ctblocker | e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004

General

Target

e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
Size

820KB
MD5

53efb689f9f56262b571f68b11a21839
SHA1

0d31c13c910cbb2dd2979a3762a9223aa12eceee
SHA256

e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004
SHA512

f7c2723cee0b9d8db1f910e852d4e66f2a10de0710a106676b4f1a07cd6e8e49987d1cac9b30007014f9f8e108d0baccdbca2b7ce4ff863a09570851b9cbf43b
SSDEEP

24576:0tkyyQSspmUheMMyo+g7d9TEE4Zm36B5qbN8:0vSspFeMMDbd1F6BY

Score

10^/10

ctblocker ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-inlglmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. VO6XTIE-PPIWRDN-Z3GQVVE-CUDBL2F-HW7LWCR-UJZW6B6-KSKG36J-JNGEUIC J3DWLNQ-QYEKEEN-CWP5FS2-LXF5GIR-WBB37MU-O4T3AGE-WLP4J45-7LA6ED2 N5NBCNS-AYUQCLE-HSYPGZ2-OA23ORO-CS45AZG-QJNKANF-TYR2XDA-HEGIGDT Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Extracted

Path

C:\Users\Admin\Documents\!Decrypt-All-Files-inlglmn.txt

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://onja764ig6vah2jo.onion.cab or http://onja764ig6vah2jo.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org 2. In the Tor Browser open the http://onja764ig6vah2jo.onion/ Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. VO6XTIE-PPIWRDN-Z3GQVVE-CUDBL2F-HW7LWCR-UJZW6B6-KSKG36J-JNGEUIC J3DWLNQ-QYEKEEN-CWP5FS2-LXF5GIR-WBB37MU-O4T3AGE-WLP4J45-7LA6ED2 N5NBCNS-AYUQCLE-HSYPGZ2-OA23ORO-CS45BKG-27NKANF-TYR2XDA-HEGIEYO Follow the instructions on the server.

URLs

http://onja764ig6vah2jo.onion.cab

http://onja764ig6vah2jo.tor2web.org

http://onja764ig6vah2jo.onion/

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Executes dropped EXE 2 IoCs

Processes:

pcrcyge.exepcrcyge.exe

pid process

1164 pcrcyge.exe
600 pcrcyge.exe

pid	process
1164	pcrcyge.exe
600	pcrcyge.exe

Modifies extensions of user files 3 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	process
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\ResetConnect.CRW.inlglmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\PublishBackup.CRW.inlglmn	svchost.exe
File renamed	C:\Windows\Temp\laaaaaaa.tmp => C:\Users\Admin\Pictures\MoveResume.CRW.inlglmn	svchost.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini svchost.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exepcrcyge.exe

description	pid	process	target process
PID 1640 set thread context of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1164 set thread context of 600	1164	pcrcyge.exe	pcrcyge.exe

Drops file in Program Files directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-inlglmn.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-inlglmn.bmp	svchost.exe

Modifies data under HKEY_USERS 20 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00360061003200380062003200320034002d0031006100380032002d0031003100650064002d0062003900380066002d003800300036006500360066003600650036003900360033007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{6a28b224-1a82-11ed-b98f-806e6f6e6963}\MaxCapacity = "15140"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exepcrcyge.exe

pid	process
1820	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe
600	pcrcyge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

pcrcyge.exe

description pid process

Token: SeDebugPrivilege 600 pcrcyge.exe
Token: SeDebugPrivilege 600 pcrcyge.exe

description	pid	process
Token: SeDebugPrivilege	600	pcrcyge.exe
Token: SeDebugPrivilege	600	pcrcyge.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exetaskeng.exepcrcyge.exepcrcyge.exesvchost.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640

C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"
3⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"
3⤵
PID:1232

C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"
3⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"
3⤵
PID:1324

C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"
3⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
"C:\Users\Admin\AppData\Local\Temp\e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:1616

C:\Windows\system32\taskeng.exe
taskeng.exe {32051033-E5A5-49DD-906C-5606686ECC95} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1164

C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:600

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft Help\aubdarb
Filesize
654B

MD5
2695c05fb9ba210095b5634212dcdc4d

SHA1
c6e97b479efa66aecce662d15175364fe50d804d

SHA256
13b83d55a584a585f7cba26b7a9af5bffd4d6a007864adc3cc66bda096d68d73

SHA512
39ddf678b56d3098557aa375b1acdadd3b4b0ad4a272151325e012dd98f0453ca81618f0c6bb75983b6c4c5acaf02fb6fb7a0d5a9e3e0259e8ccebb3a704f36b

Download Submit
C:\ProgramData\Microsoft Help\aubdarb
Filesize
654B

MD5
2695c05fb9ba210095b5634212dcdc4d

SHA1
c6e97b479efa66aecce662d15175364fe50d804d

SHA256
13b83d55a584a585f7cba26b7a9af5bffd4d6a007864adc3cc66bda096d68d73

SHA512
39ddf678b56d3098557aa375b1acdadd3b4b0ad4a272151325e012dd98f0453ca81618f0c6bb75983b6c4c5acaf02fb6fb7a0d5a9e3e0259e8ccebb3a704f36b

Download Submit
C:\ProgramData\Microsoft Help\aubdarb
Filesize
654B

MD5
a6f635f0824e78aa8bc0b7af7ddbe5cc

SHA1
b7f2e4cedd5917caf2efbe02e7f73f557f28163e

SHA256
268a3722afc3c0c2f9f37ba11062a96abf21659c579242aacdcb78ef1357742a

SHA512
5e229b4fe18f35cadc21ef815cebc049eeca47a5acac2bb6d70ad7ec308490876f1c37cedee66057901f2e429fd3761be4f5d22d97a5558bea9576c96d201ac4

Download Submit
C:\ProgramData\Microsoft Help\aubdarb
Filesize
654B

MD5
67cb3db758351be897983a76ff0382bc

SHA1
4de1f0f5811471c05c2ace941cf2eb1b940a2669

SHA256
020bf91da6e993c1b9b9508cdb6746b950f96f77845c30c70e87df8df3f5e822

SHA512
4ab76b093958a92bd00d2ac85a02ff6d701822a5ea46c5f9a24b9d0f50e76c0dca72ae1aeb0ec4c88e4703e3cf670970a934ce64fe3cddc791531b50ac7beb9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
820KB

MD5
53efb689f9f56262b571f68b11a21839

SHA1
0d31c13c910cbb2dd2979a3762a9223aa12eceee

SHA256
e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004

SHA512
f7c2723cee0b9d8db1f910e852d4e66f2a10de0710a106676b4f1a07cd6e8e49987d1cac9b30007014f9f8e108d0baccdbca2b7ce4ff863a09570851b9cbf43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
820KB

MD5
53efb689f9f56262b571f68b11a21839

SHA1
0d31c13c910cbb2dd2979a3762a9223aa12eceee

SHA256
e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004

SHA512
f7c2723cee0b9d8db1f910e852d4e66f2a10de0710a106676b4f1a07cd6e8e49987d1cac9b30007014f9f8e108d0baccdbca2b7ce4ff863a09570851b9cbf43b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pcrcyge.exe
Filesize
820KB

MD5
53efb689f9f56262b571f68b11a21839

SHA1
0d31c13c910cbb2dd2979a3762a9223aa12eceee

SHA256
e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004

SHA512
f7c2723cee0b9d8db1f910e852d4e66f2a10de0710a106676b4f1a07cd6e8e49987d1cac9b30007014f9f8e108d0baccdbca2b7ce4ff863a09570851b9cbf43b

Download Submit
memory/588-82-0x00000000001C0000-0x0000000000237000-memory.dmp

Filesize
476KB

Download
memory/588-84-0x00000000001C0000-0x0000000000237000-memory.dmp

Filesize
476KB

Download
memory/588-88-0x000007FEFB821000-0x000007FEFB823000-memory.dmp

Filesize
8KB

Download
memory/600-74-0x0000000000E2107E-mapping.dmp

Download
memory/600-81-0x0000000000E50000-0x000000000109B000-memory.dmp

Filesize
2.3MB

Download
memory/1164-68-0x0000000000000000-mapping.dmp

Download
memory/1164-76-0x00000000739C0000-0x0000000073F6B000-memory.dmp

Filesize
5.7MB

Download
memory/1616-87-0x0000000000000000-mapping.dmp

Download
memory/1640-65-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-55-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-56-0x0000000073F70000-0x000000007451B000-memory.dmp

Filesize
5.7MB

Download
memory/1640-54-0x0000000075071000-0x0000000075073000-memory.dmp

Filesize
8KB

Download
memory/1820-62-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1820-57-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1820-58-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1820-60-0x00000000002C107E-mapping.dmp

Download
memory/1820-61-0x0000000000400000-0x00000000004A5000-memory.dmp

Filesize
660KB

Download
memory/1820-63-0x00000000009B0000-0x0000000000BCA000-memory.dmp

Filesize
2.1MB

Download
memory/1820-66-0x0000000000BD0000-0x0000000000E1B000-memory.dmp

Filesize
2.3MB

Download

description	pid	process	target process
PID 1640 wrote to memory of 952	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 952	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 952	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 952	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1232	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1232	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1232	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1232	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1284	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1284	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1284	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1284	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1324	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1324	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1324	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1324	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1828	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1828	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1828	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1828	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 1640 wrote to memory of 1820	1640	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe	e26bd11c525dfca4152ed74b2fb97e5c30a091239c2dbe877a312a1cfcf34004.exe
PID 280 wrote to memory of 1164	280	taskeng.exe	pcrcyge.exe
PID 280 wrote to memory of 1164	280	taskeng.exe	pcrcyge.exe
PID 280 wrote to memory of 1164	280	taskeng.exe	pcrcyge.exe
PID 280 wrote to memory of 1164	280	taskeng.exe	pcrcyge.exe
PID 1164 wrote to memory of 600	1164	pcrcyge.exe	pcrcyge.exe
PID 1164 wrote to memory of 600	1164	pcrcyge.exe	pcrcyge.exe
PID 1164 wrote to memory of 600	1164	pcrcyge.exe	pcrcyge.exe
PID 1164 wrote to memory of 600	1164	pcrcyge.exe	pcrcyge.exe
PID 1164 wrote to memory of 600	1164	pcrcyge.exe	pcrcyge.exe
PID 1164 wrote to memory of 600	1164	pcrcyge.exe	pcrcyge.exe
PID 1164 wrote to memory of 600	1164	pcrcyge.exe	pcrcyge.exe
PID 1164 wrote to memory of 600	1164	pcrcyge.exe	pcrcyge.exe
PID 600 wrote to memory of 588	600	pcrcyge.exe	svchost.exe
PID 588 wrote to memory of 1616	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 1616	588	svchost.exe	DllHost.exe
PID 588 wrote to memory of 1616	588	svchost.exe	DllHost.exe
PID 600 wrote to memory of 1268	600	pcrcyge.exe	Explorer.EXE

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads