ardamax | 9107df88a4769554b7f49a7f10a79446c3c2e9769405b1a38522c48e2a0dd734

Analysis

max time kernel
141s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-09-2024 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aura Kasih.3gp.exe
Size

1.6MB
MD5

58488c76e6d0fd22564e21404013b5a5
SHA1

99490d02a265fca0b0bc9e872ad97692b0d15180
SHA256

381b23777603322ccaf6a8bfe5454f35aa6c8aba83b2d4a10a0f8634edeba592
SHA512

81d74d9816be07cbc0d0e9b8429b112d53c79dd230764333cfdcb159d11475eb6f881c0862c6b76f3d8e379139f89c80343222f05e8ab990d3311a478ae58112
SSDEEP

24576:3jqLBz+pKrlmMDRA7ELOh8iy0XYUlG2oBmyNE9PoH4xnJGmxW4fP2PgcBH:3GBiLMFAA+5X/zs+oTMW4fPu

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023476-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Aura Kasih.3gp.exe

Executes dropped EXE 1 IoCs

pid	Process
940	VLXX.exe

Loads dropped DLL 4 IoCs

pid	Process
4240	Aura Kasih.3gp.exe
940	VLXX.exe
940	VLXX.exe
940	VLXX.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VLXX Agent = "C:\\Windows\\SysWOW64\\28463\\VLXX.exe"	VLXX.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\VLXX.001	Aura Kasih.3gp.exe
File created	C:\Windows\SysWOW64\28463\VLXX.006	Aura Kasih.3gp.exe
File created	C:\Windows\SysWOW64\28463\VLXX.007	Aura Kasih.3gp.exe
File created	C:\Windows\SysWOW64\28463\VLXX.exe	Aura Kasih.3gp.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Aura Kasih.3gp.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Aura Kasih.3gp.exe
File opened for modification	C:\Windows\SysWOW64\28463	VLXX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aura Kasih.3gp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VLXX.exe

Modifies registry class 36 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\InprocServer32\ = "C:\\Windows\\SysWOW64\\wscapi.dll"	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\tsworkspace.dll"	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\VersionIndependentProgID\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\ProgID\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\0\win32\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\FLAGS\ = "0"	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\Version\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\ = "Tohaxix.Okoqi"	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\ProgID	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\0\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\tsworkspace.dll"	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\0\win64	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\FLAGS	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\FLAGS\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\ProgID\ = "wscAPI.WSCProductList.1"	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\ = "SSP Workspace 1.0 Type Library"	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\Version\ = "1.0"	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\InprocServer32\	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\Programmable	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\TypeLib\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\TypeLib\ = "{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}"	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\InprocServer32	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\TypeLib	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\Version	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\VersionIndependentProgID\ = "wscAPI.WSCProductList"	VLXX.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	Aura Kasih.3gp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\0\win32	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\VersionIndependentProgID	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4A8AA719-A824-4FAB-778A-776AFFBCE21E}\Programmable\	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\	VLXX.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\0	VLXX.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E82BE22-C055-6E63-B205-2E4C96FD9D3E}\1.0\0\win64\	VLXX.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2836	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2836	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2668	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2668	AUDIODG.EXE
Token: 33	2836	vlc.exe
Token: SeIncBasePriorityPrivilege	2836	vlc.exe
Token: 33	940	VLXX.exe
Token: SeIncBasePriorityPrivilege	940	VLXX.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe

Suspicious use of SendNotifyMessage 7 IoCs

pid	Process
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe
2836	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2836	vlc.exe
2836	vlc.exe
940	VLXX.exe
940	VLXX.exe
940	VLXX.exe
940	VLXX.exe
940	VLXX.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4240 wrote to memory of 940	4240	Aura Kasih.3gp.exe	82
PID 4240 wrote to memory of 940	4240	Aura Kasih.3gp.exe	82
PID 4240 wrote to memory of 940	4240	Aura Kasih.3gp.exe	82
PID 4240 wrote to memory of 2836	4240	Aura Kasih.3gp.exe	83
PID 4240 wrote to memory of 2836	4240	Aura Kasih.3gp.exe	83

C:\Users\Admin\AppData\Local\Temp\Aura Kasih.3gp.exe
"C:\Users\Admin\AppData\Local\Temp\Aura Kasih.3gp.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4240
- C:\Windows\SysWOW64\28463\VLXX.exe
  "C:\Windows\system32\28463\VLXX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:940
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\Smu_Panas_Beredar (1).3gp"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@9366.tmp

Filesize
4KB

MD5
cb07753c45624238b4403480372be5db

SHA1
10af5bfbed599165d996470278f011728e866df7

SHA256
63c3ed8cbe11314a2f2cd6ff50305bad98075be9e09d22e45b47af557a3388e7

SHA512
2c72cca45ef924104c6892dd96f2e27a5d43bacc9f3eb0eeee24c871cc1bd1642d77734822d9d934f93a77c884fa1c682cf1ceddffe157a613978d9edd184312

Download Submit
C:\Users\Admin\AppData\Local\Temp\Smu_Panas_Beredar (1).3gp

Filesize
746KB

MD5
ad31960a1842bb649b7734cb576dbbb9

SHA1
385a4a78106fec539459edf87939f1e59709ab61

SHA256
1cf0cae32ded2f55359fbb2a28a92bc65f5f31bc66a70e91afb1da16c6008bd8

SHA512
e5a000d9397a0f011095529eef1650594e16a5fdefc046e3e305078e11089992ecb8a747da5aa4c1bc98dd7e8be21bb18c000e924f8ff44a682a4de5dae4ab27

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
42e2202ac32edb39ccf9979515018d85

SHA1
c1e07fbe2fa759e2775d4dcf7de23a66d2422a1a

SHA256
367b4028baf3df4a5f77169bd64c9ef8fd7968a4d6c852ae3f81a726f4b37222

SHA512
a97d9e968b1f63dedba74999aabe6fd150aae985c1143d29b183cc0d663a45252c57494c3457136c5e500050c6af6c819f9ba7070b7d62300ede2e9a7c792768

Download Submit
C:\Windows\SysWOW64\28463\VLXX.001

Filesize
412B

MD5
30480670dbede82c3e9fa67f4e642fec

SHA1
5d46c5eb221c7dbcd14a650f77a5107e39534ee8

SHA256
b868b691ac97168080c24afbbeec5acf31f0c51c1a11277dccb34d86c24d85b1

SHA512
ae9383687e9094c4f0dede8c9cee134666cf7c85b881eb705087caa1dfb18be39ddcaa96129b7e1d521008f470a9cfe59dfa6135880ed39712c88a427064474d

Download Submit
C:\Windows\SysWOW64\28463\VLXX.006

Filesize
8KB

MD5
3da3041787b72a7909d9f6184ce6bc5e

SHA1
fc7f00b8a1341b5341e2ba6f94ba85364bc90843

SHA256
18e06896cc71e99b717cff8d68cba86fea3eba5087b93734f6418e53cadab5b3

SHA512
150fa3f8eeec3621ac61eab0da3f2692dd776887ec0c1791404df3dd8784982563496e1e990217a99c4fd53c5d5d68e0574737879b72d78ab737033f1b08560a

Download Submit
C:\Windows\SysWOW64\28463\VLXX.007

Filesize
5KB

MD5
50d0bcf6b5a6b11d9e274ccefba3f02e

SHA1
57acf2a1236b7534f2db661a9d95aeadcd41aa2a

SHA256
a5e5cf8b3133031f25db37fd13b029cdfc9d1588ca7f68041e52349f46cbbf5c

SHA512
c0288f92c75f4a6ea45434e3960a3c5d8ed3d890121a3fd6da2449e1313db523224e301451d85a15ea8ee9b5c2fb3bf294ee90869a4d5608bcf48fa94458e938

Download Submit
C:\Windows\SysWOW64\28463\VLXX.exe

Filesize
647KB

MD5
a7b322839cedf8d56cb0a7dcdb50ab59

SHA1
d27855e65f5d9e87666f39d2af694a0d75330a75

SHA256
ba7362315c0608c9203c9d607fd85695fbc15f034ea40b3de7dd1abebd5859a3

SHA512
86a416ae639ca458e56093d5c04f3406ac0389cf9a1047f714424ba89ffd047ca58e6927bc941d285d4db9e8a95e91e0d578be3038a83945b6af90586ea9f649

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/940-55-0x00000000021A0000-0x00000000021FA000-memory.dmp

Filesize
360KB

Download
memory/940-27-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/940-26-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/940-25-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/940-24-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/940-23-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/940-22-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/940-28-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/940-46-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/940-45-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/940-44-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/940-29-0x0000000003210000-0x0000000003212000-memory.dmp

Filesize
8KB

Download
memory/940-30-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/940-31-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/940-20-0x00000000021A0000-0x00000000021FA000-memory.dmp

Filesize
360KB

Download
memory/940-54-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/940-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/940-56-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/940-114-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2836-67-0x00007FFCD8310000-0x00007FFCD8321000-memory.dmp

Filesize
68KB

Download
memory/2836-74-0x00007FFCD7E90000-0x00007FFCD7EA1000-memory.dmp

Filesize
68KB

Download
memory/2836-59-0x00007FFCD8590000-0x00007FFCD85C4000-memory.dmp

Filesize
208KB

Download
memory/2836-60-0x00007FFCD7A60000-0x00007FFCD7D16000-memory.dmp

Filesize
2.7MB

Download
memory/2836-66-0x00007FFCD8330000-0x00007FFCD834D000-memory.dmp

Filesize
116KB

Download
memory/2836-68-0x00007FFCD7660000-0x00007FFCD786B000-memory.dmp

Filesize
2.0MB

Download
memory/2836-65-0x00007FFCD8350000-0x00007FFCD8361000-memory.dmp

Filesize
68KB

Download
memory/2836-64-0x00007FFCD8370000-0x00007FFCD8387000-memory.dmp

Filesize
92KB

Download
memory/2836-63-0x00007FFCDC1B0000-0x00007FFCDC1C1000-memory.dmp

Filesize
68KB

Download
memory/2836-62-0x00007FFCDE450000-0x00007FFCDE467000-memory.dmp

Filesize
92KB

Download
memory/2836-75-0x00007FFCD7E70000-0x00007FFCD7E81000-memory.dmp

Filesize
68KB

Download
memory/2836-61-0x00007FFCE0010000-0x00007FFCE0028000-memory.dmp

Filesize
96KB

Download
memory/2836-73-0x00007FFCD8170000-0x00007FFCD8181000-memory.dmp

Filesize
68KB

Download
memory/2836-72-0x00007FFCD8190000-0x00007FFCD81A8000-memory.dmp

Filesize
96KB

Download
memory/2836-71-0x00007FFCD8270000-0x00007FFCD8291000-memory.dmp

Filesize
132KB

Download
memory/2836-70-0x00007FFCD82A0000-0x00007FFCD82E1000-memory.dmp

Filesize
260KB

Download
memory/2836-69-0x00007FFCC8670000-0x00007FFCC9720000-memory.dmp

Filesize
16.7MB

Download
memory/2836-79-0x00007FFCD7A60000-0x00007FFCD7D16000-memory.dmp

Filesize
2.7MB

Download
memory/2836-88-0x00007FFCC8670000-0x00007FFCC9720000-memory.dmp

Filesize
16.7MB

Download
memory/2836-107-0x00007FFCC8670000-0x00007FFCC9720000-memory.dmp

Filesize
16.7MB

Download
memory/2836-58-0x00007FF6F2A40000-0x00007FF6F2B38000-memory.dmp

Filesize
992KB

Download
memory/2836-117-0x00007FFCD7A60000-0x00007FFCD7D16000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads