ctblocker | f681f08b89b710b8d32d08a6569629a6403459aa5256cc68e0e3d2b86934a221

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Factuur 00078454556-00398583.pdf.exe
Size

760KB
MD5

73b5b2675d4391fe6c59cc596bcd2a04
SHA1

4a598519786f3646d459ede621337e08d67c1b3f
SHA256

34400196b5de7adde8de4f2d8a5aadd350d1ce06910b9d44c1a17969c42b1b69
SHA512

9b0f5bf43ae7b001a40f9d2742c2558e6961e3058bd67ec92108cbe75dc088ec3cbc8afeb3bd88bb0d9042db36b66cc1cff1054235fdb3ae4d1b659f0e86114f
SSDEEP

12288:BDcMXv3/NEK7s37/shbOnMxrUzbtvC0nNr/Bqoo0Pamhyx/iugcGfAAChCJeTlV3:VpX/uqs37/s4MKrRZqLWaE6iUSDX2b

Score

10^/10

ctblocker defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\ProgramData\axwcwrc.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://tmc2ybfqzgkaeilm.onion.cab or http://tmc2ybfqzgkaeilm.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://tmc2ybfqzgkaeilm.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://tmc2ybfqzgkaeilm.onion.cab

http://tmc2ybfqzgkaeilm.tor2web.org

http://tmc2ybfqzgkaeilm.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\Geo\Nation	tockauf.exe

Executes dropped EXE 4 IoCs

pid	Process
3016	tockauf.exe
2904	tockauf.exe
2340	tockauf.exe
2268	tockauf.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	tockauf.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-atpjffg.bmp"	Explorer.EXE

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 2872 set thread context of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 set thread context of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 3016 set thread context of 2904	3016	tockauf.exe	34
PID 3016 set thread context of 2904	3016	tockauf.exe	34
PID 2340 set thread context of 2268	2340	tockauf.exe	39
PID 2340 set thread context of 2268	2340	tockauf.exe	39

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-atpjffg.txt	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-atpjffg.bmp	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Factuur 00078454556-00398583.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tockauf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tockauf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tockauf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tockauf.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
996	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	tockauf.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	tockauf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	tockauf.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a1f5501-69b6-11ef-8fd1-ea7747d117e6}\MaxCapacity = "2047"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00630039006400390030003700380034002d0036003900650064002d0031003100650066002d0038003300380039002d003800300036006500360066003600650036003900360033007d00000030002c007b00310061003100660035003500300031002d0036003900620036002d0031003100650066002d0038006600640031002d006500610037003700340037006400310031003700650036007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d90784-69ed-11ef-8389-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d90784-69ed-11ef-8389-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d90784-69ed-11ef-8389-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a1f5501-69b6-11ef-8fd1-ea7747d117e6}	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{1a1f5501-69b6-11ef-8fd1-ea7747d117e6}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1484	Factuur 00078454556-00398583.pdf.exe
2904	tockauf.exe
2904	tockauf.exe
2904	tockauf.exe
2904	tockauf.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	tockauf.exe
Token: SeDebugPrivilege	2904	tockauf.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: 33	2420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2420	AUDIODG.EXE
Token: 33	2420	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2420	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2268	tockauf.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2268	tockauf.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2872	Factuur 00078454556-00398583.pdf.exe
3016	tockauf.exe
2340	tockauf.exe
2268	tockauf.exe
2268	tockauf.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 47 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2872 wrote to memory of 1484	2872	Factuur 00078454556-00398583.pdf.exe	31
PID 2504 wrote to memory of 3016	2504	taskeng.exe	33
PID 2504 wrote to memory of 3016	2504	taskeng.exe	33
PID 2504 wrote to memory of 3016	2504	taskeng.exe	33
PID 2504 wrote to memory of 3016	2504	taskeng.exe	33
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 3016 wrote to memory of 2904	3016	tockauf.exe	34
PID 2904 wrote to memory of 604	2904	tockauf.exe	9
PID 604 wrote to memory of 956	604	svchost.exe	35
PID 604 wrote to memory of 956	604	svchost.exe	35
PID 604 wrote to memory of 956	604	svchost.exe	35
PID 2904 wrote to memory of 1212	2904	tockauf.exe	21
PID 2904 wrote to memory of 996	2904	tockauf.exe	36
PID 2904 wrote to memory of 996	2904	tockauf.exe	36
PID 2904 wrote to memory of 996	2904	tockauf.exe	36
PID 2904 wrote to memory of 996	2904	tockauf.exe	36
PID 2904 wrote to memory of 2340	2904	tockauf.exe	38
PID 2904 wrote to memory of 2340	2904	tockauf.exe	38
PID 2904 wrote to memory of 2340	2904	tockauf.exe	38
PID 2904 wrote to memory of 2340	2904	tockauf.exe	38
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 2340 wrote to memory of 2268	2340	tockauf.exe	39
PID 604 wrote to memory of 1860	604	svchost.exe	41
PID 604 wrote to memory of 1860	604	svchost.exe	41
PID 604 wrote to memory of 1860	604	svchost.exe	41

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:956
- C:\Windows\system32\wbem\wmiprvse.exe
  C:\Windows\system32\wbem\wmiprvse.exe -Embedding
  2⤵
  PID:1860

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1212
- C:\Users\Admin\AppData\Local\Temp\Factuur 00078454556-00398583.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Factuur 00078454556-00398583.pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\Factuur 00078454556-00398583.pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Factuur 00078454556-00398583.pdf.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1484

C:\Windows\system32\taskeng.exe
taskeng.exe {3B64C6F0-C46D-45A0-A772-567CD3F70E60} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Users\Admin\AppData\Local\Temp\tockauf.exe
  C:\Users\Admin\AppData\Local\Temp\tockauf.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Users\Admin\AppData\Local\Temp\tockauf.exe
    C:\Users\Admin\AppData\Local\Temp\tockauf.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin delete shadows all
      4⤵
      System Location Discovery: System Language Discovery
      Interacts with shadow copies
      PID:996
  - - C:\Users\Admin\AppData\Local\Temp\tockauf.exe
      "C:\Users\Admin\AppData\Local\Temp\tockauf.exe" -u
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Users\Admin\AppData\Local\Temp\tockauf.exe
        
        "C:\Users\Admin\AppData\Local\Temp\tockauf.exe" -u
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of SetWindowsHookEx
        
        PID:2268

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\wnlwkom

Filesize
654B

MD5
ed3c04871f9f4a179fea2cd1669550e3

SHA1
ea637fc9d6d4d6f30e24a1770ed1da8db2fd88c2

SHA256
3beb90956d0496002a0e94ba84b97d115ae02bc94652a2bdb8c4bf959fbf419a

SHA512
7574220399323776cc83794c2fdf50b091635e5bef7a2c848c2723965b3676af9932cff3752d50418f382934f4b56fdfaa94d9c210385fa929c9b997529397bb

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\wnlwkom

Filesize
654B

MD5
396daa3e628b4ce0f70904dd52ed73e0

SHA1
163266c0c5adb06869cd96de5f0aaffda41e45de

SHA256
50c938d6c8619cbead32362308544cf18cfc4171d29a3f0cacdcb4d814fa5deb

SHA512
42b58a4c9c664436780c1e40e964842647f4322745f2816e1a0fe7bf8b6a544fd8f7cc6c7757ab8c7be2c90af3be9fa78c920a9ce5de1bfcee15121b7ae0092d

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\wnlwkom

Filesize
654B

MD5
2e811aa9be26d46bb67bc1f222edd6d9

SHA1
45c506765a34ec9017b4aaf5c362c8d4ae5cc87e

SHA256
6f1cc4f56a0dbeda75c4e59cf09954e017bca909405bf210e041cb3a5b78257a

SHA512
e540ccffce611e6fec497288a87c452b8c4b7954ecd393fdf9aa5b4081fef909907bd8075c856020d1d45c8924a2d908676d91dbb1ae5c7e2f0dc0943af71797

Download Submit
C:\ProgramData\axwcwrc.html

Filesize
64KB

MD5
81d32155236f3b22e9df30dce39f030c

SHA1
98f4ab3906a0d5509de483aafeb82ae1ead25439

SHA256
319e476309456b1d4b80f3844079a18f51dbf273704516e97b36a44367c517f9

SHA512
3838e32e0bb2f210a1c66193e9e9fd597a67d87d3a3445209f21a6308652811ee8f526944f2873b1fd80faeb56691d1bda0779a568f009bfce68788c47a2ada6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tockauf.exe

Filesize
760KB

MD5
73b5b2675d4391fe6c59cc596bcd2a04

SHA1
4a598519786f3646d459ede621337e08d67c1b3f

SHA256
34400196b5de7adde8de4f2d8a5aadd350d1ce06910b9d44c1a17969c42b1b69

SHA512
9b0f5bf43ae7b001a40f9d2742c2558e6961e3058bd67ec92108cbe75dc088ec3cbc8afeb3bd88bb0d9042db36b66cc1cff1054235fdb3ae4d1b659f0e86114f

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/604-1269-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/604-21-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/604-23-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/604-27-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/604-20-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/604-24-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/604-31-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/604-29-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/604-35-0x00000000002B0000-0x0000000000327000-memory.dmp

Filesize
476KB

Download
memory/1484-3-0x0000000000401000-0x00000000004A5000-memory.dmp

Filesize
656KB

Download
memory/1484-4-0x0000000000A60000-0x0000000000CAB000-memory.dmp

Filesize
2.3MB

Download
memory/1484-2-0x0000000000840000-0x0000000000A5A000-memory.dmp

Filesize
2.1MB

Download
memory/2268-1298-0x0000000000B60000-0x0000000000DAB000-memory.dmp

Filesize
2.3MB

Download
memory/2268-1299-0x0000000000B60000-0x0000000000DAB000-memory.dmp

Filesize
2.3MB

Download
memory/2904-17-0x0000000000AE0000-0x0000000000D2B000-memory.dmp

Filesize
2.3MB

Download
memory/2904-1281-0x0000000000AE0000-0x0000000000D2B000-memory.dmp

Filesize
2.3MB

Download