65dff425f5dbf60186664a0d16508e2fe65fd4c4361a15c774ba600478d8f225

General

Target

speedo.bin.exe
Size

50KB
MD5

e0870a190c5eaefdae56f9c8773e36cd
SHA1

a0d2ea755f3914354b76ed895e0024fe753808bc
SHA256

1b1172500c6e1e1607b0b0bce4ec74f8b65ffafcd492d8cd2886a7b7f20efaa4
SHA512

c68948866b06f2336b4be9ea6ec63daa3573d9a5a8185977e772bfd297a0b7cbf050fd5cc72cb782f53a4ba1bb7d46b683b7a3fcd69e047d0e30899e021efadd

Score

10^/10

ransomware spyware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\info.hta

Ransom Note

🔒 ALL YOUR DATA TURNED TO USELESS BINARY CODE 🔒 Your computer is infected with a virus. Send an email parasite@cock.li , specify in the subject your unique identifier 4LP7M and you will definitly be helped to recover. NOTE: You can send 2 files as proof that we can return all your data. If the provided email doesn't work, please contact us at para5ite@tutanota.com Algorithms used are AES and RSA. IMPORTANT: 1. The infection was due to vulnerabilities in your software. 2. If you want to make sure that it is impossible to recover files using third-party software, do this not on all files, otherwise you may lose all data. 3. Only communication through our email can guarantee file recover for you. We are not responsible for the actions of third parties who promise to help you - most often they are scammers. 4. Please, do not try to rename encrypted files. 5. Our goal is to return your data, but if you don't contact us, we will not succeed.

Emails

parasite@cock.li

para5ite@tutanota.com

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 2 IoCs

Processes:

gmndk54w.exe98561.exe

pid process

856 gmndk54w.exe
2852 98561.exe

pid	process
856	gmndk54w.exe
2852	98561.exe

Modifies extensions of user files 2 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

98561.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\CloseConvertFrom.png => C:\Users\Admin\Pictures\CloseConvertFrom.png.paras1te	98561.exe
File renamed	C:\Users\Admin\Pictures\TestConvertTo.png => C:\Users\Admin\Pictures\TestConvertTo.png.paras1te	98561.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Drops file in System32 directory 1 IoCs

Processes:

98561.exe

description ioc process

File created C:\Windows\SysWOW64\@AudioToastIcon.png 98561.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
ransomware

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\SysWOW64\@AudioToastIcon.png	98561.exe

Drops file in Program Files directory 64 IoCs

Processes:

98561.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.GrayF.png	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\illustrations.png	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png	98561.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\WinFXList.xml	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\dd_arrow_small2x.png	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\digsig_icons_2x.png	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\core_icons_highcontrast.png	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_pattern_RHP.png	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity@4x.png	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\rhp_world_icon_hover_2x.png	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml	98561.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	98561.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\rhp_world_icon_2x.png	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\bun.png	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml	98561.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\browse_window.html	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\hscroll-thumb.png	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\AddressBook.png	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml	98561.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml	98561.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\edit_pdf_poster2x.jpg	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HighBeamCardLogo.png	98561.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png	98561.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\large_trefoil.png	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\A12_Checkmark_White@1x.png	98561.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF@3x.png	98561.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\dark\core_icons.png	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png	98561.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\bg_patterns_header.png	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml	98561.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark@2x.png	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\main.css	98561.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.874.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\bg_patterns_header.png	98561.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Build.bat	98561.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\license.html	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png	98561.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml	98561.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.White.png	98561.exe

Drops file in Windows directory 64 IoCs

Processes:

98561.exe

description	ioc	process
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell ISE.lnk	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\4 - Control Panel.lnk	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk	98561.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AppRep.ChxApp_cw5n1h2txyewy\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.WindowsFeedbackHub_1.1612.10312.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk	98561.exe
File created	C:\Windows\WinSxS\migration.xml	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\default.aspx	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg	98561.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\SQL\EN\DropSqlPersistenceProviderLogic.sql	98561.exe
File created	C:\Windows\PLA\System\System Diagnostics.xml	98561.exe
File created	C:\Windows\Globalization\Time Zone\timezoneMapping.xml	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\home0.aspx	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\02a - Windows PowerShell.lnk	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx	98561.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\RedistList\FrameworkList.xml	98561.exe
File created	C:\Windows\SystemResources\Windows.UI.Shell\Images\DefaultSystemNotification.contrast-black_scale-100.png	98561.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.WindowsMaps_2017.209.105.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.Advertising.Xaml_10.0.1605.0_x86__8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.ZuneVideo_10.16112.11601.0_neutral_resources.scale-200_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk	98561.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.ModalSharePickerHost_cw5n1h2txyewy\AppxBlockMap.xml	98561.exe
File created	C:\Windows\Fonts\fms_metadata.xml	98561.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.ZuneMusic_2019.16112.11621.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsAlarms_10.1702.333.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\2 - Search.lnk	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\03 - Computer Management.lnk	98561.exe
File created	C:\Windows\Web\Wallpaper\Windows\img0.jpg	98561.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.WindowsCalculator_2017.131.1904.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\256x256.png	98561.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.WindowsSoundRecorder_10.1702.301.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	98561.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.Wallet_1.0.16328.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\addUser.aspx	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx	98561.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	98561.exe
File created	C:\Windows\Help\en-US\credits.rtf	98561.exe
File created	C:\Windows\InfusedApps\Applications\Microsoft.WindowsSoundRecorder_2017.130.1208.0_neutral_~_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Frameworks\Microsoft.NET.Native.Framework.1.3_1.3.24201.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File created	C:\Windows\InfusedApps\Packages\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\08 - PowerAndSleep.lnk	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\10 - AppsAndFeatures.lnk	98561.exe
File created	C:\Windows\SystemApps\EnvironmentsApp_cw5n1h2txyewy\appxblockmap.xml	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\UninstallSqlStateTemplate.sql	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\home1.aspx	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\security_watermark.jpg	98561.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Run.lnk	98561.exe
File created	C:\Windows\InfusedApps\Packages\Microsoft.BingWeather_4.18.56.0_neutral_split.scale-150_8wekyb3d8bbwe\AppxBlockMap.xml	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\help.jpg	98561.exe
File created	C:\Windows\Web\Wallpaper\Theme1\img1.jpg	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx	98561.exe
File created	C:\Windows\PLA\Templates\WDAC_Diagnostics.xml	98561.exe
File created	C:\Windows\SystemApps\DesktopLearning_cw5n1h2txyewy\appxblockmap.xml	98561.exe
File created	C:\Windows\SystemApps\DesktopView_cw5n1h2txyewy\appxblockmap.xml	98561.exe
File created	C:\Windows\HoloShell\appxblockmap.xml	98561.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx	98561.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

2732 vssadmin.exe
1192 vssadmin.exe
668 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

632 taskkill.exe
Modifies registry class 1 IoCs

Processes:

98561.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings 98561.exe

pid	process
2732	vssadmin.exe
1192	vssadmin.exe
668	vssadmin.exe

pid	process
632	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	98561.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

speedo.bin.exe

pid	process
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe
880	speedo.bin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

speedo.bin.exetaskkill.exegmndk54w.exe98561.exeWMIC.exevssvc.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	880	speedo.bin.exe
Token: SeDebugPrivilege	632	taskkill.exe
Token: SeDebugPrivilege	856	gmndk54w.exe
Token: SeDebugPrivilege	2852	98561.exe
Token: 33	2852	98561.exe
Token: SeIncBasePriorityPrivilege	2852	98561.exe
Token: SeIncreaseQuotaPrivilege	3992	WMIC.exe
Token: SeSecurityPrivilege	3992	WMIC.exe
Token: SeTakeOwnershipPrivilege	3992	WMIC.exe
Token: SeLoadDriverPrivilege	3992	WMIC.exe
Token: SeSystemProfilePrivilege	3992	WMIC.exe
Token: SeSystemtimePrivilege	3992	WMIC.exe
Token: SeProfSingleProcessPrivilege	3992	WMIC.exe
Token: SeIncBasePriorityPrivilege	3992	WMIC.exe
Token: SeCreatePagefilePrivilege	3992	WMIC.exe
Token: SeBackupPrivilege	3992	WMIC.exe
Token: SeRestorePrivilege	3992	WMIC.exe
Token: SeShutdownPrivilege	3992	WMIC.exe
Token: SeDebugPrivilege	3992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3992	WMIC.exe
Token: SeRemoteShutdownPrivilege	3992	WMIC.exe
Token: SeUndockPrivilege	3992	WMIC.exe
Token: SeManageVolumePrivilege	3992	WMIC.exe
Token: 33	3992	WMIC.exe
Token: 34	3992	WMIC.exe
Token: 35	3992	WMIC.exe
Token: 36	3992	WMIC.exe
Token: SeBackupPrivilege	1912	vssvc.exe
Token: SeRestorePrivilege	1912	vssvc.exe
Token: SeAuditPrivilege	1912	vssvc.exe
Token: SeIncreaseQuotaPrivilege	3992	WMIC.exe
Token: SeSecurityPrivilege	3992	WMIC.exe
Token: SeTakeOwnershipPrivilege	3992	WMIC.exe
Token: SeLoadDriverPrivilege	3992	WMIC.exe
Token: SeSystemProfilePrivilege	3992	WMIC.exe
Token: SeSystemtimePrivilege	3992	WMIC.exe
Token: SeProfSingleProcessPrivilege	3992	WMIC.exe
Token: SeIncBasePriorityPrivilege	3992	WMIC.exe
Token: SeCreatePagefilePrivilege	3992	WMIC.exe
Token: SeBackupPrivilege	3992	WMIC.exe
Token: SeRestorePrivilege	3992	WMIC.exe
Token: SeShutdownPrivilege	3992	WMIC.exe
Token: SeDebugPrivilege	3992	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3992	WMIC.exe
Token: SeRemoteShutdownPrivilege	3992	WMIC.exe
Token: SeUndockPrivilege	3992	WMIC.exe
Token: SeManageVolumePrivilege	3992	WMIC.exe
Token: 33	3992	WMIC.exe
Token: 34	3992	WMIC.exe
Token: 35	3992	WMIC.exe
Token: 36	3992	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1092	WMIC.exe
Token: SeSecurityPrivilege	1092	WMIC.exe
Token: SeTakeOwnershipPrivilege	1092	WMIC.exe
Token: SeLoadDriverPrivilege	1092	WMIC.exe
Token: SeSystemProfilePrivilege	1092	WMIC.exe
Token: SeSystemtimePrivilege	1092	WMIC.exe
Token: SeProfSingleProcessPrivilege	1092	WMIC.exe
Token: SeIncBasePriorityPrivilege	1092	WMIC.exe
Token: SeCreatePagefilePrivilege	1092	WMIC.exe
Token: SeBackupPrivilege	1092	WMIC.exe
Token: SeRestorePrivilege	1092	WMIC.exe
Token: SeShutdownPrivilege	1092	WMIC.exe
Token: SeDebugPrivilege	1092	WMIC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

speedo.bin.exe

pid process

880 speedo.bin.exe
880 speedo.bin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

speedo.bin.execmd.exegmndk54w.execmd.exe98561.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 880 wrote to memory of 3744	880	speedo.bin.exe	cmstp.exe
PID 880 wrote to memory of 3744	880	speedo.bin.exe	cmstp.exe
PID 2920 wrote to memory of 856	2920	cmd.exe	gmndk54w.exe
PID 2920 wrote to memory of 856	2920	cmd.exe	gmndk54w.exe
PID 2920 wrote to memory of 856	2920	cmd.exe	gmndk54w.exe
PID 856 wrote to memory of 2852	856	gmndk54w.exe	98561.exe
PID 856 wrote to memory of 2852	856	gmndk54w.exe	98561.exe
PID 856 wrote to memory of 2852	856	gmndk54w.exe	98561.exe
PID 856 wrote to memory of 1628	856	gmndk54w.exe	cmd.exe
PID 856 wrote to memory of 1628	856	gmndk54w.exe	cmd.exe
PID 856 wrote to memory of 1628	856	gmndk54w.exe	cmd.exe
PID 1628 wrote to memory of 3860	1628	cmd.exe	choice.exe
PID 1628 wrote to memory of 3860	1628	cmd.exe	choice.exe
PID 1628 wrote to memory of 3860	1628	cmd.exe	choice.exe
PID 2852 wrote to memory of 2784	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 2784	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 2784	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 804	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 804	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 804	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 2084	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 2084	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 2084	2852	98561.exe	cmd.exe
PID 2784 wrote to memory of 1192	2784	cmd.exe	vssadmin.exe
PID 2784 wrote to memory of 1192	2784	cmd.exe	vssadmin.exe
PID 2784 wrote to memory of 1192	2784	cmd.exe	vssadmin.exe
PID 804 wrote to memory of 3992	804	cmd.exe	WMIC.exe
PID 804 wrote to memory of 3992	804	cmd.exe	WMIC.exe
PID 804 wrote to memory of 3992	804	cmd.exe	WMIC.exe
PID 2852 wrote to memory of 988	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 988	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 988	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 1768	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 1768	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 1768	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 4032	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 4032	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 4032	2852	98561.exe	cmd.exe
PID 1768 wrote to memory of 1092	1768	cmd.exe	WMIC.exe
PID 1768 wrote to memory of 1092	1768	cmd.exe	WMIC.exe
PID 1768 wrote to memory of 1092	1768	cmd.exe	WMIC.exe
PID 988 wrote to memory of 668	988	cmd.exe	vssadmin.exe
PID 988 wrote to memory of 668	988	cmd.exe	vssadmin.exe
PID 988 wrote to memory of 668	988	cmd.exe	vssadmin.exe
PID 2852 wrote to memory of 2928	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 2928	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 2928	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 3016	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 3016	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 3016	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 3940	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 3940	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 3940	2852	98561.exe	cmd.exe
PID 2928 wrote to memory of 2732	2928	cmd.exe	vssadmin.exe
PID 2928 wrote to memory of 2732	2928	cmd.exe	vssadmin.exe
PID 2928 wrote to memory of 2732	2928	cmd.exe	vssadmin.exe
PID 3016 wrote to memory of 1760	3016	cmd.exe	WMIC.exe
PID 3016 wrote to memory of 1760	3016	cmd.exe	WMIC.exe
PID 3016 wrote to memory of 1760	3016	cmd.exe	WMIC.exe
PID 2852 wrote to memory of 640	2852	98561.exe	mshta.exe
PID 2852 wrote to memory of 640	2852	98561.exe	mshta.exe
PID 2852 wrote to memory of 640	2852	98561.exe	mshta.exe
PID 2852 wrote to memory of 1196	2852	98561.exe	cmd.exe
PID 2852 wrote to memory of 1196	2852	98561.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\speedo.bin.exe
"C:\Users\Admin\AppData\Local\Temp\speedo.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:880

\??\c:\windows\system32\cmstp.exe
"c:\windows\system32\cmstp.exe" /au C:\Windows\temp\p4ivb3aj.inf
2⤵
PID:3744

C:\Windows\system32\cmd.exe
cmd /c start C:\Windows\temp\gmndk54w.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\temp\gmndk54w.exe
C:\Windows\temp\gmndk54w.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:856

C:\Users\Admin\AppData\Roaming\98561.exe
"C:\Users\Admin\AppData\Roaming\98561.exe"
3⤵
- Executes dropped EXE
- Modifies extensions of user files
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:1192

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:804

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:2084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1092

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:4032

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C vssadmin.exe delete shadows /all /quiet
4⤵
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe delete shadows /all /quiet
5⤵
- Interacts with shadow copies
PID:2732

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
4⤵
PID:3940

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C wmic shadowcopy delete
4⤵
- Suspicious use of WriteProcessMemory
PID:3016

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:1760

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\info.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
4⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Roaming\98561.exe"
4⤵
PID:1196

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
5⤵
PID:904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Windows\temp\gmndk54w.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\choice.exe
choice /C Y /N /D Y /T 1
4⤵
PID:3860

C:\Windows\system32\taskkill.exe
taskkill /IM cmstp.exe /F
1⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1912

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\98561.exe
MD5
7bd1af2bf9a6444ed8f835886b203495

SHA1
a18ede85e2129bea96144a7165a8d49bfc29c3ed

SHA256
fa741ee3922bcadce51c42f2ce03bda09cfc96cb7f079a2794f69c98d985ec36

SHA512
c5a0c720ff6f90231bb4c376e7e4d2f33517566ddfa84f9dbe31cbac9d63b239babd1002e7fc00440c2182319c26a82f958b88fb59b087f4e2debef7fd9fbfe0

Download Submit
C:\Users\Admin\AppData\Roaming\98561.exe
MD5
7bd1af2bf9a6444ed8f835886b203495

SHA1
a18ede85e2129bea96144a7165a8d49bfc29c3ed

SHA256
fa741ee3922bcadce51c42f2ce03bda09cfc96cb7f079a2794f69c98d985ec36

SHA512
c5a0c720ff6f90231bb4c376e7e4d2f33517566ddfa84f9dbe31cbac9d63b239babd1002e7fc00440c2182319c26a82f958b88fb59b087f4e2debef7fd9fbfe0

Download Submit
C:\Users\Admin\Desktop\info.hta
MD5
b4aff40fdf09c3dfb2032c691ccc44d1

SHA1
c385515aa61ada509fad5b9f7a7ab9a84ab856e7

SHA256
e4e875e65926d9343ff2f4d5490407e3ef9050728c92f5cfa56839eca2081109

SHA512
3642499656d403faafdcd5d73a55e9472f2b38a8445bb13db395ce48680b7bd4908a4661c2706a4a8e288ed9617fb5c8045dc01034c70d8f5c233421ec0ff0aa

Download Submit
C:\Windows\Temp\gmndk54w.exe
MD5
6612016ed61a65144813f238efe491a1

SHA1
3a77f98b94a92f482c194ef4d57df1ad05d446ad

SHA256
affdb2f84b3ae8459618a81731f364775386cd8b39b6ec795c5ae80287fed7cc

SHA512
8bffd0759b021b534ba1f7cec57ad7f714c0f189d77b20e363e7de6d77e6c3867dfd0ca1e6c6d8e245252332b5ffff5c49b7ebbc8beb8d5d6c071dafcccada5d

Download Submit
C:\Windows\temp\gmndk54w.exe
MD5
6612016ed61a65144813f238efe491a1

SHA1
3a77f98b94a92f482c194ef4d57df1ad05d446ad

SHA256
affdb2f84b3ae8459618a81731f364775386cd8b39b6ec795c5ae80287fed7cc

SHA512
8bffd0759b021b534ba1f7cec57ad7f714c0f189d77b20e363e7de6d77e6c3867dfd0ca1e6c6d8e245252332b5ffff5c49b7ebbc8beb8d5d6c071dafcccada5d

Download Submit
C:\Windows\temp\p4ivb3aj.inf
MD5
f80666d0a8d2fafcfcfa118aee617fea

SHA1
0bdf32261cb2bb6b632b0406a4dbc874043f8fcd

SHA256
f2ff776705d23c941a0f517dc0273a7b2b17a644e6cbb5caee7948c493a375fa

SHA512
e00c450150f70fa102b496fd3ea9d7fbf3845affae82448570dc583f1f81387e0f9bf8ebdb754b928566358ff9543c4cb0a6d02a6f25fdb49f0893940b811ce8

Download Submit
memory/640-45-0x0000000000000000-mapping.dmp

Download
memory/668-39-0x0000000000000000-mapping.dmp

Download
memory/804-31-0x0000000000000000-mapping.dmp

Download
memory/856-15-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download
memory/856-16-0x0000000000F00000-0x0000000000F01000-memory.dmp

Filesize
4KB

Download
memory/856-12-0x0000000000000000-mapping.dmp

Download
memory/880-11-0x000000001ACD4000-0x000000001ACD6000-memory.dmp

Filesize
8KB

Download
memory/880-10-0x000000001ACD2000-0x000000001ACD4000-memory.dmp

Filesize
8KB

Download
memory/880-9-0x000000001ACD0000-0x000000001ACD2000-memory.dmp

Filesize
8KB

Download
memory/880-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/880-2-0x00007FF9448C0000-0x00007FF9452AC000-memory.dmp

Filesize
9.9MB

Download
memory/904-47-0x0000000000000000-mapping.dmp

Download
memory/988-35-0x0000000000000000-mapping.dmp

Download
memory/1092-38-0x0000000000000000-mapping.dmp

Download
memory/1192-33-0x0000000000000000-mapping.dmp

Download
memory/1196-46-0x0000000000000000-mapping.dmp

Download
memory/1628-25-0x0000000000000000-mapping.dmp

Download
memory/1760-44-0x0000000000000000-mapping.dmp

Download
memory/1768-36-0x0000000000000000-mapping.dmp

Download
memory/2084-32-0x0000000000000000-mapping.dmp

Download
memory/2732-43-0x0000000000000000-mapping.dmp

Download
memory/2784-30-0x0000000000000000-mapping.dmp

Download
memory/2852-24-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/2852-29-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/2852-28-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2852-22-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/2852-21-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download
memory/2852-18-0x0000000000000000-mapping.dmp

Download
memory/2852-26-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2928-40-0x0000000000000000-mapping.dmp

Download
memory/3016-41-0x0000000000000000-mapping.dmp

Download
memory/3744-8-0x00000241DBF10000-0x00000241DC011000-memory.dmp

Filesize
1.0MB

Download
memory/3744-7-0x00000241DBF10000-0x00000241DBF11000-memory.dmp

Filesize
4KB

Download
memory/3744-5-0x0000000000000000-mapping.dmp

Download
memory/3860-27-0x0000000000000000-mapping.dmp

Download
memory/3940-42-0x0000000000000000-mapping.dmp

Download
memory/3992-34-0x0000000000000000-mapping.dmp

Download
memory/4032-37-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads