quantum | 2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9

General

Target

2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
Size

75KB
MD5

97b012d95745c2d4670f90ea81a3167a
SHA1

8ea598b142fb2ca30318b968dc61f912587a5824
SHA256

2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9
SHA512

6d9b760f7c092fcaf942b67a37cdebe12bce50c0e5badb15cf00f2d10caa0dae8d1c59b4e2e130da55beab200e06fbebf097661c85eb834396e968a6d996a853
SSDEEP

1536:9aX51pVH9hsgNGLs6BLM1frxz/HTfcKKBaJG:OfJGLs6BwNxnfTKsG

Score

10^/10

quantum ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

<html> <head> <title>Quantum</title> </head> <body> <h1>Your ID:</h1> <pre> 7d964f3d2efe012eb21dd419ffdf79c260dd875e64e187754df218bdedde1061 </pre> <hr/> This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. <a href="http://obqregdsd7dmilzf3aqvegn3sofpufsvb2n3m2dvwfhsgthemvyi44qd.onion/?cid=7d964f3d2efe012eb21dd419ffdf79c260dd875e64e187754df218bdedde1061">http://obqregdsd7dmilzf3aqvegn3sofpufsvb2n3m2dvwfhsgthemvyi44qd.onion/?cid=7d964f3d2efe012eb21dd419ffdf79c260dd875e64e187754df218bdedde1061</a> <ul> <li>Password field should be blank for the first login. <li>Note that this server is available via Tor browser only. </ul> P.S. How to get TOR browser - see at https://www.torproject.org </body> </html>

Extracted

Path

C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Family

quantum

Ransom Note

Your ID: This message contains an information how to fix the troubles you've got with your network. Files on the workstations in your network were encrypted and any your attempt to change, decrypt or rename them could destroy the content. The only way to get files back is a decryption with Key, provided by the Quantum Locker. During the period your network was under our control, we downloaded a huge volume of information. Now it is stored on our servers with high-secure access. This information contains a lot of sensitive, private and personal data. Publishing of such data will cause serious consequences and even business disruption. It's not a threat, on the contrary - it's a manual how to get a way out. Quantum team doesn't aim to damage your company, our goals are only financial. After a payment you'll get network decryption, full destruction of downloaded data, information about your network vulnerabilities and penetration points. If you decide not to negotiate, in 48 hours the fact of the attack and all your information will be posted on our site and will be promoted among dozens of cyber forums, news agencies, websites etc. To contact our support and start the negotiations, please visit our support chat. It is simple, secure and you can set a password to avoid intervention of unauthorised persons. http://obqregdsd7dmilzf3aqvegn3sofpufsvb2n3m2dvwfhsgthemvyi44qd.onion/?cid=7d964f3d2efe012eb21dd419ffdf79c260dd875e64e187754df218bdedde1061 Password field should be blank for the first login. Note that this server is available via Tor browser only. P.S. How to get TOR browser - see at https://www.torproject.org

URLs

http://obqregdsd7dmilzf3aqvegn3sofpufsvb2n3m2dvwfhsgthemvyi44qd.onion/?cid=7d964f3d2efe012eb21dd419ffdf79c260dd875e64e187754df218bdedde1061

Signatures

Quantum Ransomware
A rebrand of the MountLocker ransomware first seen in August 2021.
ransomware quantum

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnregisterGrant.raw => \??\c:\Users\Admin\Pictures\UnregisterGrant.raw.quantum	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File renamed	C:\Users\Admin\Pictures\ConvertToSet.raw => \??\c:\Users\Admin\Pictures\ConvertToSet.raw.quantum	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File renamed	C:\Users\Admin\Pictures\GrantWait.png => \??\c:\Users\Admin\Pictures\GrantWait.png.quantum	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File renamed	C:\Users\Admin\Pictures\ImportComplete.raw => \??\c:\Users\Admin\Pictures\ImportComplete.raw.quantum	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Pictures\NewBackup.tiff	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File renamed	C:\Users\Admin\Pictures\NewBackup.tiff => \??\c:\Users\Admin\Pictures\NewBackup.tiff.quantum	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Pictures\ResumeEdit.tiff	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File renamed	C:\Users\Admin\Pictures\ResumeEdit.tiff => \??\c:\Users\Admin\Pictures\ResumeEdit.tiff.quantum	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe

Deletes itself 1 IoCs

pid	Process
1732	cmd.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	\??\c:\Users\Admin\Favorites\Links for United States\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Videos\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Music\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Pictures\Sample Pictures\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Videos\Sample Videos\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Favorites\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Favorites\Links\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Links\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Music\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Saved Games\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Searches\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Desktop\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Documents\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Contacts\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Documents\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Recorded TV\Sample Media\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Downloads\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Libraries\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Videos\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Desktop\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Music\Sample Music\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Public\Pictures\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Downloads\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
File opened for modification	\??\c:\Users\Admin\Pictures\desktop.ini	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7881C9A1-B844-11ED-B880-C227D5A71BE4} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum\shell\Open\command	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum\shell	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum\shell\Open	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000_CLASSES\.quantum\shell\Open\command\ = "explorer.exe README_TO_DECRYPT.html"	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1092	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
1092	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1092	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
Token: SeDebugPrivilege	1092	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1048	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1048	iexplore.exe
1048	iexplore.exe
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE
1160	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1732	1092	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe	29
PID 1092 wrote to memory of 1732	1092	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe	29
PID 1092 wrote to memory of 1732	1092	2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe	29
PID 1732 wrote to memory of 1580	1732	cmd.exe	31
PID 1732 wrote to memory of 1580	1732	cmd.exe	31
PID 1732 wrote to memory of 1580	1732	cmd.exe	31
PID 1048 wrote to memory of 1160	1048	iexplore.exe	34
PID 1048 wrote to memory of 1160	1048	iexplore.exe	34
PID 1048 wrote to memory of 1160	1048	iexplore.exe	34
PID 1048 wrote to memory of 1160	1048	iexplore.exe	34

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
1580	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe
"C:\Users\Admin\AppData\Local\Temp\2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe"
1⤵
- Modifies extensions of user files
- Drops desktop.ini file(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\\006C3A05.bat" "C:\Users\Admin\AppData\Local\Temp\2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe""
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\system32\attrib.exe
    attrib -s -r -h "C:\Users\Admin\AppData\Local\Temp\2fd8356abd42b19799aca857990a5f49631b02bd3253f80d96b5d27dcfd2f7c9.exe"
    3⤵
    - Views/modifies file attributes
    PID:1580

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\README_TO_DECRYPT.html
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1048 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\006C3A05.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\AppData\Local\Temp\006C3A05.bat

Filesize
65B

MD5
348cae913e496198548854f5ff2f6d1e

SHA1
a07655b9020205bd47084afd62a8bb22b48c0cdc

SHA256
c80128f51871eec3ae2057989a025ce244277c1c180498a5aaef45d5214b8506

SHA512
799796736d41d3fcb5a7c859571bb025ca2d062c4b86e078302be68c1a932ed4f78e003640df5405274364b5a9a9c0ba5e37177997683ee7ab54e5267590b611

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
2KB

MD5
a37087dcd0651616d34cfd2e7bd65ca8

SHA1
204e9aae38cf9392b7774e93b3e90df43cdb6907

SHA256
793090dab3d46af39fe6282716d6fe554edc81a5d70692e0ce3c9f7a89d09ab5

SHA512
0d434fb8109f3ef1183660fbad1fcd4d069581a90f56966171fac73e6fb14c7dfe102f586c614c330eb850458dd3d8966c01ed7ccf0db158a768a20fcabb0e2b

Download Submit
C:\Users\Admin\Desktop\README_TO_DECRYPT.html

Filesize
2KB

MD5
a37087dcd0651616d34cfd2e7bd65ca8

SHA1
204e9aae38cf9392b7774e93b3e90df43cdb6907

SHA256
793090dab3d46af39fe6282716d6fe554edc81a5d70692e0ce3c9f7a89d09ab5

SHA512
0d434fb8109f3ef1183660fbad1fcd4d069581a90f56966171fac73e6fb14c7dfe102f586c614c330eb850458dd3d8966c01ed7ccf0db158a768a20fcabb0e2b

Download Submit
memory/1048-312-0x0000000002E30000-0x0000000002E40000-memory.dmp

Filesize
64KB

Download
memory/1160-313-0x0000000002410000-0x0000000002412000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads