ctblocker | 88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e

General

Target

88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
Size

654KB
MD5

2452df8493c85994e7fe0f42e664999e
SHA1

0ed37c982134aa703837f38bea0549e70c29bccb
SHA256

88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e
SHA512

132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tixksrn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. WZIEFFP-UZSWJ46-MXEJKAE-V7KDE6A-QEYRAVG-ZEYDM57-LBJCJQY-6M4CLIU CPG6TD6-JDMQ4VD-A72HULJ-H6HAEXE-KVDKOGE-OB63HCX-T4G5CYZ-GM6VPOC 7KSAZSZ-JWVSBC3-GQ2DN4R-PVKUL2Y-LA7OKWF-WZEXW6A-4CIB4BY-QUAZBMY Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-tixksrn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. WZIEFFP-UZSWJ46-MXEJKAE-V7KDE6A-QEYRAVG-ZEYDM57-LBJCJQY-6M4CLIU CPG6TD6-JDMQ4VD-A72HULJ-H6HAEXE-KVDKOGE-OB63HCX-T4G5CYZ-GM6VPOC 7KSAZSZ-JWVSBC3-GQ2DN4R-PVKUL2Y-LA7OREF-YCEXW6A-4CIB4BY-QUAZ6QV Follow the instructions on the server.

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion/

Extracted

Path

C:\ProgramData\sctpnha.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://jssestaew3e7ao3q.onion.cab or http://jssestaew3e7ao3q.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://jssestaew3e7ao3q.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://jssestaew3e7ao3q.onion.cab

http://jssestaew3e7ao3q.tor2web.org

http://jssestaew3e7ao3q.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

sdfkjhe.exesdfkjhe.exe

pid process

1664 sdfkjhe.exe
1536 sdfkjhe.exe

pid	process
1664	sdfkjhe.exe
1536	sdfkjhe.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\BlockRevoke.CRW.tixksrn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\GetSkip.RAW.tixksrn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\BackupClose.CRW.tixksrn	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

sdfkjhe.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	sdfkjhe.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

Processes:

sdfkjhe.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	sdfkjhe.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-tixksrn.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tixksrn.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-tixksrn.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

756 vssadmin.exe

pid	process
756	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

sdfkjhe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	sdfkjhe.exe
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	sdfkjhe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	sdfkjhe.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640065003900650062006100650034002d0039003800390064002d0031003100650062002d0062003400650036002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{de9ebae4-989d-11eb-b4e6-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{de9ebae4-989d-11eb-b4e6-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{de9ebae4-989d-11eb-b4e6-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exesdfkjhe.exe

pid	process
1972	88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe
1664	sdfkjhe.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE

pid	process
1352	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

sdfkjhe.exeExplorer.EXEAUDIODG.EXE

description	pid	process
Token: SeDebugPrivilege	1664	sdfkjhe.exe
Token: SeDebugPrivilege	1664	sdfkjhe.exe
Token: SeShutdownPrivilege	1352	Explorer.EXE
Token: 33	1228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1228	AUDIODG.EXE
Token: 33	1228	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1228	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

sdfkjhe.exe

pid process

1536 sdfkjhe.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

sdfkjhe.exe

pid process

1536 sdfkjhe.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

sdfkjhe.exe

pid process

1536 sdfkjhe.exe
1536 sdfkjhe.exe

pid	process
1536	sdfkjhe.exe

pid	process
1536	sdfkjhe.exe

pid	process
1536	sdfkjhe.exe
1536	sdfkjhe.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

taskeng.exesdfkjhe.exesvchost.exe

description	pid	process	target process
PID 832 wrote to memory of 1664	832	taskeng.exe	sdfkjhe.exe
PID 832 wrote to memory of 1664	832	taskeng.exe	sdfkjhe.exe
PID 832 wrote to memory of 1664	832	taskeng.exe	sdfkjhe.exe
PID 832 wrote to memory of 1664	832	taskeng.exe	sdfkjhe.exe
PID 1664 wrote to memory of 584	1664	sdfkjhe.exe	svchost.exe
PID 584 wrote to memory of 928	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 928	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 928	584	svchost.exe	DllHost.exe
PID 1664 wrote to memory of 1352	1664	sdfkjhe.exe	Explorer.EXE
PID 1664 wrote to memory of 756	1664	sdfkjhe.exe	vssadmin.exe
PID 1664 wrote to memory of 756	1664	sdfkjhe.exe	vssadmin.exe
PID 1664 wrote to memory of 756	1664	sdfkjhe.exe	vssadmin.exe
PID 1664 wrote to memory of 756	1664	sdfkjhe.exe	vssadmin.exe
PID 1664 wrote to memory of 1536	1664	sdfkjhe.exe	sdfkjhe.exe
PID 1664 wrote to memory of 1536	1664	sdfkjhe.exe	sdfkjhe.exe
PID 1664 wrote to memory of 1536	1664	sdfkjhe.exe	sdfkjhe.exe
PID 1664 wrote to memory of 1536	1664	sdfkjhe.exe	sdfkjhe.exe
PID 584 wrote to memory of 1240	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 1240	584	svchost.exe	DllHost.exe
PID 584 wrote to memory of 1240	584	svchost.exe	DllHost.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:928

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:1240

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Users\Admin\AppData\Local\Temp\88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe
"C:\Users\Admin\AppData\Local\Temp\88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e.sample.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1972

C:\Windows\system32\taskeng.exe
taskeng.exe {AE5E5EE5-E5B7-40A9-8F55-1D91AE8E4012} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:832

C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
3⤵
- Interacts with shadow copies
PID:756

C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
"C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe" -u
3⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x220
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1228

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Defacement

1

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\retmfqf
MD5
131163676e8a6bcef5b3b3498c7571a8

SHA1
d7496acbfdb7dc0aab9dea2010474d47a32c4e53

SHA256
cdbcf04e52ed123c0a06208e6e475673697604e432690d68cb259c99f633c449

SHA512
38b7f97e387b45cf28cd238fad29f91d22fe6097e932ff7bd367a81015e26bed863b840ad1771213de6a63459d2caefa21165eec7c1b548907d53c65d44d1314

Download Submit
C:\ProgramData\Microsoft Help\retmfqf
MD5
131163676e8a6bcef5b3b3498c7571a8

SHA1
d7496acbfdb7dc0aab9dea2010474d47a32c4e53

SHA256
cdbcf04e52ed123c0a06208e6e475673697604e432690d68cb259c99f633c449

SHA512
38b7f97e387b45cf28cd238fad29f91d22fe6097e932ff7bd367a81015e26bed863b840ad1771213de6a63459d2caefa21165eec7c1b548907d53c65d44d1314

Download Submit
C:\ProgramData\Microsoft Help\retmfqf
MD5
8291f1544199cfa53fb2d9c0dc6e81a8

SHA1
2cf09f4488841419c97fdcb3cb6a567715fff2af

SHA256
c5cb2792960bef3c280afb22f489c0d7d5b0785f6c8329dc8e1dbae9cc701b26

SHA512
939191ebb60bdad7a75663a9a37c86e385cf609b898b29d59549323917ff95f307871033869defb917d2663ef97219674192e008ce987eb983fc49957c884482

Download Submit
C:\ProgramData\Microsoft Help\retmfqf
MD5
8291f1544199cfa53fb2d9c0dc6e81a8

SHA1
2cf09f4488841419c97fdcb3cb6a567715fff2af

SHA256
c5cb2792960bef3c280afb22f489c0d7d5b0785f6c8329dc8e1dbae9cc701b26

SHA512
939191ebb60bdad7a75663a9a37c86e385cf609b898b29d59549323917ff95f307871033869defb917d2663ef97219674192e008ce987eb983fc49957c884482

Download Submit
C:\ProgramData\sctpnha.html
MD5
35a84d47704ec85c8ca6374692b57c5a

SHA1
259f5d122055ef77ddbe072118c23af8e163d747

SHA256
14cfb801c0038568373722117706be032360bc9b9fd1c91bbca144f31af522be

SHA512
3e212ea34e45e96cd9242c18b7a86b140b128e2e0bc32bcc041f514ef97320ebff16fadcd58fe29da56724937abd2e439b54d206f3b245312655477269dee846

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
MD5
2452df8493c85994e7fe0f42e664999e

SHA1
0ed37c982134aa703837f38bea0549e70c29bccb

SHA256
88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e

SHA512
132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
MD5
2452df8493c85994e7fe0f42e664999e

SHA1
0ed37c982134aa703837f38bea0549e70c29bccb

SHA256
88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e

SHA512
132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\sdfkjhe.exe
MD5
2452df8493c85994e7fe0f42e664999e

SHA1
0ed37c982134aa703837f38bea0549e70c29bccb

SHA256
88ae30e10e2db871b9f5f986837c184a386ed58805fb066effed90f4619ec46e

SHA512
132ff8871e8fac09512760766c8c4dd25ee9bfd695885354e64f02dd6d3615f621f34c3e410b5ac981181ca7635608367b72e60d5422f96d1d907ed926cb80bb

Download Submit
memory/584-69-0x00000000003D0000-0x0000000000447000-memory.dmp

Filesize
476KB

Download
memory/584-73-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp

Filesize
8KB

Download
memory/756-77-0x0000000000000000-mapping.dmp

Download
memory/928-72-0x0000000000000000-mapping.dmp

Download
memory/1240-85-0x0000000000000000-mapping.dmp

Download
memory/1536-78-0x0000000000000000-mapping.dmp

Download
memory/1536-82-0x00000000006A0000-0x00000000008EB000-memory.dmp

Filesize
2.3MB

Download
memory/1536-83-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1664-68-0x0000000000AC0000-0x0000000000D0B000-memory.dmp

Filesize
2.3MB

Download
memory/1664-64-0x0000000000000000-mapping.dmp

Download
memory/1972-60-0x00000000005E0000-0x00000000007FA000-memory.dmp

Filesize
2.1MB

Download
memory/1972-62-0x0000000000800000-0x0000000000A4B000-memory.dmp

Filesize
2.3MB

Download
memory/1972-61-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads