ctblocker | 21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd

General

Target

21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd.exe
Size

1019KB
MD5

1ea130f39d90ae08b289a13406410ec3
SHA1

f87fcf3b7becd3ada883a42f79e05943abb21c09
SHA256

21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd
SHA512

3acadb8b2f9062f4c77c6056995f587b6828305ea9583917bd93105fa4233157fc9049271520ade6b69f93707d4bddc1c0aabfd8b15f04dd90a95c266074d017
SSDEEP

24576:fslszepLtFECEBMM4Zf40Pzm+XRtdaBVQIOaZf8P2r:fFepRFEXu4Gyc+J8P2r

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-vmuizxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. DPSWFLH-RIPMF3C-JBUSVVR-QL7IKNG-KNCRLAT-HDZYSGM-FFFPRL4-LW6WN22 4HMTI3B-XLLKW6C-PW3ZDZX-Y5G6ZQ2-SA6C3JB-FRZQTGH-VLKQ4JS-F3C4QCB BF3MZNE-4YOJ2V5-AXZYHPJ-VSUS7ML-3QYNM4B-RQHXTVM-YNZ6TFD-EJ7LCG4 Follow the instructions on the server.

URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-vmuizxi.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. DPSWFLH-RIPMF3C-JBUSVVR-QL7IKNG-KNCRLAT-HDZYSGM-FFFPRL4-LW6WN22 4HMTI3B-XLLKW6C-PW3ZDZX-Y5G6ZQ2-SA6C3JB-FRZQTGH-VLKQ4JS-F3C4QCB BF3MZNE-4YOJ2V5-AXZYHPJ-VSUS7ML-3QYNOPB-TJHXTVM-YNZ6TFD-EJ73J57 Follow the instructions on the server.

URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion/

Extracted

Path

C:\ProgramData\zlwdkgg.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Executes dropped EXE 2 IoCs

pid	Process
1248	pdfisga.exe
2024	pdfisga.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PushUnregister.RAW.vmuizxi	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MountGrant.RAW.vmuizxi	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\International\Geo\Nation	pdfisga.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	pdfisga.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-vmuizxi.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-vmuizxi.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-vmuizxi.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1900	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	pdfisga.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	pdfisga.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	pdfisga.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{dae07ae4-2a34-11ed-86c6-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00640061006500300037006100650034002d0032006100330034002d0031003100650064002d0038003600630036002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1376	21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe
1248	pdfisga.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1240	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1248	pdfisga.exe
Token: SeDebugPrivilege	1248	pdfisga.exe
Token: SeShutdownPrivilege	1240	Explorer.EXE
Token: SeShutdownPrivilege	1240	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2024	pdfisga.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2024	pdfisga.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2024	pdfisga.exe
2024	pdfisga.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1240	Explorer.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 1248	1168	taskeng.exe	27
PID 1168 wrote to memory of 1248	1168	taskeng.exe	27
PID 1168 wrote to memory of 1248	1168	taskeng.exe	27
PID 1168 wrote to memory of 1248	1168	taskeng.exe	27
PID 1248 wrote to memory of 588	1248	pdfisga.exe	20
PID 588 wrote to memory of 832	588	svchost.exe	28
PID 588 wrote to memory of 832	588	svchost.exe	28
PID 588 wrote to memory of 832	588	svchost.exe	28
PID 1248 wrote to memory of 1240	1248	pdfisga.exe	6
PID 1248 wrote to memory of 1900	1248	pdfisga.exe	29
PID 1248 wrote to memory of 1900	1248	pdfisga.exe	29
PID 1248 wrote to memory of 1900	1248	pdfisga.exe	29
PID 1248 wrote to memory of 1900	1248	pdfisga.exe	29
PID 1248 wrote to memory of 2024	1248	pdfisga.exe	31
PID 1248 wrote to memory of 2024	1248	pdfisga.exe	31
PID 1248 wrote to memory of 2024	1248	pdfisga.exe	31
PID 1248 wrote to memory of 2024	1248	pdfisga.exe	31
PID 588 wrote to memory of 396	588	svchost.exe	32
PID 588 wrote to memory of 396	588	svchost.exe	32
PID 588 wrote to memory of 396	588	svchost.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1240
- C:\Users\Admin\AppData\Local\Temp\21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd.exe
  "C:\Users\Admin\AppData\Local\Temp\21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:832
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:396

C:\Windows\system32\taskeng.exe
taskeng.exe {D10B0B53-EB33-4DC7-96D0-F8D7E4BA9C21} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
  C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - Interacts with shadow copies
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\pdfisga.exe
    "C:\Users\Admin\AppData\Local\Temp\pdfisga.exe" -u
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\xptppml

Filesize
654B

MD5
5b81d8391c76dcb0039318a1d6962589

SHA1
45fdc8b4ce3f1f6fe5a81a3edd90eea901837af5

SHA256
8778f68d5e684bf81772952ddb8be1af3b4439524deecfd29a3b2b7f326f972a

SHA512
2c82559615bdc92e7de8485fedd4892f97aed49939f689839e6be77a87d7b346a8f0eb71e9f7aa7e5b629b6efd7822b17d87aea73065b4b8b5500758f75b96a3

Download Submit
C:\ProgramData\Adobe\xptppml

Filesize
654B

MD5
5b81d8391c76dcb0039318a1d6962589

SHA1
45fdc8b4ce3f1f6fe5a81a3edd90eea901837af5

SHA256
8778f68d5e684bf81772952ddb8be1af3b4439524deecfd29a3b2b7f326f972a

SHA512
2c82559615bdc92e7de8485fedd4892f97aed49939f689839e6be77a87d7b346a8f0eb71e9f7aa7e5b629b6efd7822b17d87aea73065b4b8b5500758f75b96a3

Download Submit
C:\ProgramData\Adobe\xptppml

Filesize
654B

MD5
add42dde22cf24594624dfd4cf099469

SHA1
028c77d83224735dd5e431f303ac7a422bc943bf

SHA256
e230c0d69753cfa4bc3bc8b4f9b65f21a43076898c9fc951a6ccd8a03465b252

SHA512
029c9c35aaf16e97116fe32ff663b79a91122ebf03bc3e66ef21bdd097cb7744f5645d46f887cbbce4c663dd6bff83a2a19a428a89d173f68641d046497311f7

Download Submit
C:\ProgramData\Adobe\xptppml

Filesize
654B

MD5
add42dde22cf24594624dfd4cf099469

SHA1
028c77d83224735dd5e431f303ac7a422bc943bf

SHA256
e230c0d69753cfa4bc3bc8b4f9b65f21a43076898c9fc951a6ccd8a03465b252

SHA512
029c9c35aaf16e97116fe32ff663b79a91122ebf03bc3e66ef21bdd097cb7744f5645d46f887cbbce4c663dd6bff83a2a19a428a89d173f68641d046497311f7

Download Submit
C:\ProgramData\zlwdkgg.html

Filesize
64KB

MD5
bc9561f255b0b9d6d5310c0b5ed11d56

SHA1
738a13448eaa70d9630a443fd0aa4b5037010c10

SHA256
dcdb47426cdda560672929b1723544b1a80ac8055cd4283651b01f74732f6b7b

SHA512
72315ab9eabb8fa15795def4fd82e60acff49c400fc60c02568a000d43dfc2275caa3bb08895b440eeb468ffecdaadc063acd92fc511e160e5b32c364647822b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
1019KB

MD5
1ea130f39d90ae08b289a13406410ec3

SHA1
f87fcf3b7becd3ada883a42f79e05943abb21c09

SHA256
21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd

SHA512
3acadb8b2f9062f4c77c6056995f587b6828305ea9583917bd93105fa4233157fc9049271520ade6b69f93707d4bddc1c0aabfd8b15f04dd90a95c266074d017

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
1019KB

MD5
1ea130f39d90ae08b289a13406410ec3

SHA1
f87fcf3b7becd3ada883a42f79e05943abb21c09

SHA256
21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd

SHA512
3acadb8b2f9062f4c77c6056995f587b6828305ea9583917bd93105fa4233157fc9049271520ade6b69f93707d4bddc1c0aabfd8b15f04dd90a95c266074d017

Download Submit
C:\Users\Admin\AppData\Local\Temp\pdfisga.exe

Filesize
1019KB

MD5
1ea130f39d90ae08b289a13406410ec3

SHA1
f87fcf3b7becd3ada883a42f79e05943abb21c09

SHA256
21a1575646d545219ba6813d316cdf388f05c2d45d0b0011a5bfb77b1e2ca2cd

SHA512
3acadb8b2f9062f4c77c6056995f587b6828305ea9583917bd93105fa4233157fc9049271520ade6b69f93707d4bddc1c0aabfd8b15f04dd90a95c266074d017

Download Submit
memory/588-75-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

Filesize
8KB

Download
memory/588-71-0x0000000000D50000-0x0000000000DC7000-memory.dmp

Filesize
476KB

Download
memory/588-69-0x0000000000D50000-0x0000000000DC7000-memory.dmp

Filesize
476KB

Download
memory/1248-66-0x0000000001BC0000-0x0000000001E0B000-memory.dmp

Filesize
2.3MB

Download
memory/1248-63-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/1248-62-0x0000000001740000-0x0000000001765000-memory.dmp

Filesize
148KB

Download
memory/1248-68-0x0000000001740000-0x0000000001765000-memory.dmp

Filesize
148KB

Download
memory/1376-56-0x0000000002D80000-0x0000000002F9A000-memory.dmp

Filesize
2.1MB

Download
memory/1376-67-0x0000000002A20000-0x0000000002A45000-memory.dmp

Filesize
148KB

Download
memory/1376-54-0x0000000002A20000-0x0000000002A45000-memory.dmp

Filesize
148KB

Download
memory/1376-58-0x0000000002FA0000-0x00000000031EB000-memory.dmp

Filesize
2.3MB

Download
memory/1376-57-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1376-55-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2024-88-0x00000000030A0000-0x00000000032EB000-memory.dmp

Filesize
2.3MB

Download
memory/2024-85-0x0000000000400000-0x0000000000505000-memory.dmp

Filesize
1.0MB

Download
memory/2024-90-0x0000000002B20000-0x0000000002B45000-memory.dmp

Filesize
148KB

Download
memory/2024-84-0x0000000002B20000-0x0000000002B45000-memory.dmp

Filesize
148KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads