ardamax | fa50081f6416668ab65e3a9b200aedb80776e8ad18d8a9eeba7b8750216126f1

Analysis

max time kernel
141s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2025 18:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
Size

1019KB
MD5

146cee63d2e8985c1dad99791b0835c1
SHA1

e5dbdc51abbdd9515e48ea263be99f81a18797ee
SHA256

fa50081f6416668ab65e3a9b200aedb80776e8ad18d8a9eeba7b8750216126f1
SHA512

e8146c89fe032f59532947fb745e25c78e3d79abda4c12c6d988a95f79ee5d581c1acee179e877c019e706d412ae4b22238208dade68947b113436fc431854e9
SSDEEP

24576:CTP2F99HPBWHc1OtA4+TVBDvz8eFvPcss3d+OUCxb9:/Qc0tKrzBpAt+cZ

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0008000000023cb6-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000\Control Panel\International\Geo\Nation	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe

Executes dropped EXE 1 IoCs

pid	Process
4972	LJKO.exe

Loads dropped DLL 4 IoCs

pid	Process
2508	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
4972	LJKO.exe
4972	LJKO.exe
4972	LJKO.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LJKO Agent = "C:\\Windows\\SysWOW64\\28463\\LJKO.exe"	LJKO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 9 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\28463\key.bin	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
File created	C:\Windows\SysWOW64\28463\LJKO.009	LJKO.exe
File opened for modification	C:\Windows\SysWOW64\28463\LJKO.009	LJKO.exe
File created	C:\Windows\SysWOW64\28463\LJKO.exe	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
File created	C:\Windows\SysWOW64\28463\AKV.exe	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
File opened for modification	C:\Windows\SysWOW64\28463	LJKO.exe
File created	C:\Windows\SysWOW64\28463\LJKO.001	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
File created	C:\Windows\SysWOW64\28463\LJKO.006	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
File created	C:\Windows\SysWOW64\28463\LJKO.007	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LJKO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\ProgID	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\UIAutomationCore.dll"	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\TypeLib\	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\Version	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\ = "UIAutomationClient"	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\0\win64\ = "C:\\Windows\\SysWow64\\UIAutomationCore.dll"	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\VersionIndependentProgID	LJKO.exe
Key created	\REGISTRY\USER\S-1-5-21-1479699283-3000499823-2337359760-1000_Classes\Local Settings	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\InProcServer32\ = "%SystemRoot%\\SysWow64\\wbem\\wbemdisp.dll"	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\ProgID\	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\Programmable\	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\FLAGS\ = "0"	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\Version\ = "1.0"	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\VersionIndependentProgID\ = "WbemScripting.SWbemRefresher"	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\0	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\0\	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\0\win32\	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\ = "Nimege.Hahepkah"	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\InProcServer32\	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\0\win64	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\FLAGS\	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\0\win32	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\0\win64\	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\TypeLib	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\InProcServer32	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\ProgID\ = "WbemScripting.SWbemRefresher.1"	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\Programmable	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}\1.0\FLAGS	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\TypeLib\ = "{B79C3029-F03C-B474-6C6C-EE6AFCD1C398}"	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\Version\	LJKO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}	LJKO.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9153D76A-1946-4E95-6584-97F348D087B3}\VersionIndependentProgID\	LJKO.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1944	POWERPNT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4972	LJKO.exe
Token: SeIncBasePriorityPrivilege	4972	LJKO.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1944	POWERPNT.EXE
4972	LJKO.exe
4972	LJKO.exe
4972	LJKO.exe
4972	LJKO.exe
4972	LJKO.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4972	2508	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe	84
PID 2508 wrote to memory of 4972	2508	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe	84
PID 2508 wrote to memory of 4972	2508	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe	84
PID 2508 wrote to memory of 1944	2508	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe	85
PID 2508 wrote to memory of 1944	2508	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe	85
PID 2508 wrote to memory of 1944	2508	JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe	85

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_146cee63d2e8985c1dad99791b0835c1.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\28463\LJKO.exe
  "C:\Windows\system32\28463\LJKO.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4972
- C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\_ALERTA_NUEVA_DROGA.pps" /ou ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@7C44.tmp

Filesize
4KB

MD5
ccf39f70a662f70e7cae4cfc81255c44

SHA1
00177d41252c2a5322be8e54567a845217072e2c

SHA256
4c9cca81f2f2d91b636c0ec747e96821749788368c48981bf04accfeb5c2e5d0

SHA512
2cc006d3bd6af737f31707b457caaa267ee1361cfd0afab0be8b74be8587d02b20909962d138e137fe79252e0d112bd3be091a98ba50863520b5bbf21bb9501d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ALERTA_NUEVA_DROGA.pps

Filesize
277KB

MD5
8cdfba9bbc04072d0ced1497ac4f4509

SHA1
f778af20afe510b79bb7b63d69e18249ef55604f

SHA256
9610bfa6d021b735b56e556e600d2ad09b58a1b5db3bc312ad6197592f5417b0

SHA512
6b1c2f5d62308d77ff2ef22db9cfa5c4da8bd6566726aac65b61a2526c9c5641115e3b42f753d7a22d2000bd5648d5abb5726824ebf04a8dd903e5081d2df75b

Download Submit
C:\Windows\SysWOW64\28463\AKV.exe

Filesize
457KB

MD5
828586f5f9fd7e6bd99401fe7cece954

SHA1
8eb70f4af2cec3c3dd3ec1491913369e99b7b874

SHA256
02b8379b1838ea70f7f17e0785aaaedb7c721d9b6e262577723bba9492748d0c

SHA512
16b64be59cf9ae403fb3b7e1fc8da98cb2a5db84aef0e352910172796ecf96dcf86a7e16afe78fa7e22b7b6948e8a1fa027da7161d5a0ad98e76175d764ed6a7

Download Submit
C:\Windows\SysWOW64\28463\LJKO.001

Filesize
428B

MD5
9b04d804133c8a88c03470c66ddcfb16

SHA1
6480cc4f4039c7ee22a5ddf9ebb1c6d958c7c219

SHA256
0c58bfc5978632232267aa0667057ff2750c036066265667e983c69b625e1fdf

SHA512
29d43b625d97613dd5508c9b7460d06a4b2c9dddd80ae9e860fea80549d58869bf4b17e7c0691b4cbde1873decb448483cfd20f6b24a4693083b7e77cfce73ce

Download Submit
C:\Windows\SysWOW64\28463\LJKO.006

Filesize
8KB

MD5
69db8c925f2dd8136d956a086ed1ee41

SHA1
9d0f653cc7ab881eb45fe93490a9c096f2dec6cf

SHA256
984da5476c2c69a779bc99d0901569347cc605a36499e2284706cda3ed6e13f3

SHA512
fa5cedd539dca3631511488aea8bcb7821db1d53452c1b61ee663cb5700bb9919b092593a7f5eb7a3c3a75f801b2980f817de4a66bf8aa51093ced4b30ffd068

Download Submit
C:\Windows\SysWOW64\28463\LJKO.007

Filesize
5KB

MD5
9e9da4c851850726c789bb4b94a41bb3

SHA1
1e2fd71f1d1a3ac15d3c820d8459635cd775cf24

SHA256
94f6502a4e94de0301ae07befd63767a4de35d9b2d2d00687a3130e883ab1963

SHA512
4c60e951056c5773d769a9c88245fc4a597949deb72a1a7546991488e85ffc4ff2a34840ad227595bcdc105cf187207721b57c457ac832ee0159dd0e1d9be063

Download Submit
C:\Windows\SysWOW64\28463\LJKO.exe

Filesize
648KB

MD5
c5ca2c96edc99cf9edf0f861d784209a

SHA1
6cb654b3eb20c85224a4849c4cc30012cabbdbaa

SHA256
0ca27dfe22971bfb19c7f3d6fe03cd398816a88fc50943ba9821fa6b91be7807

SHA512
aeb36bbbf68c7b733ddd856f8f0cdd9548ff597843a22611757c98f69a589035410fecfa692bb83c740823ddae6432d3be5cb66f4309a9d0f5fedeb7b017ff36

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
106B

MD5
639d75ab6799987dff4f0cf79fa70c76

SHA1
be2678476d07f78bb81e8813c9ee2bfff7cc7efb

SHA256
fc42ab050ffdfed8c8c7aac6d7e4a7cad4696218433f7ca327bcfdf9f318ac98

SHA512
4b511d0330d7204af948ce7b15615d745e8d4ea0a73bbece4e00fb23ba2635dd99e4fa54a76236d6f74bdbcdba57d32fd4c36b608d52628e72d11d5ed6f8cde2

Download Submit
memory/1944-35-0x00007FFDFCA10000-0x00007FFDFCA20000-memory.dmp

Filesize
64KB

Download
memory/1944-41-0x00007FFDFA0B0000-0x00007FFDFA0C0000-memory.dmp

Filesize
64KB

Download
memory/1944-40-0x00007FFDFA0B0000-0x00007FFDFA0C0000-memory.dmp

Filesize
64KB

Download
memory/1944-38-0x00007FFDFCA10000-0x00007FFDFCA20000-memory.dmp

Filesize
64KB

Download
memory/1944-39-0x00007FFDFCA10000-0x00007FFDFCA20000-memory.dmp

Filesize
64KB

Download
memory/1944-36-0x00007FFDFCA10000-0x00007FFDFCA20000-memory.dmp

Filesize
64KB

Download
memory/1944-37-0x00007FFDFCA10000-0x00007FFDFCA20000-memory.dmp

Filesize
64KB

Download
memory/4972-28-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/4972-52-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/4972-23-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4972-24-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/4972-25-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/4972-26-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/4972-27-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/4972-29-0x0000000003340000-0x0000000003343000-memory.dmp

Filesize
12KB

Download
memory/4972-51-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/4972-22-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4972-50-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/4972-31-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/4972-32-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/4972-20-0x00000000022B0000-0x000000000230A000-memory.dmp

Filesize
360KB

Download
memory/4972-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4972-65-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4972-66-0x00000000022B0000-0x000000000230A000-memory.dmp

Filesize
360KB

Download
memory/4972-67-0x0000000003390000-0x0000000003391000-memory.dmp

Filesize
4KB

Download
memory/4972-505-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4972-511-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads