ctblocker | 743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

Analysis

max time kernel
150s
max time network
112s
platform
windows10_x64
resource
win10v20210410
submitted
26-07-2021 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
Size

653KB
MD5

b2e27e88dd895d90f19c8d0314662720
SHA1

cc69874f94ae42a274e4b3171e850ad2d3c02465
SHA256

743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87
SHA512

85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-yeaixtg.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. FAERUVS-JE2VALG-G5QHALQ-TPGHPLV-OLRHPYY-GXLCRU6-NAL2PRF-4L2TQGU 4UHLFUU-SSWHCBT-CPA5KK6-CJUVS33-ZPZO3T5-XF2MDLV-PRF5RCV-5L3JAZ6 CKF4E7P-SGYYYLR-IDOFRCN-TP4HFTS-TNOBQSX-ERRZXC7-HGFHB7W-ORHKDEW Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\ProgramData\kwivvrl.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

pwqidta.exepwqidta.exe

pid process

2276 pwqidta.exe
2760 pwqidta.exe

pid	process
2276	pwqidta.exe
2760	pwqidta.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PingInstall.CRW.yeaixtg	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ConvertFromClear.RAW.yeaixtg	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PublishUnpublish.RAW.yeaixtg	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\UsePing.CRW.yeaixtg	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pwqidta.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation pwqidta.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	pwqidta.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

pwqidta.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\desktop.ini	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	pwqidta.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	pwqidta.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-yeaixtg.bmp"	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

3884 vssadmin.exe

pid	process
3884	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

pwqidta.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"6.2.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	pwqidta.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pwqidta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pwqidta.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\GPU	pwqidta.exe

Modifies data under HKEY_USERS 21 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\MaxCapacity = "15150"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00320036003600640031006300610034002d0030003000300030002d0030003000300030002d0030003000300030002d003500300030003600300030003000300030003000300030007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{266d1ca4-0000-0000-0000-500600000000}\NukeOnDelete = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exepwqidta.exe

pid	process
3908	743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
3908	743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
2276	pwqidta.exe
2276	pwqidta.exe
2276	pwqidta.exe
2276	pwqidta.exe
2276	pwqidta.exe
2276	pwqidta.exe
2276	pwqidta.exe
2276	pwqidta.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE

pid	process
2996	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

pwqidta.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2276	pwqidta.exe
Token: SeDebugPrivilege	2276	pwqidta.exe
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE
Token: SeShutdownPrivilege	2996	Explorer.EXE
Token: SeCreatePagefilePrivilege	2996	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pwqidta.exe

pid process

2760 pwqidta.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pwqidta.exe

pid process

2760 pwqidta.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pwqidta.exe

pid process

2760 pwqidta.exe
2760 pwqidta.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2996 Explorer.EXE

pid	process
2760	pwqidta.exe

pid	process
2760	pwqidta.exe

pid	process
2760	pwqidta.exe
2760	pwqidta.exe

pid	process
2996	Explorer.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

pwqidta.exe

description	pid	process	target process
PID 2276 wrote to memory of 708	2276	pwqidta.exe	svchost.exe
PID 2276 wrote to memory of 2996	2276	pwqidta.exe	Explorer.EXE
PID 2276 wrote to memory of 3884	2276	pwqidta.exe	vssadmin.exe
PID 2276 wrote to memory of 3884	2276	pwqidta.exe	vssadmin.exe
PID 2276 wrote to memory of 3884	2276	pwqidta.exe	vssadmin.exe
PID 2276 wrote to memory of 2760	2276	pwqidta.exe	pwqidta.exe
PID 2276 wrote to memory of 2760	2276	pwqidta.exe	pwqidta.exe
PID 2276 wrote to memory of 2760	2276	pwqidta.exe	pwqidta.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:2996

C:\Users\Admin\AppData\Local\Temp\743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe
"C:\Users\Admin\AppData\Local\Temp\743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87.sample.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies data under HKEY_USERS
PID:708

C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
2⤵
- Interacts with shadow copies
PID:3884

C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
"C:\Users\Admin\AppData\Local\Temp\pwqidta.exe" -u
2⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2760

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft OneDrive\hmvkwmb
MD5
d69b5be30780a676f0c44f56826ac146

SHA1
95a0d7b8f1ff67d984401dd3b364619397fd7f6b

SHA256
f67c95e99576060bd9b3b38ea87f1460f0ec3fd480abf878313c07bf5bbfd46b

SHA512
e17be33c1c12dece2fb31fa84a9d0b281351a0114c40414c5beaeb23ab0f59078af80913f8579310a6a6352306101be192f0a9a0ae4bc3cef141b9ae0984ede3

Download Submit
C:\ProgramData\Microsoft OneDrive\hmvkwmb
MD5
d69b5be30780a676f0c44f56826ac146

SHA1
95a0d7b8f1ff67d984401dd3b364619397fd7f6b

SHA256
f67c95e99576060bd9b3b38ea87f1460f0ec3fd480abf878313c07bf5bbfd46b

SHA512
e17be33c1c12dece2fb31fa84a9d0b281351a0114c40414c5beaeb23ab0f59078af80913f8579310a6a6352306101be192f0a9a0ae4bc3cef141b9ae0984ede3

Download Submit
C:\ProgramData\Microsoft OneDrive\hmvkwmb
MD5
4a86a3399daa859c836cdcf94d26d1dd

SHA1
67fbb833d27af0d23ff631630ad6ca16183614b3

SHA256
56ef5d5bcddc324a33469c32139c6aa0751f5ceb4f0aa15a8a5c5645cd06e1d7

SHA512
69403c5ba43763b617a33a1610bdb772fb918f441fc9302a76400c64e53893ff306be82c9475033fd98ec27f5c812f9dd458652b8fbe4e5641a49d5196fb3807

Download Submit
C:\ProgramData\Microsoft OneDrive\hmvkwmb
MD5
cffd21c6ff96c05c7f52ae3225885cb0

SHA1
1ad82c11df31572b6efd083ae74dc5e9d0ee1ff0

SHA256
37a35c5dec93aea601867c3623593318d0227a4e7407c0b84eaf2a85469e8701

SHA512
68bc4fffcd1222c4efcda0248bf988542a8462d43b1cc9ce9a69d94443f19aa576b8823c896acddc4a913c527e9246a3385828c0ba8175704cb72dd793df86ca

Download Submit
C:\ProgramData\Microsoft OneDrive\hmvkwmb
MD5
61a432c0a78ffb436a4840196b7e341c

SHA1
4b3b62b38f2a1a9c9c180c44e3707d636174a103

SHA256
2a27ab7da24a797bb4dc967218cb50fb3efd214a2c7d5d1846bf5652d99823f1

SHA512
8b19a8a4f70dacdf85e5e37ab6631aae8764e8d8e9ac01bad604aa0405c6a646e4b028fc8c9c5c2b7c347163a5de02b73d5959a0ef1372c22acd9a0aa8bc0766

Download Submit
C:\ProgramData\kwivvrl.html
MD5
b6db18c1635b838c5f02b785965dae34

SHA1
c189fb3a0f8903a73c9cef48585d7f500b4d1f8a

SHA256
962a3ca3cf9243f35a472d247187ef5088502be95ffccf437734d21a471197d9

SHA512
54d6f57993bab1e1b8ac55ac11d34f0cb777eec8d2f25ab2739ae630946bfa42faa6f610d0da2f4e4db62cd4e28e0b1f51d21bfc3aa18684376e16fec237370e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
MD5
b2e27e88dd895d90f19c8d0314662720

SHA1
cc69874f94ae42a274e4b3171e850ad2d3c02465

SHA256
743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

SHA512
85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
MD5
b2e27e88dd895d90f19c8d0314662720

SHA1
cc69874f94ae42a274e4b3171e850ad2d3c02465

SHA256
743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

SHA512
85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\pwqidta.exe
MD5
b2e27e88dd895d90f19c8d0314662720

SHA1
cc69874f94ae42a274e4b3171e850ad2d3c02465

SHA256
743302a59617675c4f87a187156f94de2d9cae38026f30bab1b8607a25a70b87

SHA512
85c42f2d80fd16b81bad0f110e2c78eb2daa8cdedbbd6d2cc46cad03285b0103d7681d5420ece73ecb95b32c55f9f52934d0ea18bc5da46078a2d26b5d966ca2

Download Submit
memory/708-120-0x0000000037EF0000-0x0000000037F67000-memory.dmp

Filesize
476KB

Download
memory/2276-119-0x0000000000C80000-0x0000000000ECB000-memory.dmp

Filesize
2.3MB

Download
memory/2760-131-0x00000000007D0000-0x0000000000A1B000-memory.dmp

Filesize
2.3MB

Download
memory/2760-128-0x0000000000000000-mapping.dmp

Download
memory/2996-158-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-163-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-188-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-135-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2996-147-0x0000000000920000-0x0000000000930000-memory.dmp

Filesize
64KB

Download
memory/2996-149-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-151-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-152-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-150-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-148-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-146-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-154-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-153-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/2996-156-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-159-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-187-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-157-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-155-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/2996-160-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-162-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-164-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-185-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-161-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/2996-165-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-171-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-170-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/2996-173-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-172-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-174-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-176-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-175-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-178-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-177-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/2996-180-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-181-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-183-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-182-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-184-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/2996-179-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/2996-186-0x0000000000910000-0x0000000000920000-memory.dmp

Filesize
64KB

Download
memory/3884-126-0x0000000000000000-mapping.dmp

Download
memory/3908-114-0x0000000000920000-0x0000000000B3A000-memory.dmp

Filesize
2.1MB

Download
memory/3908-115-0x0000000000B40000-0x0000000000D8B000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads