colossus | b70b9039ec4b33987a991c5c20729eb3310d7406b8d15161037df3b21fd968bb

General

Target

APP.exe

Score

10^/10

colossus evasion ransomware themida trojan

Malware Config

Extracted

Path

C:\HOW_TO_RECOVER_FILES.Colossus.txt

Family

colossus

Ransom Note

[+] What's Happened? [+] Your files have been encrypted and currently unavailable. You can check it. All files in your system have "Colossus" extension. By the way, everything is possible to recover (restore) but you should follow our instructions. Otherwise you can NEVER return your data. [+] What are our guarantees? [+] It's just a business and we care only about getting benefits. If we don't meet our obligations, nobody will deal with us. It doesn't hold our interest. So you can check the ability to restore your files. For this purpose you should come to talk to us we can decrypt one of your files for free. That is our guarantee. It doesn't metter for us whether you cooperate with us or not. But if you don't, you'll lose your time and data cause only we have the private key to decrypt your files. time is much more valuable than money. [+] Data Leak [+] We uploaded your data and if you dont contact with us then we will publish your data. Example of data: - Accounting data - Executive data - Sales data - Customer support data - Marketing data - And more other ... [+] How to Contact? [+] You have two options : 1. Chat with me : -Visit our website: http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/ -When you visit our website, put the following KEY into the input form. -Then start talk to me. 2. Email me at : colossussupport@protonmail.com KEY: MjdhZDUzM2Y3MTVhZmUxZjI2NTk2ZGM4YjVhN2EwMDEzODk2M2ZhNWEzMGU2Mjc5MTU4ODFjYjhiNWE3YTAwMTM4OTYzZmE1YTMwZTYyNzkxNTg4MWNiZmRkNDkwNDhiNzA0MjVhNGU0YTc0N2FhYzY0MWU5MTFjODY3M2RhZGQ= !!! DANGER !!! DON'T try to change files by yourself, DON'T use any third party software or antivirus solutions to restore your data - it may entail the private key damage and as a result all your data loss! !!! !!! !!! ONE MORE TIME: It's in your best interests to get your files back. From our side we ready to make everything for restoring but please do not interfere. !!! !!! !!

Emails

colossussupport@protonmail.com

URLs

http://colossus.support/LPc6EwBqmyC8Tv9Glawleycars/

Signatures

Colossus
Ransomware discovered by ZeroFox.
ransomware colossus
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 14 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

APP.exeAPP.exeAPP.exeAPP.exeAPP.exeAPP.exeAPP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	APP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	APP.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral1/memory/2544-114-0x0000000000210000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/2324-183-0x0000000000210000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/3680-226-0x0000000000210000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/2204-229-0x0000000000210000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/3788-232-0x0000000000210000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/1844-235-0x0000000000210000-0x0000000000EEB000-memory.dmp	themida
behavioral1/memory/2260-238-0x0000000000210000-0x0000000000EEB000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 7 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

APP.exeAPP.exeAPP.exeAPP.exeAPP.exeAPP.exeAPP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	APP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	APP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	APP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	APP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	APP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	APP.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	APP.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

APP.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\desktop.ini	APP.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini	APP.exe
File opened for modification	C:\Users\Public\desktop.ini	APP.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	APP.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	APP.exe
File opened for modification	C:\Program Files\desktop.ini	APP.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 64 IoCs

Processes:

APP.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEShims.dll	APP.exe
File opened for modification	C:\Program Files\InvokeGet.pub	APP.exe
File opened for modification	C:\Program Files\Windows Defender\MpCmdRun.exe	APP.exe
File opened for modification	C:\Program Files\Windows Defender\AmStatusInstall.mof	APP.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseCncProxy.exe	APP.exe
File opened for modification	C:\Program Files\Windows Mail\oeimport.dll	APP.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\sqmapi.dll	APP.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	APP.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.ini	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	APP.exe
File opened for modification	C:\Program Files\Windows Defender\MpUXSrv.exe	APP.exe
File opened for modification	C:\Program Files\ResizeMerge.mid	APP.exe
File opened for modification	C:\Program Files\ResetMeasure.ogg	APP.exe
File opened for modification	C:\Program Files\ShowExit.mid	APP.exe
File opened for modification	C:\Program Files\MoveConvert.mpeg	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-conio-l1-1-0.dll	APP.exe
File opened for modification	C:\Program Files\Windows Media Player\mpvis.DLL	APP.exe
File opened for modification	C:\Program Files\Windows Mail\wabimp.dll	APP.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPMediaSharing.dll	APP.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\PhotoViewer.dll	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\MSOERES.dll	APP.exe
File opened for modification	C:\Program Files\BackupFormat.odt	APP.exe
File created	C:\Program Files\Uninstall Information\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\mozglue.dll	APP.exe
File opened for modification	C:\Program Files\Windows Defender\ClientWMIInstall.mof	APP.exe
File created	C:\Program Files (x86)\Reference Assemblies\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	APP.exe
File opened for modification	C:\Program Files\PingUnblock.mpeg3	APP.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	APP.exe
File opened for modification	C:\Program Files\Windows Defender\FepUnregister.mof	APP.exe
File created	C:\Program Files\WindowsPowerShell\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	APP.exe
File opened for modification	C:\Program Files\Windows Defender\MpOAV.dll	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpClient.dll	APP.exe
File opened for modification	C:\Program Files\OptimizePop.3g2	APP.exe
File opened for modification	C:\Program Files\Windows Defender\AMMonitoringProvider.dll	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\oeimport.dll	APP.exe
File opened for modification	C:\Program Files\StartUnpublish.tmp	APP.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	APP.exe
File created	C:\Program Files\Internet Explorer\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	APP.exe
File created	C:\Program Files\Windows NT\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\SenseSampleUploader.exe	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml	APP.exe
File opened for modification	C:\Program Files\Windows Defender\NisWfp.dll	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\WinMail.exe	APP.exe
File created	C:\Program Files (x86)\Windows NT\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\PhotoAcq.dll	APP.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnssci.dll	APP.exe
File created	C:\Program Files (x86)\Windows Mail\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	APP.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	APP.exe
File opened for modification	C:\Program Files\Windows Defender\shellext.dll	APP.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	APP.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	APP.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\updater.ini	APP.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\MpOAV.dll	APP.exe

Drops file in Windows directory 64 IoCs

Processes:

APP.exe

description	ioc	process
File created	C:\Windows\Cursors\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Windows\Fonts\palai.ttf	APP.exe
File opened for modification	C:\Windows\Fonts\corbelz.ttf	APP.exe
File opened for modification	C:\Windows\INF\tdibth.inf	APP.exe
File opened for modification	C:\Windows\INF\netrtl64.inf	APP.exe
File opened for modification	C:\Windows\INF\swenum.inf	APP.exe
File opened for modification	C:\Windows\INF\wsdprint.inf	APP.exe
File opened for modification	C:\Windows\Fonts\ega40866.fon	APP.exe
File opened for modification	C:\Windows\Fonts\vgafix.fon	APP.exe
File opened for modification	C:\Windows\INF\mdmgl008.inf	APP.exe
File opened for modification	C:\Windows\INF\mdmmhrtz.inf	APP.exe
File opened for modification	C:\Windows\INF\mgtdyn.inf	APP.exe
File opened for modification	C:\Windows\INF\prnms005.inf	APP.exe
File opened for modification	C:\Windows\INF\wfpcapture.inf	APP.exe
File opened for modification	C:\Windows\Cursors\busy_m.cur	APP.exe
File opened for modification	C:\Windows\Fonts\holomdl2.ttf	APP.exe
File opened for modification	C:\Windows\INF\WpdFs.inf	APP.exe
File opened for modification	C:\Windows\INF\bthhfenum.PNF	APP.exe
File opened for modification	C:\Windows\INF\oposdrv.inf	APP.exe
File opened for modification	C:\Windows\Fonts\vgas1255.fon	APP.exe
File opened for modification	C:\Windows\INF\mchgr.inf	APP.exe
File opened for modification	C:\Windows\INF\mdmcpq.inf	APP.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\bg-BG_BitLockerToGo.exe.mui	APP.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\en-US_BitLockerToGo.exe.mui	APP.exe
File created	C:\Windows\Branding\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Windows\Cursors\aero_busy_xl.ani	APP.exe
File opened for modification	C:\Windows\Fonts\smaf1255.fon	APP.exe
File opened for modification	C:\Windows\INF\tsusbhubfilter.inf	APP.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\uk-UA_BitLockerToGo.exe.mui	APP.exe
File opened for modification	C:\Windows\Cursors\aero_nesw_l.cur	APP.exe
File opened for modification	C:\Windows\Fonts\ega80866.fon	APP.exe
File opened for modification	C:\Windows\INF\netwsw00.inf	APP.exe
File opened for modification	C:\Windows\Fonts\85f1257.fon	APP.exe
File opened for modification	C:\Windows\INF\mdmcpv.inf	APP.exe
File opened for modification	C:\Windows\INF\iagpio.inf	APP.exe
File opened for modification	C:\Windows\INF\ksfilter.PNF	APP.exe
File opened for modification	C:\Windows\INF\mdmmega.inf	APP.exe
File opened for modification	C:\Windows\HOW_TO_RECOVER_FILES.Colossus.txt	APP.exe
File opened for modification	C:\Windows\Fonts\StaticCache.dat	APP.exe
File opened for modification	C:\Windows\Fonts\seriff.fon	APP.exe
File opened for modification	C:\Windows\Fonts\ssef1255.fon	APP.exe
File opened for modification	C:\Windows\INF\c_printer.inf	APP.exe
File opened for modification	C:\Windows\INF\ndiscap.inf	APP.exe
File opened for modification	C:\Windows\Fonts\cga80852.fon	APP.exe
File opened for modification	C:\Windows\Fonts\georgiai.ttf	APP.exe
File opened for modification	C:\Windows\Fonts\himalaya.ttf	APP.exe
File opened for modification	C:\Windows\Fonts\vgafixr.fon	APP.exe
File opened for modification	C:\Windows\INF\c_extension.inf	APP.exe
File opened for modification	C:\Windows\Cursors\lmove.cur	APP.exe
File opened for modification	C:\Windows\Fonts\arial.ttf	APP.exe
File opened for modification	C:\Windows\INF\c_holographic.inf	APP.exe
File opened for modification	C:\Windows\INF\flpydisk.PNF	APP.exe
File opened for modification	C:\Windows\INF\netl1c63x64.inf	APP.exe
File opened for modification	C:\Windows\INF\usbhub3.inf	APP.exe
File opened for modification	C:\Windows\HelpPane.exe	APP.exe
File opened for modification	C:\Windows\Cursors\size2_rm.cur	APP.exe
File opened for modification	C:\Windows\Fonts\serifee.fon	APP.exe
File opened for modification	C:\Windows\INF\kscaptur.inf	APP.exe
File opened for modification	C:\Windows\INF\oem1.inf	APP.exe
File opened for modification	C:\Windows\INF\ufxsynopsys.PNF	APP.exe
File opened for modification	C:\Windows\INF\urschipidea.inf	APP.exe
File opened for modification	C:\Windows\lsasetup.log	APP.exe
File opened for modification	C:\Windows\Cursors\arrow_rl.cur	APP.exe
File opened for modification	C:\Windows\Fonts\vgasysr.fon	APP.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

772 powershell.exe
772 powershell.exe
772 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 772 powershell.exe

pid	process
772	powershell.exe
772	powershell.exe
772	powershell.exe

description	pid	process
Token: SeDebugPrivilege	772	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

powershell.exe

description	pid	process	target process
PID 772 wrote to memory of 2324	772	powershell.exe	APP.exe
PID 772 wrote to memory of 2324	772	powershell.exe	APP.exe
PID 772 wrote to memory of 3680	772	powershell.exe	APP.exe
PID 772 wrote to memory of 3680	772	powershell.exe	APP.exe
PID 772 wrote to memory of 2204	772	powershell.exe	APP.exe
PID 772 wrote to memory of 2204	772	powershell.exe	APP.exe
PID 772 wrote to memory of 3788	772	powershell.exe	APP.exe
PID 772 wrote to memory of 3788	772	powershell.exe	APP.exe
PID 772 wrote to memory of 1844	772	powershell.exe	APP.exe
PID 772 wrote to memory of 1844	772	powershell.exe	APP.exe
PID 772 wrote to memory of 2260	772	powershell.exe	APP.exe
PID 772 wrote to memory of 2260	772	powershell.exe	APP.exe

C:\Users\Admin\AppData\Local\Temp\APP.exe
"C:\Users\Admin\AppData\Local\Temp\APP.exe"
1⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\AppData\Local\Temp'
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Users\Admin\AppData\Local\Temp\APP.exe
"C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2324

C:\Users\Admin\AppData\Local\Temp\APP.exe
"C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 c:\
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:3680

C:\Users\Admin\AppData\Local\Temp\APP.exe
"C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 c:\
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:2204

C:\Users\Admin\AppData\Local\Temp\APP.exe
"C:\Users\Admin\AppData\Local\Temp\APP.exe" -ArgumentList 6e42f05c8e4d24c3fa0ce2f2a8d203c8 *
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:3788

C:\Users\Admin\AppData\Local\Temp\APP.exe
"C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 *
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
PID:1844

C:\Users\Admin\AppData\Local\Temp\APP.exe
"C:\Users\Admin\AppData\Local\Temp\APP.exe" 6e42f05c8e4d24c3fa0ce2f2a8d203c8 C:\
2⤵
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
PID:2260

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

Virtualization/Sandbox Evasion

1

T1497

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-1594587808-2047097707-2163810515-1000\desktop.ini
MD5
490bc15f3d6a9308d4ff2a4072d408c6

SHA1
94c5c008a560e50af42c424ad135ff35f0cebb52

SHA256
436d5bcd24eab5f89d39b4b503143506e276ec4d10427bc9d833b662c6e28200

SHA512
ac163fc764fdebdd1a5018c7a44aafb935739a41aafbfce77a2246214756c7dc9c23a45d62c25f5cfddf411efb1e304d2c33caae683c422fad72ddf0dc2b3634

Download Submit
memory/772-120-0x000001ABD85E0000-0x000001ABD85E1000-memory.dmp

Filesize
4KB

Download
memory/772-136-0x000001ABBFEA0000-0x000001ABBFEA2000-memory.dmp

Filesize
8KB

Download
memory/772-138-0x000001ABBFEA3000-0x000001ABBFEA5000-memory.dmp

Filesize
8KB

Download
memory/772-139-0x000001ABD8A80000-0x000001ABD8A81000-memory.dmp

Filesize
4KB

Download
memory/772-150-0x000001ABD8B40000-0x000001ABD8B41000-memory.dmp

Filesize
4KB

Download
memory/772-161-0x000001ABD8AC0000-0x000001ABD8AC1000-memory.dmp

Filesize
4KB

Download
memory/772-170-0x000001ABBFEA6000-0x000001ABBFEA8000-memory.dmp

Filesize
8KB

Download
memory/772-171-0x000001ABBFEA8000-0x000001ABBFEA9000-memory.dmp

Filesize
4KB

Download
memory/1844-234-0x0000000000000000-mapping.dmp

Download
memory/1844-235-0x0000000000210000-0x0000000000EEB000-memory.dmp

Filesize
12.9MB

Download
memory/2204-229-0x0000000000210000-0x0000000000EEB000-memory.dmp

Filesize
12.9MB

Download
memory/2204-228-0x0000000000000000-mapping.dmp

Download
memory/2260-237-0x0000000000000000-mapping.dmp

Download
memory/2260-238-0x0000000000210000-0x0000000000EEB000-memory.dmp

Filesize
12.9MB

Download
memory/2324-183-0x0000000000210000-0x0000000000EEB000-memory.dmp

Filesize
12.9MB

Download
memory/2324-182-0x0000000000000000-mapping.dmp

Download
memory/2544-114-0x0000000000210000-0x0000000000EEB000-memory.dmp

Filesize
12.9MB

Download
memory/2544-115-0x0000000000211000-0x00000000002F7000-memory.dmp

Filesize
920KB

Download
memory/3680-225-0x0000000000000000-mapping.dmp

Download
memory/3680-226-0x0000000000210000-0x0000000000EEB000-memory.dmp

Filesize
12.9MB

Download
memory/3788-231-0x0000000000000000-mapping.dmp

Download
memory/3788-232-0x0000000000210000-0x0000000000EEB000-memory.dmp

Filesize
12.9MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads