eac2aa4a562c9752ae9859ee92530f5b3ac9ab2717777edbabdcb09f3f9ede2ba6063fe4bec7

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\7b63c6ed6a73618ca60d7f04a135a9a4_JaffaCakes118.TMP0.EXE

Filesize
786KB

MD5
f240e6f80a5512cf6ecd4ac0e2573423

SHA1
17d9397a46e2ce51b283e1cbb836dfe86ae7d339

SHA256
c914bdcd3b2f4a5d339d322d0524f86913110f1c22a7c1ef797f33a2a0d1bfd3

SHA512
7b9343a599c57a62cfc78698f2d630ee0d5137fca99b1e7cdbdf72d44abdf7dcf30cda047a131c191764b62ff1612490cc8b16ffc727f8ddc56d21f37c5bef76

Download Submit
\Users\Admin\AppData\Local\Temp\@A92B.tmp

Filesize
4KB

MD5
70c6ae41897fd3fbc90821be9f6dcafd

SHA1
212294333e175cd4e647bd1738cf1e48de41fae2

SHA256
6e8e43f1ef95d0dce19434dbeb9576fdbafcfcd8ff2a1d0ada36516b1c11d634

SHA512
8822bc940cf1b64e2ec6b318a7f9702c056fcd45da025091609d9e1c455f6d00e2d9413433f827aad63c29212125d100027e43f4adcb235001b269ba0b6f54b3

Download Submit
\Users\Admin\AppData\Local\Temp\ArmA65D.tmp

Filesize
108KB

MD5
46acd2202f5ce96e8ef48499ef2ff6ce

SHA1
b1c73d8b5d17d4d2740adb8d21d5039beb662e35

SHA256
331d1c73eb030ca63dab76bf8e28d17b2f3c65c20250638d1835be585b3f94be

SHA512
4afad7352cecfe45ab0232f3df23e446c7f67706a4afa98222663fe490df38f95d975c715ddd1cb04627e224be7a81bf98b1c7d839783ae5b5ad8c5f740b4c23

Download Submit
\Windows\SysWOW64\28463\PAAD.exe

Filesize
648KB

MD5
ee07ce6e1da01ee9aa4a9cf523878dd7

SHA1
5d964e5919146fd2cd410909c03f3aab456cf062

SHA256
4ab1e4414b3659a21a5a39b0edd80e967e73140a809f6a8407e46df963ed8f7b

SHA512
487eade2e555e270536c1eeaf82ade3436cb8baef5476959a7de0b74df1082ce1b3917a66bc71965e1d4ba95e043706a543b29cfa485d65edc3102a98174e6b3

Download Submit
memory/2904-46-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2904-35-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2904-32-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2904-34-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2904-43-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2904-48-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2904-44-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2904-49-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2904-51-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3016-37-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3016-12-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3016-13-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3016-31-0x0000000002A40000-0x0000000002B1F000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads