quantum | 53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08

General

Target

53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
Size

64KB
MD5

60c02f5b6c8cf50918027e14bf06b967
SHA1

3c9e9454ed02c02ccfc3f5240391c413da300b5f
SHA256

53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08
SHA512

c7f893883406065c78474af4541178bffec10f4a9847e15206c4012e68c87228029bc495fefb2ebdab77b16595d1969b8d85674b02a1c49f3f61b2281e39aa4f
SSDEEP

768:GnJ9uwtbJD/QpEdTrArzVpCK1w22TYgNvCJ037FLxZKQJRNz0TqXuEmLIu0L:G+wr1AB0AwB57F9npz0TauEm8u0L

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <pre> 8c2f9a2309b489e5a3f2b753b653456861d985722897b67542bbdd1149822732 </pre> <hr/> This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. <a href="http://wxxp3rny7w3j6gkel56iomdw2ztfzqxlsdw3fyezrnohgh767bau6dqd.onion/?cid=8c2f9a2309b489e5a3f2b753b653456861d985722897b67542bbdd1149822732">http://wxxp3rny7w3j6gkel56iomdw2ztfzqxlsdw3fyezrnohgh767bau6dqd.onion/?cid=8c2f9a2309b489e5a3f2b753b653456861d985722897b67542bbdd1149822732</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

Your ID: This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://wxxp3rny7w3j6gkel56iomdw2ztfzqxlsdw3fyezrnohgh767bau6dqd.onion/?cid=8c2f9a2309b489e5a3f2b753b653456861d985722897b67542bbdd1149822732 Password field should be blank for the first login. Note that this server is available via Tor browser only. P.S. How to get TOR browser - see at https://www.torproject.org

URLs

http://wxxp3rny7w3j6gkel56iomdw2ztfzqxlsdw3fyezrnohgh767bau6dqd.onion/?cid=8c2f9a2309b489e5a3f2b753b653456861d985722897b67542bbdd1149822732

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\GrantStart.raw => \??\c:\Users\Admin\Pictures\GrantStart.raw.quantum	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File renamed	C:\Users\Admin\Pictures\PublishSwitch.png => \??\c:\Users\Admin\Pictures\PublishSwitch.png.quantum	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File renamed	C:\Users\Admin\Pictures\SaveHide.crw => \??\c:\Users\Admin\Pictures\SaveHide.crw.quantum	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File renamed	C:\Users\Admin\Pictures\EnableEdit.tif => \??\c:\Users\Admin\Pictures\EnableEdit.tif.quantum	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1576	cmd.exe

Drops desktop.ini file(s) 26 IoCs

Processes:

53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A726BD41-B71A-11ED-981D-FAEC88B9DA95} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Modifies registry class 5 IoCs

Processes:

53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum\shell\Open\command	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.quantum	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

pid	Process
1980	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
1980	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

description	pid	Process
Token: SeRestorePrivilege	1980	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
Token: SeDebugPrivilege	1980	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid	Process
544	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
544	iexplore.exe
544	iexplore.exe
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE
1100	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.execmd.exeiexplore.exe

description	pid	Process	procid_target
PID 1980 wrote to memory of 1576	1980	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe	28
PID 1980 wrote to memory of 1576	1980	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe	28
PID 1980 wrote to memory of 1576	1980	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe	28
PID 1980 wrote to memory of 1576	1980	53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe	28
PID 1576 wrote to memory of 1636	1576	cmd.exe	30
PID 1576 wrote to memory of 1636	1576	cmd.exe	30
PID 1576 wrote to memory of 1636	1576	cmd.exe	30
PID 1576 wrote to memory of 1636	1576	cmd.exe	30
PID 544 wrote to memory of 1100	544	iexplore.exe	33
PID 544 wrote to memory of 1100	544	iexplore.exe	33
PID 544 wrote to memory of 1100	544	iexplore.exe	33
PID 544 wrote to memory of 1100	544	iexplore.exe	33

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exe

pid	Process
1636	attrib.exe

C:\Users\Admin\AppData\Local\Temp\53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe
"C:\Users\Admin\AppData\Local\Temp\53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C60D6.bat" "C:\Users\Admin\AppData\Local\Temp\53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\53d6ddd82fc6faa5549fb887bbcad87759d93ee27c12a3cac74637d6e881dc08.exe"
    3⤵
    - Views/modifies file attributes
    PID:1636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:544 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\006C60D6.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C60D6.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
2KB

MD5
80a27365f722f99f1bcb2a9e60a0102d

SHA1
3b0a2f48a358b0947a5faaf15556dede922c9571

SHA256
e8224663a7feb247de2310007809d22ab9d42fd1de381f95ce3e2cb56215b98e

SHA512
7947f3f3ed7ea9b631746d3ebbf0751a144628e387360d6b6bb8571d826cafa306f6154fcfe9c79d3299195f7b2250b28e300db7acd186eac404d15827a92770

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
2KB

MD5
80a27365f722f99f1bcb2a9e60a0102d

SHA1
3b0a2f48a358b0947a5faaf15556dede922c9571

SHA256
e8224663a7feb247de2310007809d22ab9d42fd1de381f95ce3e2cb56215b98e

SHA512
7947f3f3ed7ea9b631746d3ebbf0751a144628e387360d6b6bb8571d826cafa306f6154fcfe9c79d3299195f7b2250b28e300db7acd186eac404d15827a92770

Download Submit
memory/544-327-0x0000000002DE0000-0x0000000002DF0000-memory.dmp

Filesize
64KB

Download
memory/1100-328-0x0000000002F30000-0x0000000002F32000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads