njrat | f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

Analysis

max time kernel
233s
max time network
244s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10-02-2025 13:37

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

lmlmdos.exe
Size

23KB
MD5

5eb67cac2f9ef8a548ba327896909cda
SHA1

b8f3612f2d00c581387b02a615ad178874b51329
SHA256

f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d
SHA512

40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f
SSDEEP

384:XweXCQIreJig/8Z7SS1fEBpng6tgL2IBPZVmRvR6JZlbw8hqIusZzZQy:oLq411eRpcnuI

Score

10^/10

njrat bootkit defense_evasion discovery persistence privilege_escalation trojan

Malware Config

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 2 IoCs

flow	pid	Process
29	1516	Process not Found
42	4496	Process not Found

Modifies Windows Firewall 2 TTPs 1 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1376	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-28130017-4025710482-1759186147-1000\Control Panel\International\Geo\Nation	MBR2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-28130017-4025710482-1759186147-1000\Control Panel\International\Geo\Nation	MatrixMBR.exe
Key value queried	\REGISTRY\USER\S-1-5-21-28130017-4025710482-1759186147-1000\Control Panel\International\Geo\Nation	lmlmdos.exe
Key value queried	\REGISTRY\USER\S-1-5-21-28130017-4025710482-1759186147-1000\Control Panel\International\Geo\Nation	server.exe
Key value queried	\REGISTRY\USER\S-1-5-21-28130017-4025710482-1759186147-1000\Control Panel\International\Geo\Nation	tmpC41.tmp.COM

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\052a8691abcf06ff30b5f4c68922a91f.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\052a8691abcf06ff30b5f4c68922a91f.exe	server.exe

Executes dropped EXE 8 IoCs

pid	Process
3976	server.exe
1588	tmpC41.tmp.COM
3208	MBR2.exe
4852	TROLL5.exe
2128	TROLL2.exe
4716	MatrixMBR.exe
2676	GDI.exe
1528	MBR.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-28130017-4025710482-1759186147-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\052a8691abcf06ff30b5f4c68922a91f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\052a8691abcf06ff30b5f4c68922a91f = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MBR.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\MatrixMBR.exe	MBR2.exe
File opened for modification	C:\Windows\System32\MatrixMBR.exe	MBR2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TROLL2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GDI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MBR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lmlmdos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3416	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3276	AUDIODG.EXE
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: 33	3976	server.exe
Token: SeIncBasePriorityPrivilege	3976	server.exe
Token: SeShutdownPrivilege	1528	MBR.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 3976	1288	lmlmdos.exe	85
PID 1288 wrote to memory of 3976	1288	lmlmdos.exe	85
PID 1288 wrote to memory of 3976	1288	lmlmdos.exe	85
PID 3976 wrote to memory of 1376	3976	server.exe	86
PID 3976 wrote to memory of 1376	3976	server.exe	86
PID 3976 wrote to memory of 1376	3976	server.exe	86
PID 3976 wrote to memory of 1588	3976	server.exe	93
PID 3976 wrote to memory of 1588	3976	server.exe	93
PID 1588 wrote to memory of 3208	1588	tmpC41.tmp.COM	94
PID 1588 wrote to memory of 3208	1588	tmpC41.tmp.COM	94
PID 1588 wrote to memory of 4852	1588	tmpC41.tmp.COM	95
PID 1588 wrote to memory of 4852	1588	tmpC41.tmp.COM	95
PID 1588 wrote to memory of 4852	1588	tmpC41.tmp.COM	95
PID 1588 wrote to memory of 2128	1588	tmpC41.tmp.COM	96
PID 1588 wrote to memory of 2128	1588	tmpC41.tmp.COM	96
PID 1588 wrote to memory of 2128	1588	tmpC41.tmp.COM	96
PID 3208 wrote to memory of 4716	3208	MBR2.exe	98
PID 3208 wrote to memory of 4716	3208	MBR2.exe	98
PID 4716 wrote to memory of 2676	4716	MatrixMBR.exe	99
PID 4716 wrote to memory of 2676	4716	MatrixMBR.exe	99
PID 4716 wrote to memory of 2676	4716	MatrixMBR.exe	99
PID 4716 wrote to memory of 1528	4716	MatrixMBR.exe	100
PID 4716 wrote to memory of 1528	4716	MatrixMBR.exe	100
PID 4716 wrote to memory of 1528	4716	MatrixMBR.exe	100

C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe
"C:\Users\Admin\AppData\Local\Temp\lmlmdos.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\server.exe
  "C:\Users\Admin\AppData\Local\Temp\server.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1376
- - C:\Users\Admin\AppData\Local\Temp\tmpC41.tmp.COM
    "C:\Users\Admin\AppData\Local\Temp\tmpC41.tmp.COM"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\MBR2.exe
      "C:\Users\Admin\AppData\Local\Temp\MBR2.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:3208
    - - C:\Windows\System32\MatrixMBR.exe
        
        "C:\Windows\System32\MatrixMBR.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Users\Admin\AppData\Local\Temp\GDI.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GDI.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2676
      - C:\Users\Admin\AppData\Local\Temp\MBR.exe
        
        "C:\Users\Admin\AppData\Local\Temp\MBR.exe"
        6⤵
        Executes dropped EXE
        Writes to the Master Boot Record (MBR)
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\TROLL5.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL5.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4852
  - - C:\Users\Admin\AppData\Local\Temp\TROLL2.exe
      "C:\Users\Admin\AppData\Local\Temp\TROLL2.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2128

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NzNGNERCQ0UtOUM3OC00Q0FDLThCM0MtNENBRTIyNDY5M0YyfSIgdXNlcmlkPSJ7OTI1QzUyRTItRTI1Ri00Qzk0LUFCRUItMTUxMTJGQjczOENBfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QjkxODBEOTUtOThDRi00QjA3LUI2QTEtNjdFMjYxRUE4ODMyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NjE1IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDc5NTE4NzcwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTA4NDAyNTMyMSIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3416

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x170 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GDI.exe

Filesize
11KB

MD5
c08ae6d9c6ecd7e13f827bf68767785f

SHA1
e71c2ec8d00c1e82b8b07baee0688b0a28604454

SHA256
e153def894c867923dd56a7025b7b0b7bd3ee37c801a5957201d39f999bb28bf

SHA512
c28bbe8abc66ad2433e5a3b93a4601b28225e86cb4bff077fd3224adfa63164bebfa3002a42b1cb4cb3c7ccad0208f8b143b8a17099bea04fcb964e667c7a1c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR.exe

Filesize
93KB

MD5
d2fc66cf781a2497fceb4041a93cc676

SHA1
480b1aa31b0b31fc0e0833afbba06533ab9a90ee

SHA256
acddde9514e3b9d5c40b3d1750af5f4187c99f8987b027d6da44fb6bcf79b3ca

SHA512
6c4cb42f786301be7614d4cb0b32601fea151351b0877e2371632435eb2c54bd4cd04d6b23bf4f49017ccaf679331162aac7329a1ed2409e3c2e02d0326e3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\MBR2.exe

Filesize
205KB

MD5
3dc0e225f886bae3b655cd9d738ed32f

SHA1
abda127fd477bd9d051cd57b16ac13f44030a9ae

SHA256
c22e2419f04fe03a92255a139ca8814697962e86d191a1d4171788fd0c903f68

SHA512
c8a6c0bfa96defde6f83d847583ff2ec065a43f80f9886259a2d1fe7df306ef6ed7aeed61b7dcf0bdc111fc67419eb66cf1ca44e831711dd4ea7d25ed9aed09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL2.exe

Filesize
105KB

MD5
52a2a5517deb1a06896891a35299ce20

SHA1
badcbdfef312bd71de997a7416ee20cee5d66af6

SHA256
dcdf5140bc51db27f3aec80ae9a66a57aad446a2522904d288770e8d8cde8cee

SHA512
7cb0de412c0508f5af522aeaf3731dda418f72f7cae8dd3f21b34d5cdbc08f9dea8699d59878610496c68d687227a0269739221490d70d03b8e4b84dfd29d5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TROLL5.exe

Filesize
712KB

MD5
542a4e400ff233b21a1a3c27751ac783

SHA1
000a67f00b0003531d65a6ed6f16488ae5dcd0fe

SHA256
79f00c7dab0891824136539fabd542c74e26cbed94b9add3f1aa7f793d653de6

SHA512
8335118ca0c268635d9495b331fb65800a32a0631f132cd34ce84ca3b523d0a9e23eee6d76539d0c81d86fda534da56c936914012d8bad35040b15cc8caaf645

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
23KB

MD5
5eb67cac2f9ef8a548ba327896909cda

SHA1
b8f3612f2d00c581387b02a615ad178874b51329

SHA256
f5c542679e18756fcaaf434a1df9ecee261c8fa6788b75dc64c458e4eef15f2d

SHA512
40665518a5451f7bd86ca1e3ad58cec178566c0f45fde647e76c2bb8d81611ca61fe1974cb97988065239005ca63fc9de0c449d45357ee90a8a99ccd30a5415f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC41.tmp.COM

Filesize
921KB

MD5
d0ae6aea701de9f127f91e7efdb50252

SHA1
cb9ef64cbcb999372fb4046e99fe89a03df9bc81

SHA256
c1aeab35f61f12db28274d82713bff400b808625854a18e49504022f92805e31

SHA512
505d11808e9923ff0ec1a51acd51509711f8c5c42da81b47a97249954b06f6f45ddda4655446daeb7f231785cd484ebc6e9ada92b857ad3a8d7ce04276536f13

Download Submit
C:\Windows\System32\MatrixMBR.exe

Filesize
250KB

MD5
24c441662c09b94e14a4096a8e59c316

SHA1
11576cad137bd8ed76efecd711c0390fe5c85292

SHA256
339fe94164952a8454e6ec5fc75e2c38baade2c14b231e47bf41989ffbb55ee4

SHA512
7f6ca1366733c5fb4925001c0846510732031a9e5f1b16291ff596187c20a88f41193389cedcb73e3928c318fc972be4f03e3cb71f1487c34642897ff9a2b590

Download Submit
memory/1288-1-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/1288-2-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/1288-17-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/1288-0-0x0000000073F02000-0x0000000073F03000-memory.dmp

Filesize
4KB

Download
memory/1588-31-0x0000000000A50000-0x0000000000B3C000-memory.dmp

Filesize
944KB

Download
memory/1588-32-0x000000001B7F0000-0x000000001B8D4000-memory.dmp

Filesize
912KB

Download
memory/2128-98-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/2676-125-0x0000000000290000-0x0000000000298000-memory.dmp

Filesize
32KB

Download
memory/3208-55-0x00000000007D0000-0x000000000080A000-memory.dmp

Filesize
232KB

Download
memory/3976-16-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/3976-22-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/3976-21-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/3976-19-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/3976-18-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/3976-15-0x0000000073F00000-0x00000000744B1000-memory.dmp

Filesize
5.7MB

Download
memory/4716-97-0x0000000000C60000-0x0000000000CA6000-memory.dmp

Filesize
280KB

Download
memory/4852-77-0x0000000000330000-0x00000000003E8000-memory.dmp

Filesize
736KB

Download
memory/4852-78-0x00000000052D0000-0x0000000005876000-memory.dmp

Filesize
5.6MB

Download
memory/4852-79-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/4852-80-0x0000000004CA0000-0x0000000004CAA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads