ardamax | 51e6aebe4c253fb39aae33880847c92ae69487739e78152006a0fb840cacccb0

Analysis

max time kernel
148s
max time network
120s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
02/02/2025, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

guia del AMORRRRRRRR.exe
Size

4.3MB
MD5

d876fdc6818190fc7ecc1e849cb6b3c0
SHA1

ca964ab6263ef213b0e865dd4a30b31776e78744
SHA256

e423ed04c23696b1463447e89aa2b8084aea4746dd5e039f4a8218f59675f7c6
SHA512

80cba59de560e1168e31a0e053b99c53aee9afd841284bf0717426df773f7ff59de3b0454da74e528f3751c798ba5f01c5e91875c133f41261fb1c47e6ca29dc
SSDEEP

98304:F1dl23qOyYd6oHKzh9CNs8142z6VVegllWP2QN/rK5OfpFE:myYYoqUH1/zCvG2QtW8+

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral3/files/0x0006000000019242-36.dat	family_ardamax

Executes dropped EXE 2 IoCs

pid	Process
2936	Install.exe
2596	HBMK.exe

Loads dropped DLL 10 IoCs

pid	Process
2256	guia del AMORRRRRRRR.exe
2936	Install.exe
2936	Install.exe
2936	Install.exe
2936	Install.exe
2936	Install.exe
2596	HBMK.exe
2596	HBMK.exe
2596	HBMK.exe
2596	HBMK.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HBMK Agent = "C:\\Windows\\SysWOW64\\28463\\HBMK.exe"	HBMK.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\HBMK.001	Install.exe
File created	C:\Windows\SysWOW64\28463\HBMK.006	Install.exe
File created	C:\Windows\SysWOW64\28463\HBMK.007	Install.exe
File created	C:\Windows\SysWOW64\28463\HBMK.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	Install.exe
File created	C:\Windows\SysWOW64\28463\HBMK.009	HBMK.exe
File opened for modification	C:\Windows\SysWOW64\28463\HBMK.009	HBMK.exe
File created	C:\Windows\SysWOW64\28463\key.bin	Install.exe
File opened for modification	C:\Windows\SysWOW64\28463	HBMK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	guia del AMORRRRRRRR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HBMK.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\TypeLib\	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\VersionIndependentProgID	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\ = "Xamana Object"	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\ = "WinBioPolicy 1.0 Type Library"	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\HELPDIR	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\ProgID\	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\VersionIndependentProgID\ = "PortableDeviceWMDRM.PortableDeviceWMDRM"	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0\win32\ = "%SystemRoot%\\SysWow64\\biocpl.dll"	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\FLAGS	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\InprocServer32\	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\ProgID	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\ProgID\ = "PortableDeviceWMDRM.PortableDeviceWMDRM.1"	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0\win32	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0\win32\	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\TypeLib\ = "{E7569642-1547-1568-5629-B8E5A6814EB7}"	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\VersionIndependentProgID\	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\InprocServer32	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\TypeLib	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\Version	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0\	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\HELPDIR\	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\HELPDIR\ = "%SystemRoot%\\system32"	HBMK.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\0	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\Version\ = "1.0"	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\InprocServer32\ = "C:\\Windows\\SysWOW64\\portabledevicewmdrm.dll"	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\FLAGS\	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E7569642-1547-1568-5629-B8E5A6814EB7}\1.0\FLAGS\ = "0"	HBMK.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DF37876-0D3B-42FB-51AF-9FC09CD088F8}\Version\	HBMK.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2864	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2864	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2596	HBMK.exe
Token: SeIncBasePriorityPrivilege	2596	HBMK.exe
Token: 33	2864	vlc.exe
Token: SeIncBasePriorityPrivilege	2864	vlc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2864	vlc.exe
2864	vlc.exe
2864	vlc.exe
2864	vlc.exe
2864	vlc.exe
2864	vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2864	vlc.exe
2864	vlc.exe
2864	vlc.exe
2864	vlc.exe
2864	vlc.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2596	HBMK.exe
2596	HBMK.exe
2596	HBMK.exe
2596	HBMK.exe
2596	HBMK.exe
2864	vlc.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2936	2256	guia del AMORRRRRRRR.exe	30
PID 2256 wrote to memory of 2936	2256	guia del AMORRRRRRRR.exe	30
PID 2256 wrote to memory of 2936	2256	guia del AMORRRRRRRR.exe	30
PID 2256 wrote to memory of 2936	2256	guia del AMORRRRRRRR.exe	30
PID 2256 wrote to memory of 2936	2256	guia del AMORRRRRRRR.exe	30
PID 2256 wrote to memory of 2936	2256	guia del AMORRRRRRRR.exe	30
PID 2256 wrote to memory of 2936	2256	guia del AMORRRRRRRR.exe	30
PID 2936 wrote to memory of 2596	2936	Install.exe	31
PID 2936 wrote to memory of 2596	2936	Install.exe	31
PID 2936 wrote to memory of 2596	2936	Install.exe	31
PID 2936 wrote to memory of 2596	2936	Install.exe	31
PID 2936 wrote to memory of 2596	2936	Install.exe	31
PID 2936 wrote to memory of 2596	2936	Install.exe	31
PID 2936 wrote to memory of 2596	2936	Install.exe	31
PID 2256 wrote to memory of 2864	2256	guia del AMORRRRRRRR.exe	32
PID 2256 wrote to memory of 2864	2256	guia del AMORRRRRRRR.exe	32
PID 2256 wrote to memory of 2864	2256	guia del AMORRRRRRRR.exe	32
PID 2256 wrote to memory of 2864	2256	guia del AMORRRRRRRR.exe	32

C:\Users\Admin\AppData\Local\Temp\guia del AMORRRRRRRR.exe
"C:\Users\Admin\AppData\Local\Temp\guia del AMORRRRRRRR.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\28463\HBMK.exe
    "C:\Windows\system32\28463\HBMK.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2596
- C:\Program Files\VideoLAN\VLC\vlc.exe
  "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\3-cuando.mp3"
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3-cuando.mp3

Filesize
3.2MB

MD5
966999a7762c93404988e186372196b2

SHA1
4be609785a55bd53ffe4773f4f203869f394ec25

SHA256
c11cd70f089d7fe02808f7729434100d84b77091d6df39a6d21ecceab17d9143

SHA512
820807f07d9f7e0067c4c1b595f9e951faf93120fd2e2f9ec6c2855bfa3b8c2b6f0c588019b8de717c16dcd729b8bac6babcc4d85ffe25b6896131b16403cf4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\sfx.ini

Filesize
198B

MD5
0f1cae3280963a60c4625e18fc1b7c22

SHA1
3d2b70780fa54274229d78c970bb0c6a632a1337

SHA256
905f02023807d7e9e335a800b7be29ee89699438ab6071e034e398739927593e

SHA512
5e015d4165d6cc2a3232640cf2c54f82a6c9bd583db3569ab7e9c096e8b7c4fab7bfd54725232b62d86d9687d2fc17ba6946ce72fa8ca86b94e060215168e13a

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
46ccfd974518e5849738449034a05a17

SHA1
d391108816aed7ba8f7beb205ad7171c74eae6b2

SHA256
571aae1f8a260909dbc45c67b4c547fc573c07097b36d4e18db0e36d91deccfe

SHA512
773a40a37ebc54cbde7c40ca98001150e78da43726e475f1ee25ef869a39682c0fcd46fb57cf6130151cd8115aa6f2c196e57414affe464fd3b137eb5b317a7a

Download Submit
C:\Windows\SysWOW64\28463\HBMK.001

Filesize
624B

MD5
7bfd3b9de4a6b14eccef8fa67b32c021

SHA1
75636b19b8e6ee04e08282232c06c18ffbf07be3

SHA256
7461e839232322955ad4c4cfa045868356adccf1f93206c154abc07ebfe42316

SHA512
13b66816a442a6dd5fbd352e1f95aedc2b15e50e1db18594581eb9ef57d46091176b60bef34274aebd36e00620f9677ba595f7a9e00e638ca27d515d7d569693

Download Submit
C:\Windows\SysWOW64\28463\HBMK.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\HBMK.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
\Users\Admin\AppData\Local\Temp\@48E2.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
\Users\Admin\AppData\Local\Temp\Install.exe

Filesize
787KB

MD5
d06ded340770bb22e613ef7e7dfc3de0

SHA1
1c2be300320e9cecbba81b94e96bdbb12012c101

SHA256
f0cc11b7493de36b4ef0aa3a90aa2acdc71521577bcadaa931673365e2ecd0d9

SHA512
c8841d2f1be82ed064e3334dcc8912b98b26f0cd9d07f70a52a7dc119353b9aba5fa12acd508ae43f30282ca3d170736c9c15751af9f76a9bb2ca16c33429e77

Download Submit
\Windows\SysWOW64\28463\HBMK.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
memory/2596-49-0x0000000000493000-0x0000000000494000-memory.dmp

Filesize
4KB

Download
memory/2596-63-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2596-48-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2864-77-0x000007FEF6460000-0x000007FEF64A1000-memory.dmp

Filesize
260KB

Download
memory/2864-96-0x000007FEF4740000-0x000007FEF4805000-memory.dmp

Filesize
788KB

Download
memory/2864-66-0x000007FEF74E0000-0x000007FEF7514000-memory.dmp

Filesize
208KB

Download
memory/2864-69-0x000007FEF74C0000-0x000007FEF74D7000-memory.dmp

Filesize
92KB

Download
memory/2864-70-0x000007FEF74A0000-0x000007FEF74B1000-memory.dmp

Filesize
68KB

Download
memory/2864-71-0x000007FEF68F0000-0x000007FEF6907000-memory.dmp

Filesize
92KB

Download
memory/2864-72-0x000007FEF68D0000-0x000007FEF68E1000-memory.dmp

Filesize
68KB

Download
memory/2864-73-0x000007FEF68B0000-0x000007FEF68CD000-memory.dmp

Filesize
116KB

Download
memory/2864-74-0x000007FEF6890000-0x000007FEF68A1000-memory.dmp

Filesize
68KB

Download
memory/2864-67-0x000007FEF5CD0000-0x000007FEF5F86000-memory.dmp

Filesize
2.7MB

Download
memory/2864-68-0x000007FEFA680000-0x000007FEFA698000-memory.dmp

Filesize
96KB

Download
memory/2864-101-0x000007FEF2710000-0x000007FEF288A000-memory.dmp

Filesize
1.5MB

Download
memory/2864-88-0x000007FEF4920000-0x000007FEF499C000-memory.dmp

Filesize
496KB

Download
memory/2864-92-0x000007FEF4880000-0x000007FEF48D7000-memory.dmp

Filesize
348KB

Download
memory/2864-91-0x000007FEF48E0000-0x000007FEF48F1000-memory.dmp

Filesize
68KB

Download
memory/2864-93-0x000007FEF4850000-0x000007FEF487F000-memory.dmp

Filesize
188KB

Download
memory/2864-95-0x000007FEF4810000-0x000007FEF4821000-memory.dmp

Filesize
68KB

Download
memory/2864-94-0x000007FEF4830000-0x000007FEF4843000-memory.dmp

Filesize
76KB

Download
memory/2864-90-0x000007FEF4900000-0x000007FEF4918000-memory.dmp

Filesize
96KB

Download
memory/2864-65-0x000000013F2B0000-0x000000013F3A8000-memory.dmp

Filesize
992KB

Download
memory/2864-97-0x000007FEF2AC0000-0x000007FEF2B17000-memory.dmp

Filesize
348KB

Download
memory/2864-100-0x000007FEF2890000-0x000007FEF28A2000-memory.dmp

Filesize
72KB

Download
memory/2864-99-0x000007FEF28B0000-0x000007FEF28C1000-memory.dmp

Filesize
68KB

Download
memory/2864-98-0x000007FEF2A90000-0x000007FEF2AB8000-memory.dmp

Filesize
160KB

Download
memory/2864-89-0x000007FEF6300000-0x000007FEF6311000-memory.dmp

Filesize
68KB

Download
memory/2864-86-0x000007FEF6320000-0x000007FEF6350000-memory.dmp

Filesize
192KB

Download
memory/2864-87-0x000007FEF49A0000-0x000007FEF4A07000-memory.dmp

Filesize
412KB

Download
memory/2864-85-0x000007FEF6350000-0x000007FEF6368000-memory.dmp

Filesize
96KB

Download
memory/2864-84-0x000007FEF6370000-0x000007FEF6381000-memory.dmp

Filesize
68KB

Download
memory/2864-83-0x000007FEF6390000-0x000007FEF63AB000-memory.dmp

Filesize
108KB

Download
memory/2864-75-0x000007FEF4C20000-0x000007FEF5CD0000-memory.dmp

Filesize
16.7MB

Download
memory/2864-82-0x000007FEF63B0000-0x000007FEF63C1000-memory.dmp

Filesize
68KB

Download
memory/2864-81-0x000007FEF63D0000-0x000007FEF63E1000-memory.dmp

Filesize
68KB

Download
memory/2864-80-0x000007FEF63F0000-0x000007FEF6401000-memory.dmp

Filesize
68KB

Download
memory/2864-79-0x000007FEF6410000-0x000007FEF6428000-memory.dmp

Filesize
96KB

Download
memory/2864-78-0x000007FEF6430000-0x000007FEF6451000-memory.dmp

Filesize
132KB

Download
memory/2864-76-0x000007FEF4A10000-0x000007FEF4C1B000-memory.dmp

Filesize
2.0MB

Download
memory/2936-43-0x00000000032D0000-0x00000000033AF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads