ctblocker | 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

Analysis

max time kernel
159s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Size

1.2MB
MD5

1aad30f76693aa8ec2fd2a9314b02125
SHA1

a199494ac4f065578323c1058e0f0cd5df563bc2
SHA256

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1
SHA512

fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c
SSDEEP

24576:ADqBNB/RLKAlkmrTgCQgoB/7nhYfxknKBCXzOvERcd8Gu7q:ADkpRkmvQgo9zS6nMv7+1u

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eaublmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OUEJXPR-ABCDQMF-CFO2DA6-XASYKFN-DSV6FF5-OLSLC5Q-7UI6EIP-SEWPBDS FUV46FQ-EFTERKW-PQPK3HV-RQF64PI-XI5BUJM-OGH4E3Y-6XWMPTG-TKOGF4M GHZDVN3-UK46UQG-I4WSN4J-YOCAKMA-GUOPKJ5-55AFMZB-Y7F7DOY-F5A3CEI Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-eaublmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. OUEJXPR-ABCDQMF-CFO2DA6-XASYKFN-DSV6FF5-OLSLC5Q-7UI6EIP-SEWPBDS FUV46FQ-EFTERKW-PQPK3HV-RQF64PI-XI5BUJM-OGH4E3Y-6XWMPTG-TKOGF4M GHZDVN3-UK46UQG-I4WSN4J-YOCAKMA-GUOPT35-JKAFMZB-Y7F7DOY-F5A35PY Follow the instructions on the server.

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 5 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exepcrcyge.exepcrcyge.exepcrcyge.exepcrcyge.exe

pid process

1628 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
1444 pcrcyge.exe
1492 pcrcyge.exe
1568 pcrcyge.exe
948 pcrcyge.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ExitImport.CRW.eaublmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ClearRequest.RAW.eaublmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\DisableRegister.CRW.eaublmn	svchost.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

pcrcyge.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation pcrcyge.exe
Loads dropped DLL 1 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe

pid process

1340 8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	pcrcyge.exe

pid	process
1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-eaublmn.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exepcrcyge.exepcrcyge.exe

description	pid	process	target process
PID 1340 set thread context of 1628	1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1444 set thread context of 1492	1444	pcrcyge.exe	pcrcyge.exe
PID 1568 set thread context of 948	1568	pcrcyge.exe	pcrcyge.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eaublmn.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-eaublmn.bmp	svchost.exe

Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1900 vssadmin.exe

pid	process
1900	vssadmin.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exepcrcyge.exe

pid	process
1628	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe
1492	pcrcyge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

pcrcyge.exepcrcyge.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1492	pcrcyge.exe
Token: SeDebugPrivilege	1492	pcrcyge.exe
Token: SeDebugPrivilege	1568	pcrcyge.exe
Token: SeShutdownPrivilege	1256	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

pcrcyge.exe

pid process

948 pcrcyge.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

pcrcyge.exe

pid process

948 pcrcyge.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE

pid	process
948	pcrcyge.exe

pid	process
948	pcrcyge.exe

pid	process
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 38 IoCs

Processes:

8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exetaskeng.exepcrcyge.exepcrcyge.exesvchost.exepcrcyge.exe

description	pid	process	target process
PID 1340 wrote to memory of 1628	1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1340 wrote to memory of 1628	1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1340 wrote to memory of 1628	1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1340 wrote to memory of 1628	1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1340 wrote to memory of 1628	1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1340 wrote to memory of 1628	1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1340 wrote to memory of 1628	1340	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe	8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
PID 1640 wrote to memory of 1444	1640	taskeng.exe	pcrcyge.exe
PID 1640 wrote to memory of 1444	1640	taskeng.exe	pcrcyge.exe
PID 1640 wrote to memory of 1444	1640	taskeng.exe	pcrcyge.exe
PID 1640 wrote to memory of 1444	1640	taskeng.exe	pcrcyge.exe
PID 1444 wrote to memory of 1492	1444	pcrcyge.exe	pcrcyge.exe
PID 1444 wrote to memory of 1492	1444	pcrcyge.exe	pcrcyge.exe
PID 1444 wrote to memory of 1492	1444	pcrcyge.exe	pcrcyge.exe
PID 1444 wrote to memory of 1492	1444	pcrcyge.exe	pcrcyge.exe
PID 1444 wrote to memory of 1492	1444	pcrcyge.exe	pcrcyge.exe
PID 1444 wrote to memory of 1492	1444	pcrcyge.exe	pcrcyge.exe
PID 1444 wrote to memory of 1492	1444	pcrcyge.exe	pcrcyge.exe
PID 1492 wrote to memory of 600	1492	pcrcyge.exe	svchost.exe
PID 600 wrote to memory of 1740	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1740	600	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1740	600	svchost.exe	DllHost.exe
PID 1492 wrote to memory of 1256	1492	pcrcyge.exe	Explorer.EXE
PID 1492 wrote to memory of 1900	1492	pcrcyge.exe	vssadmin.exe
PID 1492 wrote to memory of 1900	1492	pcrcyge.exe	vssadmin.exe
PID 1492 wrote to memory of 1900	1492	pcrcyge.exe	vssadmin.exe
PID 1492 wrote to memory of 1900	1492	pcrcyge.exe	vssadmin.exe
PID 1492 wrote to memory of 1568	1492	pcrcyge.exe	pcrcyge.exe
PID 1492 wrote to memory of 1568	1492	pcrcyge.exe	pcrcyge.exe
PID 1492 wrote to memory of 1568	1492	pcrcyge.exe	pcrcyge.exe
PID 1492 wrote to memory of 1568	1492	pcrcyge.exe	pcrcyge.exe
PID 1568 wrote to memory of 948	1568	pcrcyge.exe	pcrcyge.exe
PID 1568 wrote to memory of 948	1568	pcrcyge.exe	pcrcyge.exe
PID 1568 wrote to memory of 948	1568	pcrcyge.exe	pcrcyge.exe
PID 1568 wrote to memory of 948	1568	pcrcyge.exe	pcrcyge.exe
PID 1568 wrote to memory of 948	1568	pcrcyge.exe	pcrcyge.exe
PID 1568 wrote to memory of 948	1568	pcrcyge.exe	pcrcyge.exe
PID 1568 wrote to memory of 948	1568	pcrcyge.exe	pcrcyge.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1256

C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
"C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1340

C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
"C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:600

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1740

C:\Windows\system32\taskeng.exe
taskeng.exe {15080C1B-E824-4AFB-ABD5-46633D7546BB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\vssadmin.exe
vssadmin delete shadows all
4⤵
- Interacts with shadow copies
PID:1900

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe" -u
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
"C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe"
5⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:948

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\aubdarb
Filesize
654B

MD5
0bfa64e0a33137b1b96bdb118473c2b6

SHA1
f1fa515f9dbce398c709299e9a09e463be159e84

SHA256
6184978a72e79edc5e35584fc25548f8845663fbb53f9a2736b7c476cccfed80

SHA512
d8481ba5365d358a943870ac20247fb8ff74de8f60f6ff4f4841dbc3560942b5592ab279c9c161ea20def86315fa9430c88b07625aff676b87afc44f51f47929

Download Submit
C:\ProgramData\Microsoft Help\aubdarb
Filesize
654B

MD5
0bfa64e0a33137b1b96bdb118473c2b6

SHA1
f1fa515f9dbce398c709299e9a09e463be159e84

SHA256
6184978a72e79edc5e35584fc25548f8845663fbb53f9a2736b7c476cccfed80

SHA512
d8481ba5365d358a943870ac20247fb8ff74de8f60f6ff4f4841dbc3560942b5592ab279c9c161ea20def86315fa9430c88b07625aff676b87afc44f51f47929

Download Submit
C:\ProgramData\Microsoft Help\aubdarb
Filesize
654B

MD5
6eee66ef77dad342e4c5e375856a4c47

SHA1
09e9d246c5a40b2ca78e5295e5b0d38f8dc1943a

SHA256
41157593b748de031e9562b1b3094958428aa02aa4835473120e802cb0d0387b

SHA512
842995a99cb9a6769a270522985d4db442e0f58815eba7ddbc028954eadc79d9cc7e4c306f6a09e138ee28ff96437a6c2abbc66f9baa4ab05d86242f20e3e347

Download Submit
C:\ProgramData\Microsoft Help\aubdarb
Filesize
654B

MD5
d3f34dccff9b6b3787495b459930ac0a

SHA1
bb49977527e74c36657d4d3a74b214ee3e7e5755

SHA256
a1fa250ed84315421c70abd148bc99b881af0575c5125cf79488e94457c4ba9d

SHA512
a3fdf4354d754363f536ba7fbec3b4174d2749455cf51ea1d98eff439eb08726e1a83c587acbf22e6aee75174da9631438bd16b9bc7cc817ca56e78e2ff8f2e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
\Users\Admin\AppData\Local\Temp\8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1.exe
Filesize
1.2MB

MD5
1aad30f76693aa8ec2fd2a9314b02125

SHA1
a199494ac4f065578323c1058e0f0cd5df563bc2

SHA256
8f9751146aa82a867fc19fdeade6a1c86f68c569b98ef177d4f712e46166f9d1

SHA512
fa2d623b0b33c1f7506209980f4699aa8efb4dc18b25cf97f6871fee209d0de7a79f7b3c63458aa0e49d868446e03d2a0cf59ca47c2eee74c67eeac21d03b31c

Download Submit
memory/600-93-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

Filesize
8KB

Download
memory/600-87-0x00000000000E0000-0x0000000000157000-memory.dmp

Filesize
476KB

Download
memory/600-89-0x00000000000E0000-0x0000000000157000-memory.dmp

Filesize
476KB

Download
memory/948-115-0x0000000000BF0000-0x0000000000E3B000-memory.dmp

Filesize
2.3MB

Download
memory/948-108-0x0000000000401FA3-mapping.dmp

Download
memory/1340-55-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1340-54-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1340-65-0x0000000074500000-0x0000000074AAB000-memory.dmp

Filesize
5.7MB

Download
memory/1444-71-0x0000000000000000-mapping.dmp

Download
memory/1444-81-0x00000000743F0000-0x000000007499B000-memory.dmp

Filesize
5.7MB

Download
memory/1492-86-0x00000000009B0000-0x0000000000BFB000-memory.dmp

Filesize
2.3MB

Download
memory/1492-79-0x0000000000401FA3-mapping.dmp

Download
memory/1568-112-0x00000000743A0000-0x000000007494B000-memory.dmp

Filesize
5.7MB

Download
memory/1568-100-0x0000000000000000-mapping.dmp

Download
memory/1628-62-0x0000000000401FA3-mapping.dmp

Download
memory/1628-58-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1628-60-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1628-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1628-69-0x0000000000A30000-0x0000000000C7B000-memory.dmp

Filesize
2.3MB

Download
memory/1628-66-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1628-67-0x0000000000610000-0x000000000082A000-memory.dmp

Filesize
2.1MB

Download
memory/1740-92-0x0000000000000000-mapping.dmp

Download
memory/1900-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads