ardamax | dc8a14ceb1a4ef2aa2bde3e18e91c7f1d2e6e2545080034f7ebde286fe5acf62

Analysis

max time kernel
142s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05/02/2025, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe
Size

3.6MB
MD5

99aff53fab95a70ee39be4ec0b21b2d5
SHA1

26acdefec57536ddb22f90fb9faf90f78a666140
SHA256

dc8a14ceb1a4ef2aa2bde3e18e91c7f1d2e6e2545080034f7ebde286fe5acf62
SHA512

9528eaeeb2b7814a73601fdd68cd4c0de471d46ce405ce6460cbe83aeb0f9f6cd68be5d533e4680a18c32a02d26e74adc8476acfec5db8e5e4d77e640f911e05
SSDEEP

98304:ovjxjYZZooPiqRY0ycdO1J/SkhRbFYzh4O1:ovjd56dxk3agRYzh4O1

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000a000000023b1e-35.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	murkrow.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000\Control Panel\International\Geo\Nation	JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe

Executes dropped EXE 5 IoCs

pid	Process
5112	murkrow.exe
3332	svchost.exe
3032	murkrow.exe
3868	svchost.exe
2656	MDPU.exe

Loads dropped DLL 6 IoCs

pid	Process
3032	murkrow.exe
2656	MDPU.exe
3032	murkrow.exe
3032	murkrow.exe
2656	MDPU.exe
2656	MDPU.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MDPU Agent = "C:\\Windows\\SysWOW64\\28463\\MDPU.exe"	MDPU.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\MDPU.001	murkrow.exe
File created	C:\Windows\SysWOW64\28463\MDPU.006	murkrow.exe
File created	C:\Windows\SysWOW64\28463\MDPU.007	murkrow.exe
File created	C:\Windows\SysWOW64\28463\MDPU.exe	murkrow.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	murkrow.exe
File opened for modification	C:\Windows\SysWOW64\28463	MDPU.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	murkrow.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	murkrow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MDPU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	murkrow.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1121399784-3202166597-3503557106-1000_Classes\Local Settings	murkrow.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4040	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4040	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	2656	MDPU.exe
Token: SeIncBasePriorityPrivilege	2656	MDPU.exe
Token: 33	4560	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4560	AUDIODG.EXE
Token: 33	4040	vlc.exe
Token: SeIncBasePriorityPrivilege	4040	vlc.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4040	vlc.exe
4040	vlc.exe
4040	vlc.exe
4040	vlc.exe
4040	vlc.exe
4040	vlc.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
4040	vlc.exe
4040	vlc.exe
4040	vlc.exe
4040	vlc.exe
4040	vlc.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3100	JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe
2656	MDPU.exe
2656	MDPU.exe
2656	MDPU.exe
2656	MDPU.exe
2656	MDPU.exe
4040	vlc.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3100 wrote to memory of 5112	3100	JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe	86
PID 3100 wrote to memory of 5112	3100	JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe	86
PID 3100 wrote to memory of 5112	3100	JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe	86
PID 5112 wrote to memory of 3332	5112	murkrow.exe	87
PID 5112 wrote to memory of 3332	5112	murkrow.exe	87
PID 5112 wrote to memory of 3332	5112	murkrow.exe	87
PID 3332 wrote to memory of 3032	3332	svchost.exe	88
PID 3332 wrote to memory of 3032	3332	svchost.exe	88
PID 3332 wrote to memory of 3032	3332	svchost.exe	88
PID 3032 wrote to memory of 2656	3032	murkrow.exe	90
PID 3032 wrote to memory of 2656	3032	murkrow.exe	90
PID 3032 wrote to memory of 2656	3032	murkrow.exe	90
PID 3032 wrote to memory of 4040	3032	murkrow.exe	91
PID 3032 wrote to memory of 4040	3032	murkrow.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99aff53fab95a70ee39be4ec0b21b2d5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3100
- C:\murkrow.exe
  "C:\murkrow.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\svchost.exe
    "C:\Windows\svchost.exe" "C:\murkrow.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3332
  - - C:\murkrow.exe
      "C:\murkrow.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3032
    - - C:\Windows\SysWOW64\28463\MDPU.exe
        
        "C:\Windows\system32\28463\MDPU.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2656
    - - C:\Program Files\VideoLAN\VLC\vlc.exe
        
        "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Local\Temp\cbjr.mp3"
        5⤵
        Suspicious behavior: AddClipboardFormatListener
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:4040

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3868

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0 0x32c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@6B7B.tmp

Filesize
4KB

MD5
c3679c3ff636d1a6b8c65323540da371

SHA1
d184758721a426467b687bec2a4acc80fe44c6f8

SHA256
d4eba51c616b439a8819218bddf9a6fa257d55c9f04cf81441cc99cc945ad3eb

SHA512
494a0a32eef4392ecb54df6e1da7d93183473c4e45f4ac4bd6ec3b0ed8c85c58303a0d36edec41420d05ff624195f08791b6b7e018419a3251b7e71ec9b730e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\cbjr.mp3

Filesize
3.1MB

MD5
709b0fe0a0f984a1fb6f1fec5e109253

SHA1
b743771c7ad7fe1702efc8847368592bc8e6a5f2

SHA256
7a5a94004068d307b76e10aaba89c93265c1de5cb80573bc401def18dbbfef5a

SHA512
cb312ce62ff14eae8cc1f123485d389e128b35cd1f2679536ec847f5eb907040b7ed20af337cf8589a93609391ec418c4e7ba22fe05ca91ba883aa507ff053dd

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
395KB

MD5
b8fa30233794772b8b76b4b1d91c7321

SHA1
0cf9561be2528944285e536f41d502be24c3aa87

SHA256
14116fa79ccc105fabd312b4dff74933f8684c6b27db37e5e3a79d159092d29a

SHA512
10ce8b18e7afb8c7e30bb90b0a1f199ef0b77873fa7a9efc596606e151be6b516c0ec6222a9032bdcc527e80964f53d20a28fa1881a08b4df303b2e28204549d

Download Submit
C:\Windows\SysWOW64\28463\MDPU.001

Filesize
526B

MD5
121ca44673a95b4f4e9c321a05c6e243

SHA1
8d22d12aebb0e0e9dbfac8e08070ac8cf7f67281

SHA256
d13c847dcd7971fcbd4aabe25db8f2d3f9dd73c4fa7549b0fcf0c3e7adef15dd

SHA512
a9afe3f1c5b44608892c06ed8f9a8492976375997fd93ead1fe2d2f51cb5894eea97941087248de416c34b707bc036a540a2a8de0daba881b78adf529f18be74

Download Submit
C:\Windows\SysWOW64\28463\MDPU.006

Filesize
8KB

MD5
43f02e9974b1477c1e6388882f233db0

SHA1
f3e27b231193f8d5b2e1b09d05ae3a62795cf339

SHA256
3c9e56e51d5a7a1b9aefe853c12a98bf246039aa46db94227ea128f6331782ba

SHA512
e22d14735606fe75ee5e55204807c3f5531d3e0c4f63aa4a3b2d4bb6abda6128c7e2816753f2e64400ac6dae8f8ef1e013a7a464dff2a79ad9937c48821a067f

Download Submit
C:\Windows\SysWOW64\28463\MDPU.007

Filesize
5KB

MD5
b5a87d630436f958c6e1d82d15f98f96

SHA1
d3ff5e92198d4df0f98a918071aca53550bf1cff

SHA256
a895ad4d23e8b2c2dc552092f645ca309e62c36d4721ebfe7afd2eee7765d4b2

SHA512
fd7bae85a86bdaa12fec826d1d38728a90e2037cb3182ad7652d8a9f54c4b322734c587b62221e6f907fce24fcf2e0ae4cce1f5e3d8861661064b4da24bd87ce

Download Submit
C:\Windows\SysWOW64\28463\MDPU.exe

Filesize
473KB

MD5
17535dddecf8cb1efdba1f1952126547

SHA1
a862a9a3eb6c201751be1038537522a5281ea6cb

SHA256
1a3d28ac6359e58aa656f4734f9f36b6c09badadcf9fb900b9b118d90c38a9dd

SHA512
b4f31b552ab3bb3dafa365aa7a31f58674ae7ee82ce1d23457f2e7047431430b00abb3b5498491725639daf583b526b278a737168cfdc4e9ec796dfbc14a53d8

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\murkrow.exe

Filesize
3.5MB

MD5
9555e80fcea50d414650ef5fc425d87a

SHA1
47d6d7bd573c4bae2ef558f09aeb62c1a16f3035

SHA256
a8e819060d606b14b3c775ffab5df24ba23f4564be972fb255a705e85a633067

SHA512
658e2c216fd18d08ae3f8f4a8f83999b41d1bd18c34c7dbd4934a3c418deeb4377f230d74359db30c4c37ac67b06d2491c305b7c43fdb0a06770a58b697f839d

Download Submit
C:\murkrow.exe

Filesize
3.5MB

MD5
4b8e1c77e658e78c92b61a7692e5fa93

SHA1
31b7e09f6ad6d4e6d5f44f5fcdd8c11d3d4c10b7

SHA256
010acb325d1b11f88143cefcfcf292d5b59b3ce20cce8896658cce0b8a1edd34

SHA512
4ab22f09b1d12b96b42fa794f9f3392334fb6986bc7c7d6dd388ae5be71ab2408b94619cb730055bd139b1ab53a4a8be1a2c34fd591f9a495978a379dfca0808

Download Submit
C:\murkrow.exe

Filesize
3.5MB

MD5
9656d3f7499a0adcc7777d15cb928783

SHA1
5af0b7153515175f3eb0c2ca3c70291d2b451fc8

SHA256
075719a3e7affa8328885631dfe6a914802fb748bc9aa7dd900c8fb373747501

SHA512
c011b15094eec8f87c9df10ea5580c5f5d8b6e829ce9308eb60af149077fcc081805a0c560c51175fd39b5ffbd6f135cfde7e1caa5150f39827445d799f7e3f9

Download Submit
memory/3332-23-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3868-81-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3868-62-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4040-72-0x00007FF82BD70000-0x00007FF82BD81000-memory.dmp

Filesize
68KB

Download
memory/4040-80-0x00007FF82B920000-0x00007FF82B931000-memory.dmp

Filesize
68KB

Download
memory/4040-63-0x00007FF6ACA80000-0x00007FF6ACB78000-memory.dmp

Filesize
992KB

Download
memory/4040-73-0x00007FF81BCE0000-0x00007FF81BEEB000-memory.dmp

Filesize
2.0MB

Download
memory/4040-65-0x00007FF81C410000-0x00007FF81C6C6000-memory.dmp

Filesize
2.7MB

Download
memory/4040-71-0x00007FF82BD90000-0x00007FF82BDAD000-memory.dmp

Filesize
116KB

Download
memory/4040-70-0x00007FF82BDB0000-0x00007FF82BDC1000-memory.dmp

Filesize
68KB

Download
memory/4040-69-0x00007FF82BEC0000-0x00007FF82BED7000-memory.dmp

Filesize
92KB

Download
memory/4040-68-0x00007FF82F5A0000-0x00007FF82F5B1000-memory.dmp

Filesize
68KB

Download
memory/4040-67-0x00007FF831620000-0x00007FF831637000-memory.dmp

Filesize
92KB

Download
memory/4040-66-0x00007FF8332E0000-0x00007FF8332F8000-memory.dmp

Filesize
96KB

Download
memory/4040-64-0x00007FF82BDD0000-0x00007FF82BE04000-memory.dmp

Filesize
208KB

Download
memory/4040-79-0x00007FF82BA00000-0x00007FF82BA11000-memory.dmp

Filesize
68KB

Download
memory/4040-78-0x00007FF82BA20000-0x00007FF82BA31000-memory.dmp

Filesize
68KB

Download
memory/4040-74-0x00007FF81AC30000-0x00007FF81BCE0000-memory.dmp

Filesize
16.7MB

Download
memory/4040-77-0x00007FF82BD50000-0x00007FF82BD68000-memory.dmp

Filesize
96KB

Download
memory/4040-76-0x00007FF82BA40000-0x00007FF82BA61000-memory.dmp

Filesize
132KB

Download
memory/4040-75-0x00007FF82BA70000-0x00007FF82BAB1000-memory.dmp

Filesize
260KB

Download
memory/4040-112-0x00007FF81AC30000-0x00007FF81BCE0000-memory.dmp

Filesize
16.7MB

Download
memory/4040-93-0x00007FF81AC30000-0x00007FF81BCE0000-memory.dmp

Filesize
16.7MB

Download
memory/5112-14-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads