ctblocker | 1fe2341438aea4b0427f3f2808918b6ef00bf742bc903e94022c7f73df914ed4

General

Target

d9fc3b845454f7588b0f48b017fb9a50_JaffaCakes118.exe
Size

1.0MB
MD5

d9fc3b845454f7588b0f48b017fb9a50
SHA1

17de143a193969b85902fa54c1554410dcf72b06
SHA256

1fe2341438aea4b0427f3f2808918b6ef00bf742bc903e94022c7f73df914ed4
SHA512

bb11d7ad5d6f426b23c459d130c8962c66a70fa5d6df35ffbf2bc51ae619dc94bb9bccd990d0856a6a5ca40f0a3d5519b7f0dd075fc9e1a65f846a4a72a7449c
SSDEEP

24576:m2g8AFUAEUM91zfwVPIl6Mw3C1tvIgOB9Af8P2rU:+FUB9wRMUYL8P2rU

Score

10^/10

ctblocker defense_evasion discovery execution impact ransomware

Malware Config

Extracted

Path

C:\ProgramData\cziklag.html

Ransom Note

Your documents, photos, databases and other important files have been encrypted with strongest encryption and unique key, generated for this computer. Private decryption key is stored on a secret Internet server and nobody can decrypt your files until you pay and obtain the private key. If you see the main locker window, follow the instructions on the locker. Overwise, it's seems that you or your antivirus deleted the locker program. Now you have the last chance to decrypt your files. Open http://uwm2wosrob3gplxy.onion.cab or http://uwm2wosrob3gplxy.tor2web.org in your browser. They are public gates to the secret server. If you have problems with gates, use direct connection: 1. Download Tor Browser from http://torproject.org. 2. In the Tor Browser open the http://uwm2wosrob3gplxy.onion Note that this server is available via Tor Browser only. Retry in 1 hour if site is not reachable. Copy and paste the following public key in the input form on server. Avoid missprints. Follow the instructions on the server. The list of your encrypted files: Path File

URLs

http://uwm2wosrob3gplxy.onion.cab

http://uwm2wosrob3gplxy.tor2web.org

http://uwm2wosrob3gplxy.onion

Signatures

CTB-Locker
Ransomware family which uses Tor to hide its C2 communications.
ransomware ctblocker
Ctblocker family
ctblocker
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation	jgdsooe.exe

Executes dropped EXE 2 IoCs

pid	Process
1968	jgdsooe.exe
2296	jgdsooe.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-18\desktop.ini	svchost.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	jgdsooe.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Documents\\!Decrypt-All-Files-ufuoufc.bmp"	Explorer.EXE

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ufuoufc.bmp	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\!Decrypt-All-Files-ufuoufc.txt	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgdsooe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d9fc3b845454f7588b0f48b017fb9a50_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jgdsooe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vssadmin.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
904	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	jgdsooe.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	jgdsooe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	jgdsooe.exe

Modifies data under HKEY_USERS 23 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\TileWallpaper = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WallpaperStyle = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{367eaf84-3d79-11ef-ac21-806e6f6e6963}\NukeOnDelete = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9ce737e-3d41-11ef-b7c4-da9ecb958399}\NukeOnDelete = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Full = "%SystemRoot%\\System32\\imageres.dll,-54"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\Empty = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{367eaf84-3d79-11ef-ac21-806e6f6e6963}\MaxCapacity = "14116"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9ce737e-3d41-11ef-b7c4-da9ecb958399}\MaxCapacity = "2047"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\LastEnum = 30002c007b00330036003700650061006600380034002d0033006400370039002d0031003100650066002d0061006300320031002d003800300036006500360066003600650036003900360033007d00000030002c007b00660039006300650037003300370065002d0033006400340031002d0031003100650066002d0062003700630034002d006400610039006500630062003900350038003300390039007d0000000000	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon\ = "%SystemRoot%\\System32\\imageres.dll,-55"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{367eaf84-3d79-11ef-ac21-806e6f6e6963}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{f9ce737e-3d41-11ef-b7c4-da9ecb958399}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CLSID	svchost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1728	d9fc3b845454f7588b0f48b017fb9a50_JaffaCakes118.exe
1968	jgdsooe.exe
1968	jgdsooe.exe
1968	jgdsooe.exe
1968	jgdsooe.exe
2296	jgdsooe.exe
2296	jgdsooe.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1968	jgdsooe.exe
Token: SeDebugPrivilege	1968	jgdsooe.exe
Token: SeShutdownPrivilege	1204	Explorer.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2296	jgdsooe.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2296	jgdsooe.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2296	jgdsooe.exe
2296	jgdsooe.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1204	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1968	2040	taskeng.exe	31
PID 2040 wrote to memory of 1968	2040	taskeng.exe	31
PID 2040 wrote to memory of 1968	2040	taskeng.exe	31
PID 2040 wrote to memory of 1968	2040	taskeng.exe	31
PID 1968 wrote to memory of 596	1968	jgdsooe.exe	9
PID 596 wrote to memory of 688	596	svchost.exe	33
PID 596 wrote to memory of 688	596	svchost.exe	33
PID 596 wrote to memory of 688	596	svchost.exe	33
PID 1968 wrote to memory of 1204	1968	jgdsooe.exe	21
PID 1968 wrote to memory of 904	1968	jgdsooe.exe	34
PID 1968 wrote to memory of 904	1968	jgdsooe.exe	34
PID 1968 wrote to memory of 904	1968	jgdsooe.exe	34
PID 1968 wrote to memory of 904	1968	jgdsooe.exe	34
PID 1968 wrote to memory of 2296	1968	jgdsooe.exe	36
PID 1968 wrote to memory of 2296	1968	jgdsooe.exe	36
PID 1968 wrote to memory of 2296	1968	jgdsooe.exe	36
PID 1968 wrote to memory of 2296	1968	jgdsooe.exe	36

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:596
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  2⤵
  PID:688

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Sets desktop wallpaper using registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1204
- C:\Users\Admin\AppData\Local\Temp\d9fc3b845454f7588b0f48b017fb9a50_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d9fc3b845454f7588b0f48b017fb9a50_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {C7765577-AFE3-4C50-8E50-96B7130D2D15} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
  C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin delete shadows all
    3⤵
    - System Location Discovery: System Language Discovery
    - Interacts with shadow copies
    PID:904
- - C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe
    "C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe" -u
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

1

T1047

Persistence

Privilege Escalation

Defense Evasion

Direct Volume Access

1

T1006

Indicator Removal

2

T1070

File Deletion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

1

T1491

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\stwsoge

Filesize
654B

MD5
74c60b2ebec85dc6429e79528481fcd7

SHA1
a81103d0e1165cdedfec028928e10af86d5d3c86

SHA256
2f2738a81239a0c80e58692df9056fa2637339b8fe7d07510afcb62d6a5dd462

SHA512
86ffc26e3ceb4657419100c1f7e8fdadc30dec103d2c7393effdae30059db42d8d5e6888d5e57dcac857a98e67db0101d2d37adbb276b41dc4849dde076aa5f5

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\stwsoge

Filesize
654B

MD5
f904227424c21286835061ab4e8c823b

SHA1
af0403bde70f0bba6dbffc7108d639b946274720

SHA256
756e9d3b89300ad3f7b27619d9be253cfb9db52bba1c6fac92e79917bb5052e1

SHA512
75ae352a425a0419d0ecac94a75e3abb377556a9bb30f395474bc5cbb14b02a69f8125263b21eff78120fd352da8050196be154475c54d14c7fc066db6efed6d

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\stwsoge

Filesize
654B

MD5
ab4d0bc25c1cbd2892e7cc0ae418c1a6

SHA1
fdb267433a10e450c6e622ad14ac60ef068c8388

SHA256
55625d735c413024f884caa381fa3c523f6cece303bd9c0d6cf1469b1e65252b

SHA512
3a339e577942d885469f502ac68a650fab8df9aef060d27eff64c392e82487d4dc9e5dd602591d0d7319d6c34a2237b4757ae78678dda6d233cac2634f89f064

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\stwsoge

Filesize
654B

MD5
b17f3686d42e46caf4b3a228d9c9c0b7

SHA1
d1b2754fc3d668b75abb1135716c0e9efd5c0f01

SHA256
a6290151886e251d8190c3ae0be986df53527d66f5641bb7738712db48451f30

SHA512
3915f79525348027380a11e61340ef5b585faac9e9ff0f180a593c68ef762dcf2ab12a66910f6f7ec3cd63d27e7443ca26b4cb8256dfe2aaa60a839ab2bf716d

Download Submit
C:\ProgramData\cziklag.html

Filesize
63KB

MD5
235f79f61ce35295deaeac3023fa1a75

SHA1
4f0d5cd67585db4ca88371514d89339b303a9507

SHA256
70bcacd4c87a5e08d7be04caa967e33021e1c8b41679588d3cec21ebdccb9808

SHA512
6923be49a3ad54441748baaf3f37156eb10514a9d5808c547be3b314e6764ac0f1c679a1789aacf334773011a02b76eba011dd786e132a9f68584c5166bd75c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgdsooe.exe

Filesize
1.0MB

MD5
d9fc3b845454f7588b0f48b017fb9a50

SHA1
17de143a193969b85902fa54c1554410dcf72b06

SHA256
1fe2341438aea4b0427f3f2808918b6ef00bf742bc903e94022c7f73df914ed4

SHA512
bb11d7ad5d6f426b23c459d130c8962c66a70fa5d6df35ffbf2bc51ae619dc94bb9bccd990d0856a6a5ca40f0a3d5519b7f0dd075fc9e1a65f846a4a72a7449c

Download Submit
F:\$RECYCLE.BIN\S-1-5-18\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/596-36-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/596-33-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/596-29-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/596-31-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/596-1253-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/596-26-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/596-25-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/596-23-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/596-22-0x00000000004F0000-0x0000000000567000-memory.dmp

Filesize
476KB

Download
memory/1728-10-0x00000000039D0000-0x0000000003BEA000-memory.dmp

Filesize
2.1MB

Download
memory/1728-2-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1728-1-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1728-11-0x0000000003BF0000-0x0000000003E3B000-memory.dmp

Filesize
2.3MB

Download
memory/1728-0-0x00000000029E0000-0x0000000002A35000-memory.dmp

Filesize
340KB

Download
memory/1728-8-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/1728-7-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1728-6-0x00000000029E0000-0x0000000002A35000-memory.dmp

Filesize
340KB

Download
memory/1728-5-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1728-4-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1728-3-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/1968-1265-0x0000000002790000-0x00000000029DB000-memory.dmp

Filesize
2.3MB

Download
memory/1968-19-0x0000000002790000-0x00000000029DB000-memory.dmp

Filesize
2.3MB

Download
memory/1968-1275-0x0000000002790000-0x00000000029DB000-memory.dmp

Filesize
2.3MB

Download
memory/1968-16-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2296-1280-0x0000000000400000-0x000000000050B000-memory.dmp

Filesize
1.0MB

Download
memory/2296-1283-0x0000000003C30000-0x0000000003E7B000-memory.dmp

Filesize
2.3MB

Download
memory/2296-1284-0x0000000003C30000-0x0000000003E7B000-memory.dmp

Filesize
2.3MB

Download
memory/2296-1308-0x0000000003C30000-0x0000000003E7B000-memory.dmp

Filesize
2.3MB

Download
memory/2296-1307-0x0000000003C30000-0x0000000003E7B000-memory.dmp

Filesize
2.3MB

Download
memory/2296-1311-0x0000000003C30000-0x0000000003E7B000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads