ctblocker | 5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a

General

Target

5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
Size

674KB
MD5

1c0fbff0f6a18ce6d05e0026b7423b64
SHA1

f422c94cc824c175802df15408114b6284918e17
SHA256

5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a
SHA512

40574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-oslhjrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. HMFHACG-MTNJTH5-NO6MUR2-XR7XFUW-UGJJFDQ-JG3BBP7-7MBVB6V-WYWPP6N 6YWRN5U-43HO6OG-O4RJVJY-U5HHQGO-WMRWXLW-3CTVWLQ-EFEDTYD-CLXYFKI BCW56WT-QDMVU2M-TIHDHA7-GWJEYB2-SW7XTPV-LG2XYEQ-6E3MGFB-Z3AONYZ Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-oslhjrd.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. HMFHACG-MTNJTH5-NO6MUR2-XR7XFUW-UGJJFDQ-JG3BBP7-7MBVB6V-WYWPP6N 6YWRN5U-43HO6OG-O4RJVJY-U5HHQGO-WMRWXLW-3CTVWLQ-EFEDTYD-CLXYFKI BCW56WT-QDMVU2M-TIHDHA7-GWJEYB2-SW7XT5V-3R2XYEQ-6E3MGFB-Z3AOGXV Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\ummcbbc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

exusltb.exeexusltb.exe

pid process

1484 exusltb.exe
920 exusltb.exe

pid	process
1484	exusltb.exe
920	exusltb.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\SaveOptimize.CRW.oslhjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConvertResolve.CRW.oslhjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExportUnpublish.RAW.oslhjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\WatchRename.RAW.oslhjrd	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\CloseWatch.CRW.oslhjrd	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

exusltb.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation exusltb.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\International\Geo\Nation	exusltb.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

exusltb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	exusltb.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-oslhjrd.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-oslhjrd.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-oslhjrd.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1648 vssadmin.exe

pid	process
1648	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

exusltb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	exusltb.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	exusltb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	exusltb.exe

Modifies data under HKEY_USERS 19 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00650066006200360030006200650034002d0039006100300034002d0031003100650062002d0062006500300033002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{efb60be4-9a04-11eb-be03-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exeexusltb.exe

pid	process
1816	5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
1484	exusltb.exe
1484	exusltb.exe
1484	exusltb.exe
1484	exusltb.exe
1484	exusltb.exe
1484	exusltb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1220 Explorer.EXE

pid	process
1220	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

exusltb.exeExplorer.EXEAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1484	exusltb.exe
Token: SeDebugPrivilege	1484	exusltb.exe
Token: SeShutdownPrivilege	1220	Explorer.EXE
Token: 33	1052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1052	AUDIODG.EXE
Token: 33	1052	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1052	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

920 exusltb.exe
1220 Explorer.EXE
1220 Explorer.EXE
1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

exusltb.exeExplorer.EXE

pid process

920 exusltb.exe
1220 Explorer.EXE
1220 Explorer.EXE
1220 Explorer.EXE
1220 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

exusltb.exe

pid process

920 exusltb.exe
920 exusltb.exe

pid	process
920	exusltb.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
920	exusltb.exe
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE
1220	Explorer.EXE

pid	process
920	exusltb.exe
920	exusltb.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

taskeng.exeexusltb.exesvchost.exe

description	pid	process	target process
PID 1984 wrote to memory of 1484	1984	taskeng.exe	exusltb.exe
PID 1984 wrote to memory of 1484	1984	taskeng.exe	exusltb.exe
PID 1984 wrote to memory of 1484	1984	taskeng.exe	exusltb.exe
PID 1984 wrote to memory of 1484	1984	taskeng.exe	exusltb.exe
PID 1484 wrote to memory of 580	1484	exusltb.exe	svchost.exe
PID 580 wrote to memory of 336	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 336	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 336	580	svchost.exe	DllHost.exe
PID 1484 wrote to memory of 1220	1484	exusltb.exe	Explorer.EXE
PID 1484 wrote to memory of 1648	1484	exusltb.exe	vssadmin.exe
PID 1484 wrote to memory of 1648	1484	exusltb.exe	vssadmin.exe
PID 1484 wrote to memory of 1648	1484	exusltb.exe	vssadmin.exe
PID 1484 wrote to memory of 1648	1484	exusltb.exe	vssadmin.exe
PID 1484 wrote to memory of 920	1484	exusltb.exe	exusltb.exe
PID 1484 wrote to memory of 920	1484	exusltb.exe	exusltb.exe
PID 1484 wrote to memory of 920	1484	exusltb.exe	exusltb.exe
PID 1484 wrote to memory of 920	1484	exusltb.exe	exusltb.exe
PID 580 wrote to memory of 1792	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1792	580	svchost.exe	DllHost.exe
PID 580 wrote to memory of 1792	580	svchost.exe	DllHost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1220

C:\Users\Admin\AppData\Local\Temp\5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe
"C:\Users\Admin\AppData\Local\Temp\5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a.sample.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:336

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1792

C:\Windows\system32\taskeng.exe
taskeng.exe {15241813-FF69-4180-9566-9FA9FAD25B98} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
3⤵
- Interacts with shadow copies
PID:1648

C:\Users\Admin\AppData\Local\Temp\exusltb.exe
"C:\Users\Admin\AppData\Local\Temp\exusltb.exe" -u
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\grnkdai
MD5
43381abd2a92b404ea858f0aacb3de83

SHA1
cacafa8eea51fdfaab175cd1fcdc4e6321d510c0

SHA256
a291a42e6244f0ba01a558c2584519c9aa920e7de7036dbae9b2795badf55505

SHA512
3b8f7b989324e20efd32670847c17de0ac6febba5c5eca34d889ef6a3c11728793e8072f23dd6d613f5923e423a256f98c2235e5c8a21383f066232016db2f7c

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
43381abd2a92b404ea858f0aacb3de83

SHA1
cacafa8eea51fdfaab175cd1fcdc4e6321d510c0

SHA256
a291a42e6244f0ba01a558c2584519c9aa920e7de7036dbae9b2795badf55505

SHA512
3b8f7b989324e20efd32670847c17de0ac6febba5c5eca34d889ef6a3c11728793e8072f23dd6d613f5923e423a256f98c2235e5c8a21383f066232016db2f7c

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
1ea7f97a7d1ab7bd0706443e1e9674a4

SHA1
308ecc110283eb25277951f0dc5816133b6dc70c

SHA256
84489e97db02f0db529a297c47cd64f09f28f216e96c20177db7673b80b8fb7b

SHA512
56fa6274350c409473cf69a759e81a19330cb0049512e4d4a0093fc8213baf810cca059551444433037ecd7b0c97d2f2db0b9b127ac088b9f9ea5d9cdd07748c

Download Submit
C:\ProgramData\Microsoft Help\grnkdai
MD5
a34fc9199bf3c86f771d5fb4775973c4

SHA1
420a290612f61f6b80a58475b500020aecaef80f

SHA256
ed2d489a88799110ba6f049b8f2efe836ff5a74cbdf3d433fd379a70a8f68a02

SHA512
09a295d3bf93ab5496c7b0b376fc784dd6ef85cf6e5bad87b4296ba4cd3911cf99f58b14c0d4ff28e5b2acf7a737c671fccba02f9f077d9b27854a5c65d24fa1

Download Submit
C:\ProgramData\ummcbbc.html
MD5
3b2f724231acdd1c1faaa7d0da536018

SHA1
6d3e29778c292a82c72dbc1e982dc5f13bb6f519

SHA256
313ffb5737f80e19b94043019e9681c155c91285aeda94b53eb6dd448a2f0d7a

SHA512
893b9a5993adafdf282c33eca7d277f3a814ed4d8b13eefede90e37640505bef49cf28eac747a2cfe6a901749e4dc070dc74c96c6470b63511f1c8abe714014a

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
1c0fbff0f6a18ce6d05e0026b7423b64

SHA1
f422c94cc824c175802df15408114b6284918e17

SHA256
5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a

SHA512
40574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
1c0fbff0f6a18ce6d05e0026b7423b64

SHA1
f422c94cc824c175802df15408114b6284918e17

SHA256
5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a

SHA512
40574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41

Download Submit
C:\Users\Admin\AppData\Local\Temp\exusltb.exe
MD5
1c0fbff0f6a18ce6d05e0026b7423b64

SHA1
f422c94cc824c175802df15408114b6284918e17

SHA256
5213f2db9add9fed538d3730ccafde120cf3822d7a4c17ec17eba6347e417f8a

SHA512
40574e3441267cefb672a10745a450e6147846af3bc6df1c7eb7eef4510f9f8876821c93ae0d2792fbc2c9d1e6ab37cc89bbe3b8c35d77fc28ab0c1aefbccf41

Download Submit
memory/336-72-0x0000000000000000-mapping.dmp

Download
memory/580-69-0x0000000000E00000-0x0000000000E77000-memory.dmp

Filesize
476KB

Download
memory/580-73-0x000007FEFB881000-0x000007FEFB883000-memory.dmp

Filesize
8KB

Download
memory/920-78-0x0000000000000000-mapping.dmp

Download
memory/920-82-0x0000000000640000-0x000000000088B000-memory.dmp

Filesize
2.3MB

Download
memory/920-83-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1484-68-0x00000000006F0000-0x000000000093B000-memory.dmp

Filesize
2.3MB

Download
memory/1484-64-0x0000000000000000-mapping.dmp

Download
memory/1648-77-0x0000000000000000-mapping.dmp

Download
memory/1792-85-0x0000000000000000-mapping.dmp

Download
memory/1816-60-0x00000000008C0000-0x0000000000ADA000-memory.dmp

Filesize
2.1MB

Download
memory/1816-62-0x0000000000AE0000-0x0000000000D2B000-memory.dmp

Filesize
2.3MB

Download
memory/1816-61-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads