ardamax | ef1dac65d328cc6074e8d639970c19e516078ae63a379f1e5496cf9ce403c92f

Analysis

max time kernel
142s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-09-2024 18:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
Size

565KB
MD5

dafbe70a0e0c355d3b38a06671d0f3fa
SHA1

0c90933be0af2e852c7cfa247bef6c5f31a64df8
SHA256

ef1dac65d328cc6074e8d639970c19e516078ae63a379f1e5496cf9ce403c92f
SHA512

20878cb551a3d000c2a7acff7c3d299a876d3a71e9f85651672a3fb00f71e5c3fcaff661fc78f0c5fb76af307a26f446ab6a7962bb6b49f037b2a6a901df3a45
SSDEEP

12288:nEeFO2rpBZZUJojSR55ogstIvS5Q0L0pTPUGcH7JA1EhbYkYmpUDgoSMIi0CP:To21BPUh5mI/04p7BcbJA1EBs5Ii5P

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000193d5-9.dat	family_ardamax

Executes dropped EXE 1 IoCs

pid	Process
2336	YCLH.exe

Loads dropped DLL 4 IoCs

pid	Process
2068	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
2068	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
2336	YCLH.exe
2336	YCLH.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\YCLH Agent = "C:\\Windows\\SysWOW64\\28463\\YCLH.exe"	YCLH.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\key.bin	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\28463	YCLH.exe
File created	C:\Windows\SysWOW64\28463\YCLH.001	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\YCLH.006	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\YCLH.007	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\28463\YCLH.exe	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YCLH.exe

Modifies registry class 43 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\InprocServer32\ = "C:\\Windows\\SysWOW64\\FM20.DLL"	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\0	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\0\win32\	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\HELPDIR	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\HELPDIR\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\TypeLib\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\HTMLControl\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\MiscStatus\ = "657809"	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\FLAGS	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\Version	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\FLAGS\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\TypeLib\ = "{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}"	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\Version\	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\InprocServer32	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\MiscStatus	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\ToolboxBitmap32	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\ToolboxBitmap32\	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\ = "Okavovaf.Ojoco object"	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\MiscStatus\	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\0\win32	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\HTMLControl	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\"	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\TypeLib	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\Version\ = "2.0"	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\0\win32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\GROOVE.EXE\\70"	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\DefaultIcon	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\Implemented Categories	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\Implemented Categories\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\InprocServer32\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\ProgID\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\DefaultIcon\ = "C:\\Windows\\SysWOW64\\FM20.DLL,0"	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\FM20.DLL, 265"	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\0\	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\FLAGS\ = "4"	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\DefaultIcon\	YCLH.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\ProgID	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B111CC8-9507-44CE-F0B3-8970CC8D0A69}\ProgID\ = "Forms.HTML:Submitbutton.1"	YCLH.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8949A1F4-F530-E1B4-C4BD-869536F8AE7E}\1.0\ = "GrooveContactServicesAlpha"	YCLH.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2336	YCLH.exe
Token: SeIncBasePriorityPrivilege	2336	YCLH.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2336	YCLH.exe
2336	YCLH.exe
2336	YCLH.exe
2336	YCLH.exe
2336	YCLH.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2336	2068	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2336	2068	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2336	2068	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe	30
PID 2068 wrote to memory of 2336	2068	dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dafbe70a0e0c355d3b38a06671d0f3fa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\SysWOW64\28463\YCLH.exe
  "C:\Windows\system32\28463\YCLH.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\28463\YCLH.001

Filesize
298B

MD5
dbeb839788d3834c37238cb460fc23bb

SHA1
4ff9b9a697ef8ed6aa95a2d7c21f6e4c7f1b2c59

SHA256
1a97cf95d45d519264e6dadc260bae0ba91373458ef821b0ceb86069dac4e76d

SHA512
24fe3c43de00f020dceb150dcafa196d6316a7754cc8269588278c2ea09052d2a4d9521ed8a50a6108d3960cca0275adc1feaf9ec01af48f44c4096697e7ed8a

Download Submit
C:\Windows\SysWOW64\28463\YCLH.006

Filesize
8KB

MD5
3da3041787b72a7909d9f6184ce6bc5e

SHA1
fc7f00b8a1341b5341e2ba6f94ba85364bc90843

SHA256
18e06896cc71e99b717cff8d68cba86fea3eba5087b93734f6418e53cadab5b3

SHA512
150fa3f8eeec3621ac61eab0da3f2692dd776887ec0c1791404df3dd8784982563496e1e990217a99c4fd53c5d5d68e0574737879b72d78ab737033f1b08560a

Download Submit
C:\Windows\SysWOW64\28463\YCLH.007

Filesize
5KB

MD5
50d0bcf6b5a6b11d9e274ccefba3f02e

SHA1
57acf2a1236b7534f2db661a9d95aeadcd41aa2a

SHA256
a5e5cf8b3133031f25db37fd13b029cdfc9d1588ca7f68041e52349f46cbbf5c

SHA512
c0288f92c75f4a6ea45434e3960a3c5d8ed3d890121a3fd6da2449e1313db523224e301451d85a15ea8ee9b5c2fb3bf294ee90869a4d5608bcf48fa94458e938

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@CB79.tmp

Filesize
4KB

MD5
cb07753c45624238b4403480372be5db

SHA1
10af5bfbed599165d996470278f011728e866df7

SHA256
63c3ed8cbe11314a2f2cd6ff50305bad98075be9e09d22e45b47af557a3388e7

SHA512
2c72cca45ef924104c6892dd96f2e27a5d43bacc9f3eb0eeee24c871cc1bd1642d77734822d9d934f93a77c884fa1c682cf1ceddffe157a613978d9edd184312

Download Submit
\Windows\SysWOW64\28463\YCLH.exe

Filesize
647KB

MD5
a7b322839cedf8d56cb0a7dcdb50ab59

SHA1
d27855e65f5d9e87666f39d2af694a0d75330a75

SHA256
ba7362315c0608c9203c9d607fd85695fbc15f034ea40b3de7dd1abebd5859a3

SHA512
86a416ae639ca458e56093d5c04f3406ac0389cf9a1047f714424ba89ffd047ca58e6927bc941d285d4db9e8a95e91e0d578be3038a83945b6af90586ea9f649

Download Submit
memory/2068-11-0x0000000002520000-0x00000000025FF000-memory.dmp

Filesize
892KB

Download
memory/2336-36-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-32-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-54-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-53-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-52-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-51-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-56-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-49-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-48-0x00000000030B0000-0x00000000030B2000-memory.dmp

Filesize
8KB

Download
memory/2336-47-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-46-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-45-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-44-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-43-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-42-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-41-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-40-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-39-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-37-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-57-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-35-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-34-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-33-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-55-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-31-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-30-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-29-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-28-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2336-27-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2336-26-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2336-25-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2336-24-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/2336-23-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/2336-22-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2336-21-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2336-20-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/2336-19-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2336-58-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2336-61-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2336-60-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2336-59-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/2336-38-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2336-18-0x00000000003A0000-0x00000000003FA000-memory.dmp

Filesize
360KB

Download
memory/2336-17-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2336-68-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2336-69-0x00000000003A0000-0x00000000003FA000-memory.dmp

Filesize
360KB

Download
memory/2336-70-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/2336-71-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads