ardamax | 699303fc0c44779671aff362f24b588017349ac24ad8b045f4cb68a54718df7f

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20-02-2025 22:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0ea4db93035fd9094e1075f873bcf204.exe
Size

1013KB
MD5

0ea4db93035fd9094e1075f873bcf204
SHA1

712c206b9bb85323b10fdb24a58705729f4dce7b
SHA256

699303fc0c44779671aff362f24b588017349ac24ad8b045f4cb68a54718df7f
SHA512

694660c1b8a632b0fb6be67eee757b98a539a353d37fb55c91dd02d147b58a22c1ad4f8e38cee600807169332424891e84da22cff6382846be5d4f2ac904881d
SSDEEP

24576:dEML4ErSE8AzigPaohIFWH3tymBeQt8MiokEwexJ:dEmrSEZz7PaAIFi3tzTME/J

Score

10^/10

ardamax defense_evasion discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000300000001ea67-18.dat	family_ardamax

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	Temp]®6-pOæ]
Key value queried	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Control Panel\International\Geo\Nation	VDEE.exe

Executes dropped EXE 3 IoCs

pid	Process
3468	Temp]®6-pOæ]
1524	VDEE.exe
4720	TCPOptimizer.exe

Loads dropped DLL 8 IoCs

pid	Process
3468	Temp]®6-pOæ]
1524	VDEE.exe
1524	VDEE.exe
1524	VDEE.exe
4720	TCPOptimizer.exe
4720	TCPOptimizer.exe
4720	TCPOptimizer.exe
5040	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VDEE Agent = "C:\\Windows\\SysWOW64\\28463\\VDEE.exe"	VDEE.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\VDEE.exe	Temp]®6-pOæ]
File created	C:\Windows\SysWOW64\28463\key.bin	Temp]®6-pOæ]
File opened for modification	C:\Windows\SysWOW64\28463	VDEE.exe
File created	C:\Windows\SysWOW64\28463\VDEE.001	Temp]®6-pOæ]
File created	C:\Windows\SysWOW64\28463\VDEE.006	Temp]®6-pOæ]
File created	C:\Windows\SysWOW64\28463\VDEE.007	Temp]®6-pOæ]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5040	1524	WerFault.exe	89

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0ea4db93035fd9094e1075f873bcf204.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp]®6-pOæ]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VDEE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TCPOptimizer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\TypeLib	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\Version	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\Version\	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\InprocServer32	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\ProgID\ = "Sapi.SpInprocRecognizer.1"	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\0\win32\	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\wshext.dll"	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\0\win64	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\TypeLib\	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\0\	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\TypeLib\ = "{816B6325-2ECA-CC2D-3893-02CD0410855F}"	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\Version\ = "5.4"	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\ = "Hixag Joraqcos Acomocin object"	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\FLAGS\ = "0"	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\VersionIndependentProgID	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\InprocServer32\	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\ProgID	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\0	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\wshext.dll"	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\0\win64\	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\FLAGS	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\FLAGS\	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\ = "ScriptSigner"	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\VersionIndependentProgID\	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\VersionIndependentProgID\ = "Sapi.SpInprocRecognizer"	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0439AA7E-FA86-42BD-439F-F855E859E051}\ProgID\	VDEE.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\	VDEE.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{816B6325-2ECA-CC2D-3893-02CD0410855F}\1.0\0\win32	VDEE.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	1524	VDEE.exe
Token: SeIncBasePriorityPrivilege	1524	VDEE.exe
Token: SeIncBasePriorityPrivilege	1524	VDEE.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
456	JaffaCakes118_0ea4db93035fd9094e1075f873bcf204.exe
4720	TCPOptimizer.exe
4720	TCPOptimizer.exe
1524	VDEE.exe
1524	VDEE.exe
1524	VDEE.exe
1524	VDEE.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 3468	456	JaffaCakes118_0ea4db93035fd9094e1075f873bcf204.exe	88
PID 456 wrote to memory of 3468	456	JaffaCakes118_0ea4db93035fd9094e1075f873bcf204.exe	88
PID 456 wrote to memory of 3468	456	JaffaCakes118_0ea4db93035fd9094e1075f873bcf204.exe	88
PID 3468 wrote to memory of 1524	3468	Temp]®6-pOæ]	89
PID 3468 wrote to memory of 1524	3468	Temp]®6-pOæ]	89
PID 3468 wrote to memory of 1524	3468	Temp]®6-pOæ]	89
PID 3468 wrote to memory of 4720	3468	Temp]®6-pOæ]	90
PID 3468 wrote to memory of 4720	3468	Temp]®6-pOæ]	90
PID 3468 wrote to memory of 4720	3468	Temp]®6-pOæ]	90
PID 1524 wrote to memory of 4880	1524	VDEE.exe	99
PID 1524 wrote to memory of 4880	1524	VDEE.exe	99
PID 1524 wrote to memory of 4880	1524	VDEE.exe	99

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ea4db93035fd9094e1075f873bcf204.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0ea4db93035fd9094e1075f873bcf204.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp]®6-pOæ]
  C:\Users\Admin\AppData\Local\Temp]®6-pOæ]
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3468
- - C:\Windows\SysWOW64\28463\VDEE.exe
    "C:\Windows\system32\28463\VDEE.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 1096
      4⤵
      Loads dropped DLL
      Program crash
      PID:5040
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Windows\SysWOW64\28463\VDEE.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4880
- - C:\Users\Admin\AppData\Local\Temp\TCPOptimizer.exe
    "C:\Users\Admin\AppData\Local\Temp\TCPOptimizer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1524 -ip 1524
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@BDD2.tmp

Filesize
4KB

MD5
d5456446c39c8c55dbd2b96fc3db832c

SHA1
29170d2a36967d7221f4be4880b91a7ac39694fa

SHA256
954225a0073664a8630c6397073d2a95ddc05fc42c6df67fa9c93cd88a3c250d

SHA512
73e2e6a7486f9888086821a80f43dedafb36411327b1fa939b7cf10d79d0edbe3b6e8ffc8653dbf7bd91d9f1891cb0a138966b72435008f551610da7906eb508

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCPOptimizer.exe

Filesize
596KB

MD5
16f0e71de1039bd4994f4b616a8277cd

SHA1
b00c3c27719036a1fee877351d673e39b143fa03

SHA256
fac566abfbfae5d64dff118eefe6d411374337a7bf0368e5ac548a1a391470ce

SHA512
ce52b66bab0f1fe9a97db55c8658a3566820d95b32d6d4d5af1cd149ed9c61850ca6dc4ff6aba1ee57754cdbedb001cf191249e5e3fba3833d88d93ad93c69f2

Download Submit
C:\Users\Admin\AppData\Local\Temp]®6-pOæ]

Filesize
821KB

MD5
2fff1df35aefd0ee7d4909dd6ac8a874

SHA1
24b4a014909e7c016deef74b23d9a80816ff4d57

SHA256
30fd0b5e9d36b91110456b83fbc5cd47b5312b8210ead86cbedf789348214479

SHA512
ad6552230b86a305d328167188fc56d1f989565103a7168db063a44b4ad0eb6287d5aafc61e0e4e612cb38b68aca71b5d09e31ea5927316e356a45a9cc792bce

Download Submit
C:\Windows\SysWOW64\28463\VDEE.001

Filesize
392B

MD5
76da4b5060e11fbcd58f9011fcb7fdc3

SHA1
8fe496171010b84aa90ab1e261370ebd098f9240

SHA256
da2e7a65345416b1afacca87ac8c0e6a5d7703bff5148b74a154a81f65ed7f37

SHA512
1bd6edb7dcf3491614ca0dcb8a40c3a76581953022d4e707f1e932537c7dd7215a259757c770466c9c53494326d55af4a077356f29e3fa1a5b7244fd398a8f5d

Download Submit
C:\Windows\SysWOW64\28463\VDEE.006

Filesize
8KB

MD5
ba8459868e395dec4cc2885877f2b8f2

SHA1
11fd7512269764e97fa5a255d2b48b4a38f9c556

SHA256
29e51eb35517943254213cb110d750a39de8767d7b5e2e87e53c88ef360a5e25

SHA512
6052a789cba2ad980a45d3cdf2e6da8ada4ead32599610c3c03325f2c986e77561eb6507ef3c84085f93c8149cb126fde06aba916dede73868a799491f16a009

Download Submit
C:\Windows\SysWOW64\28463\VDEE.007

Filesize
5KB

MD5
64b9577b7fc43cb891865e5a06a2589d

SHA1
3ce4d64477d31bcbac456e711f0263672f4d1fd9

SHA256
52949d0ae8c840a41254afa02155cf9b6647ac9df13d6a20cbcab787c42ae01f

SHA512
1f16f81674d2e6688243280dbabd50ad958061558e71e9d5425011ab943b4073b01e4181abfcb7c5051d7ef0419900acfb14652f4c3ada564e45178b02c4e4f0

Download Submit
C:\Windows\SysWOW64\28463\VDEE.exe

Filesize
648KB

MD5
4c5175d7b877a344e2b864dbd1d8a0ab

SHA1
6d8691610ee3d98293eb9b23db7ad8571267e535

SHA256
53660357b82c4db447ae1dc50d23d986235616eae3cfffe95550af8499e601da

SHA512
54712d8291d52a315ab3b1fb1802f5e9fe31eaafe4bbaee0071ab6ab7bc85fcf825b4213ce040a31792954e227626dd3fc3c0e8510696e53875a0e80ccf50555

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
105B

MD5
27c90d4d9b049f4cd00f32ed1d2e5baf

SHA1
338a3ea8f1e929d8916ece9b6e91e697eb562550

SHA256
172d6f21165fb3ca925e5b000451fd8946920206f7438018c28b158b90cf5ffb

SHA512
d73dadb3cf74c647ce5bad5b87d3fb42a212defcba8afb8cf962020b61a0369c0a2b1005797583daf1f1ae88b29b7288bc544a53d643f3519cf604aa0ffd6dae

Download Submit
memory/1524-39-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1524-34-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/1524-53-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1524-52-0x0000000003340000-0x0000000003343000-memory.dmp

Filesize
12KB

Download
memory/1524-55-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1524-56-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1524-45-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1524-44-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1524-43-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1524-42-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1524-41-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1524-40-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1524-57-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1524-38-0x0000000000C10000-0x0000000000C11000-memory.dmp

Filesize
4KB

Download
memory/1524-37-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/1524-36-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/1524-35-0x0000000002520000-0x0000000002521000-memory.dmp

Filesize
4KB

Download
memory/1524-54-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1524-33-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/1524-65-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1524-64-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/1524-63-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1524-62-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/1524-61-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/1524-60-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1524-58-0x00000000033B0000-0x00000000033B1000-memory.dmp

Filesize
4KB

Download
memory/1524-27-0x0000000000B50000-0x0000000000BAA000-memory.dmp

Filesize
360KB

Download
memory/1524-23-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1524-72-0x0000000000B50000-0x0000000000BAA000-memory.dmp

Filesize
360KB

Download
memory/1524-73-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1524-77-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/1524-78-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1524-81-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1524-85-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/1524-86-0x0000000000B50000-0x0000000000BAA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads