ctblocker | 128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a

General

Target

128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
Size

1.1MB
MD5

446e594e266f5e52064fd69a333867f6
SHA1

5c94d21af50f54472cee2cbdb09ec5c7d3361916
SHA256

128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a
SHA512

8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yayejrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://6ubux6ppafr24izl.onion.cab or http://6ubux6ppafr24izl.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://6ubux6ppafr24izl.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YWLFAPM-BMPNZIY-37CU6MZ-I2W2CTN-SLCGSDV-T36CYUN-GT43FM5-AKYW6UG BHWNAFP-RUAMMCY-A3NCL26-HOSXJ3G-Z5UIGOY-RYK3YOU-7TWO5HK-W2AC25V 26XSCI5-ZQ2WZFG-XE3RKIN-OGUMYOU-O246AYE-ZAD3P2H-E7WOKUL-EJAE5NS Follow the instructions on the server.

URLs

http://6ubux6ppafr24izl.onion.cab

http://6ubux6ppafr24izl.tor2web.org

http://6ubux6ppafr24izl.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-yayejrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://6ubux6ppafr24izl.onion.cab or http://6ubux6ppafr24izl.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://6ubux6ppafr24izl.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. YWLFAPM-BMPNZIY-37CU6MZ-I2W2CTN-SLCGSDV-T36CYUN-GT43FM5-AKYW6UG BHWNAFP-RUAMMCY-A3NCL26-HOSXJ3G-Z5UIGOY-RYK3YOU-7TWO5HK-W2AC25V 26XSCI5-ZQ2WZFG-XE3RKIN-OGUMYOU-O246SKE-5ZD3P2H-E7WOKUL-EJAURHH Follow the instructions on the server.

URLs

http://6ubux6ppafr24izl.onion.cab

http://6ubux6ppafr24izl.tor2web.org

http://6ubux6ppafr24izl.onion/

Extracted

Path

C:\ProgramData\ummcbbc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://6ubux6ppafr24izl.onion.cab or http://6ubux6ppafr24izl.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://6ubux6ppafr24izl.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://6ubux6ppafr24izl.onion.cab

http://6ubux6ppafr24izl.tor2web.org

http://6ubux6ppafr24izl.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

exusltb.exeexusltb.exe

pid process

1812 exusltb.exe
1544 exusltb.exe
Modifies extensions of user files 1 IoCs
Ransomware generally changes the extension on encrypted files.
ransomware

Processes:

svchost.exe

description ioc process

File renamed C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GroupInstall.RAW.yayejrd svchost.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

exusltb.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation exusltb.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

pid	process
1812	exusltb.exe
1544	exusltb.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GroupInstall.RAW.yayejrd	svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	exusltb.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

exusltb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	exusltb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-yayejrd.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yayejrd.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-yayejrd.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

520 vssadmin.exe

pid	process
520	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

exusltb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	exusltb.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	exusltb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	exusltb.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exeexusltb.exe

pid	process
788	128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
1812	exusltb.exe
1812	exusltb.exe
1812	exusltb.exe
1812	exusltb.exe
1812	exusltb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

exusltb.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1812 exusltb.exe
Token: SeDebugPrivilege 1812 exusltb.exe
Token: SeShutdownPrivilege 1256 Explorer.EXE
Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1544 exusltb.exe
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

1544 exusltb.exe
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

exusltb.exe

pid process

1544 exusltb.exe
1544 exusltb.exe

pid	process
1256	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1812	exusltb.exe
Token: SeDebugPrivilege	1812	exusltb.exe
Token: SeShutdownPrivilege	1256	Explorer.EXE

pid	process
1544	exusltb.exe
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1544	exusltb.exe
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1544	exusltb.exe
1544	exusltb.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

taskeng.exeexusltb.exesvchost.exe

description	pid	process	target process
PID 1732 wrote to memory of 1812	1732	taskeng.exe	exusltb.exe
PID 1732 wrote to memory of 1812	1732	taskeng.exe	exusltb.exe
PID 1732 wrote to memory of 1812	1732	taskeng.exe	exusltb.exe
PID 1732 wrote to memory of 1812	1732	taskeng.exe	exusltb.exe
PID 1812 wrote to memory of 576	1812	exusltb.exe	svchost.exe
PID 576 wrote to memory of 1488	576	svchost.exe	DllHost.exe
PID 576 wrote to memory of 1488	576	svchost.exe	DllHost.exe
PID 576 wrote to memory of 1488	576	svchost.exe	DllHost.exe
PID 1812 wrote to memory of 1256	1812	exusltb.exe	Explorer.EXE
PID 1812 wrote to memory of 520	1812	exusltb.exe	vssadmin.exe
PID 1812 wrote to memory of 520	1812	exusltb.exe	vssadmin.exe
PID 1812 wrote to memory of 520	1812	exusltb.exe	vssadmin.exe
PID 1812 wrote to memory of 520	1812	exusltb.exe	vssadmin.exe
PID 1812 wrote to memory of 1544	1812	exusltb.exe	exusltb.exe
PID 1812 wrote to memory of 1544	1812	exusltb.exe	exusltb.exe
PID 1812 wrote to memory of 1544	1812	exusltb.exe	exusltb.exe
PID 1812 wrote to memory of 1544	1812	exusltb.exe	exusltb.exe
PID 576 wrote to memory of 108	576	svchost.exe	DllHost.exe
PID 576 wrote to memory of 108	576	svchost.exe	DllHost.exe
PID 576 wrote to memory of 108	576	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1256

C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe
"C:\Users\Admin\AppData\Local\Temp\128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a.sample.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1488

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:108

C:\Windows\system32\taskeng.exe
taskeng.exe {32E33CD3-2430-4E2D-8493-D17E78276520} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
3⤵
- Interacts with shadow copies
PID:520

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1544

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\grnkdai
MD5
47a671d2635585ff3ffecd257b2c37e1

SHA1
9cbc5197a3bbaa87b62314733074c8dd5e2105a7

SHA256
5f32de0fba7798cc5920090d62d71c5cfb8d4b574a799327025a07e52b6ce546

SHA512
92f98d3a06948826f3c42607f8cf86af7a5173875bb15e8a7a543f1d53e7745fdff441013f13dfbb3a7ef16363049f9cc60fcb1cd3551a8bd3c0b6091a6438a8

Download Submit
C:\ProgramData\Microsoft\grnkdai
MD5
47a671d2635585ff3ffecd257b2c37e1

SHA1
9cbc5197a3bbaa87b62314733074c8dd5e2105a7

SHA256
5f32de0fba7798cc5920090d62d71c5cfb8d4b574a799327025a07e52b6ce546

SHA512
92f98d3a06948826f3c42607f8cf86af7a5173875bb15e8a7a543f1d53e7745fdff441013f13dfbb3a7ef16363049f9cc60fcb1cd3551a8bd3c0b6091a6438a8

Download Submit
C:\ProgramData\Microsoft\grnkdai
MD5
e3baef087d8ff478a6fc1653a5ab4837

SHA1
0a090f0a812e2367399fb467f1e8178b2b961cfd

SHA256
a33fff7be2ef5925952f75c28cda6929004e546f78a546350ecd2be42a215f7d

SHA512
b793447a2d691d20e65dd8b9fe031bb59d6b67b948f6b1ba2bb91149a3b9a41f3f38b3d4648aced072a1263659ff9bda5a472ebd83cc80450d769a1810f16161

Download Submit
C:\ProgramData\Microsoft\grnkdai
MD5
e3baef087d8ff478a6fc1653a5ab4837

SHA1
0a090f0a812e2367399fb467f1e8178b2b961cfd

SHA256
a33fff7be2ef5925952f75c28cda6929004e546f78a546350ecd2be42a215f7d

SHA512
b793447a2d691d20e65dd8b9fe031bb59d6b67b948f6b1ba2bb91149a3b9a41f3f38b3d4648aced072a1263659ff9bda5a472ebd83cc80450d769a1810f16161

Download Submit
C:\ProgramData\ummcbbc.html
MD5
0c3baa2e2e1c29577212e17d4e69887c

SHA1
e0bc211efd9ce6ae817c2459071d85e17a085655

SHA256
4df63339103c66fda5be18588e6e2d9788a419cbf986f74a4132b6b4943b0925

SHA512
82ed7ff7979edcfd2248a380b2329cc6618ca248be2ff2b72dd6f91706db37888adcb6aed8e24f4b1cf33cd3087dec4f3153a8be111f5d574fd0351ea2a50a85

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
446e594e266f5e52064fd69a333867f6

SHA1
5c94d21af50f54472cee2cbdb09ec5c7d3361916

SHA256
128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a

SHA512
8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
446e594e266f5e52064fd69a333867f6

SHA1
5c94d21af50f54472cee2cbdb09ec5c7d3361916

SHA256
128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a

SHA512
8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
446e594e266f5e52064fd69a333867f6

SHA1
5c94d21af50f54472cee2cbdb09ec5c7d3361916

SHA256
128a0f0cd5d10f864d5a0741ba25996b2bf74f580ac7918dec6516215801e39a

SHA512
8f389d7f2b7fbf508a23b29ee4d282fbeedaf94cb3de182df8886680bdc752c35fdd0e94b0034ea3dbc440b1a5e87387bea3994241e3e4eb77af091000a57f05

Download Submit
memory/108-86-0x0000000000000000-mapping.dmp

Download
memory/520-78-0x0000000000000000-mapping.dmp

Download
memory/576-74-0x000007FEFB9A1000-0x000007FEFB9A3000-memory.dmp

Filesize
8KB

Download
memory/576-70-0x0000000000540000-0x00000000005B7000-memory.dmp

Filesize
476KB

Download
memory/788-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/788-63-0x0000000002390000-0x00000000025DB000-memory.dmp

Filesize
2.3MB

Download
memory/788-62-0x0000000000400000-0x000000000058C000-memory.dmp

Filesize
1.5MB

Download
memory/788-60-0x0000000002170000-0x000000000238A000-memory.dmp

Filesize
2.1MB

Download
memory/788-59-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/1488-73-0x0000000000000000-mapping.dmp

Download
memory/1544-79-0x0000000000000000-mapping.dmp

Download
memory/1544-83-0x0000000002320000-0x000000000256B000-memory.dmp

Filesize
2.3MB

Download
memory/1544-84-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1812-69-0x0000000000EC0000-0x000000000110B000-memory.dmp

Filesize
2.3MB

Download
memory/1812-65-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads