ardamax | e09e9d0b0930dcfc7c3f4f03ab779d7991ef932907d296ddf9787ddd055f815f

Analysis

max time kernel
148s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe
Size

568KB
MD5

7bedc7ec247b28d896c99e8b561fa19a
SHA1

313c53259b494096a9cadc1281f59931d0d6acf3
SHA256

e09e9d0b0930dcfc7c3f4f03ab779d7991ef932907d296ddf9787ddd055f815f
SHA512

9f72de04f7603bbdf8e851f54f583bcd6525bd28c8cc0e796cf48cc33416d88e47b4a84416ffeb69f9fed8f32e4a76a1e828f7402b34d947ed0a09022410e2b9
SSDEEP

12288:REjybmXO57JLMAagZumjZjTNBpJqjKVj8im/AnWgg8IR3N6nMzjPbnKDSTFiRl:JEcFMAasFjIKVjxm/AWgfIa6yDOF8l

Score

10^/10

ardamax discovery keylogger persistence stealer

Malware Config

Signatures

Ardamax
A keylogger first seen in 2013.
keylogger stealer ardamax
Ardamax family
ardamax

Ardamax main executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000600000001e107-12.dat	family_ardamax

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-869607583-2483572573-2297019986-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe

Executes dropped EXE 1 IoCs

pid	Process
2752	SJIM.exe

Loads dropped DLL 4 IoCs

pid	Process
4916	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe
2752	SJIM.exe
2752	SJIM.exe
2752	SJIM.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SJIM Agent = "C:\\Windows\\SysWOW64\\28463\\SJIM.exe"	SJIM.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\28463\SJIM.009	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_34_42.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_35_03.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_35_17.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_35_38.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_36_14.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_36_35.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\SJIM.007	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_34_49.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_34_56.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_35_24.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_36_00.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_36_07.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_36_28.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\SJIM.006	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe
File created	C:\Windows\SysWOW64\28463\SJIM.009.tmp	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_35_10.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_35_53.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\SJIM.001	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe
File created	C:\Windows\SysWOW64\28463\SJIM.exe	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe
File opened for modification	C:\Windows\SysWOW64\28463	SJIM.exe
File created	C:\Windows\SysWOW64\28463\SJIM.009	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_35_31.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_35_46.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_36_21.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\Mar_16_2025__22_36_42.jpg	SJIM.exe
File created	C:\Windows\SysWOW64\28463\key.bin	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SJIM.exe

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\VersionIndependentProgID\ = "SAPI.SpPhoneConverter"	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\HELPDIR	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\ProgID	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\FLAGS\	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\ProgID\ = "SAPI.SpPhoneConverter.1"	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\0\win32\	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\HELPDIR\	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\HELPDIR\ = "%CommonProgramFiles%\\System\\ado\\"	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\TypeLib\	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\Version\	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\VersionIndependentProgID	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\VersionIndependentProgID\	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\InprocServer32\	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\TypeLib	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\Version	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\0	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\0\win32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msjro.dll"	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\Version\ = "5.4"	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech_OneCore\\Common\\sapi_onecore.dll"	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\ = "Microsoft Jet and Replication Objects 2.6 Library"	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\ = "Vewegov.Atedakbow.Bafoda"	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\InprocServer32	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\ProgID\	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{58264AB4-8929-431D-5992-260FD5F377B8}\TypeLib\ = "{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}"	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\0\	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\0\win32	SJIM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\FLAGS	SJIM.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7C00DF41-4475-8F82-8B28-CAC5B15FF9A5}\2.6\FLAGS\ = "0"	SJIM.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2752	SJIM.exe
Token: SeIncBasePriorityPrivilege	2752	SJIM.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2752	SJIM.exe
2752	SJIM.exe
2752	SJIM.exe
2752	SJIM.exe
2752	SJIM.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2752	4916	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe	90
PID 4916 wrote to memory of 2752	4916	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe	90
PID 4916 wrote to memory of 2752	4916	JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7bedc7ec247b28d896c99e8b561fa19a.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\SysWOW64\28463\SJIM.exe
  "C:\Windows\system32\28463\SJIM.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\@8184.tmp

Filesize
4KB

MD5
4b8ed89120fe8ddc31ddba07bc15372b

SHA1
181e7ac3d444656f50c1cd02a6832708253428e6

SHA256
2ae6b0e14465338be0bc5ad10703f5c823d092ebb8cff7e5a05b7d79c8459b93

SHA512
49269b71270b3eda0ddcb399021de9c88f6fd2086cf54fa4898a91e64afe109d44b635d47a5ea9bae7f53a5e968af97fa13bdf699ba00ce879ecadd7bbc8af23

Download Submit
C:\Windows\SysWOW64\28463\Mar_16_2025__22_34_42.jpg

Filesize
120KB

MD5
fa657595dbf1ca6ed10930a3403c7786

SHA1
abd7dab537ef10d36e9d1a50f06bfeccc8407ea2

SHA256
1a868cc7ccbcee5470441b2771d083983b669f5afeb6e84f378002b92b04598b

SHA512
deb988132fe9b3274c98507f8766b74b150d23fb38f53f3420c69b1cff09deffc8d3d4b0d4053163a4951396fefe066a469dbe0b26c57ae160a7fe90444e9fac

Download Submit
C:\Windows\SysWOW64\28463\SJIM.001

Filesize
342B

MD5
3184e04a591f5ad89ec6b06a565cd1d9

SHA1
7e45e2d04cb6b2813603ab9902c553516b0a9006

SHA256
80ab49d47e557ae4978441f8b457bcda3d71bb30278a495f3a51fa0f96f38be3

SHA512
479aabd6ccf89328790ef3bf25c81f063a619fbf20e5c5319a1c056ee95fdc5f638df69665674945d0e4cd61a603831eb48065d317cbe9196cde70e43eca56d3

Download Submit
C:\Windows\SysWOW64\28463\SJIM.006

Filesize
8KB

MD5
395bbef326fa5ad1216b23f5debf167b

SHA1
aa4a7334b5a693b3f0d6f47b568e0d13a593d782

SHA256
7c1c4ba8978d3ec53bc6da4d8f9e5e1ca52edf5ccf5ec19ef06b02055ff3b3d1

SHA512
dc3f3d7501feb10623807e89f28a0e38bdbbd4a7e2ad964c8ab33c392bde61896fe40bb7773f6309cd59ad9a686decbd81c15b588ac8d311fd2a273ac9410679

Download Submit
C:\Windows\SysWOW64\28463\SJIM.007

Filesize
5KB

MD5
1b5e72f0ebd49cf146f9ae68d792ffe5

SHA1
1e90a69c12b9a849fbbac0670296b07331c1cf87

SHA256
8f4485675fe35b14276f5c8af8a6b42f03cf1b5de638355e4c4b28397385e87e

SHA512
6364f5581de5aaec09b5d1c4e5745193f981ff93cf91e20c6c9ff56566b5d182ccbdacf9aeed1d7a01460eb21619e14ac4ab31b083a951b45b3b7f9d93a62ffc

Download Submit
C:\Windows\SysWOW64\28463\SJIM.009

Filesize
1.3MB

MD5
d7eeed69066f81b4f5cdf9cd52aaafb7

SHA1
57be7916b6e76ab5a3fa427b9c366707a1ef0637

SHA256
7b1e23d20d467a1a82603976b2c24f7664223cbb5d49dc703835bfaf5af89d7d

SHA512
7a45a8a287e48a4a079e5e6cc93df7799471f3858c608013e8846f82456595f19abd2c6b7ca4662558c595becc6b047c6f9ea1ba680c664b3851860793c688d6

Download Submit
C:\Windows\SysWOW64\28463\SJIM.exe

Filesize
649KB

MD5
2bff0c75a04401dada0adfab933e46a7

SHA1
364d97f90b137f8e359d998164fb15d474be7bbb

SHA256
2aa53bc5da3294817f95d8806effdf28e5af49661a955256c46db2b67cb6e6da

SHA512
88b82973d3c042bceb75e12297111fa7b8bd4e2a7a37d26b698c595d8d75ec670cc7aebfa2572206c1b2a4ecbbfa3103affb8bee6d7ef47428a225e2cd1bea3f

Download Submit
C:\Windows\SysWOW64\28463\key.bin

Filesize
107B

MD5
c731b2bab9ad164954ed8e71d9290f26

SHA1
8dc060dbffeb094fd343ba46ba5af8bf19d962ea

SHA256
76ae0208b1d00a5c782fe49bb8b2aea2e3577b8526720e6a241b8832dbf47dca

SHA512
03e1cf2a851720ad6e59429fb9a5b5d941f3571b935136dae5c8943038a4cb243d28da9b61a6c6255e859d9ef66cd9e5688e3276aa57c64046ba95168a751f73

Download Submit
memory/2752-25-0x00000000023D0000-0x00000000023D1000-memory.dmp

Filesize
4KB

Download
memory/2752-34-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2752-27-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-26-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2752-29-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-24-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/2752-23-0x00000000023F0000-0x00000000023F1000-memory.dmp

Filesize
4KB

Download
memory/2752-22-0x0000000002400000-0x0000000002401000-memory.dmp

Filesize
4KB

Download
memory/2752-21-0x00000000023A0000-0x00000000023A1000-memory.dmp

Filesize
4KB

Download
memory/2752-46-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2752-45-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-30-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-43-0x0000000003250000-0x0000000003252000-memory.dmp

Filesize
8KB

Download
memory/2752-42-0x0000000003250000-0x0000000003252000-memory.dmp

Filesize
8KB

Download
memory/2752-41-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-40-0x0000000003200000-0x0000000003203000-memory.dmp

Filesize
12KB

Download
memory/2752-39-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2752-38-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2752-37-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2752-36-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2752-35-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2752-28-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-47-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-51-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2752-50-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2752-49-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/2752-48-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2752-31-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-32-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-33-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2752-58-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-59-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/2752-60-0x0000000003200000-0x0000000003201000-memory.dmp

Filesize
4KB

Download
memory/2752-61-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2752-62-0x0000000003250000-0x0000000003252000-memory.dmp

Filesize
8KB

Download
memory/2752-65-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-20-0x00000000021B0000-0x000000000220A000-memory.dmp

Filesize
360KB

Download
memory/2752-78-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-87-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-19-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-107-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-123-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2752-150-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads