4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989

Analysis

max time kernel
61s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
Size

446KB
MD5

be9a0cdb2589271f542155efb953cdef
SHA1

992fc97bf357d05c0eab75a5b08b9bd6c6e8a88c
SHA256

4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989
SHA512

cf6b6ec6989240ef0e9ea535800041ceb6e111d9e1f49f17e644b2dd245dafe09f4d45b44b3e019aab0c10fdf45f32b6acd68e603a4a99673e0982b07c140985
SSDEEP

12288:VzK0noiP5m5lKIgkng2IyJ5Fz7nLFON6bA9k:Vt9OKInIytZy6bGk

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1500 installd.exe
1364 nethtsrv.exe
1760 netupdsrv.exe
1632 nethtsrv.exe
1828 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe

pid	process
1500	installd.exe
1364	nethtsrv.exe
1760	netupdsrv.exe
1632	nethtsrv.exe
1828	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
1500	installd.exe
484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
1364	nethtsrv.exe
1364	nethtsrv.exe
484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
1632	nethtsrv.exe
1632	nethtsrv.exe
484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
File created	C:\Windows\SysWOW64\installd.exe	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe

Drops file in Program Files directory 3 IoCs

Processes:

4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1632 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1632	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 484 wrote to memory of 1072	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1072	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1072	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1072	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 1072 wrote to memory of 1248	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1248	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1248	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1248	1072	net.exe	net1.exe
PID 484 wrote to memory of 772	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 772	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 772	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 772	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 772 wrote to memory of 1028	772	net.exe	net1.exe
PID 772 wrote to memory of 1028	772	net.exe	net1.exe
PID 772 wrote to memory of 1028	772	net.exe	net1.exe
PID 772 wrote to memory of 1028	772	net.exe	net1.exe
PID 484 wrote to memory of 1500	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	installd.exe
PID 484 wrote to memory of 1500	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	installd.exe
PID 484 wrote to memory of 1500	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	installd.exe
PID 484 wrote to memory of 1500	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	installd.exe
PID 484 wrote to memory of 1500	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	installd.exe
PID 484 wrote to memory of 1500	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	installd.exe
PID 484 wrote to memory of 1500	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	installd.exe
PID 484 wrote to memory of 1364	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	nethtsrv.exe
PID 484 wrote to memory of 1364	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	nethtsrv.exe
PID 484 wrote to memory of 1364	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	nethtsrv.exe
PID 484 wrote to memory of 1364	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	nethtsrv.exe
PID 484 wrote to memory of 1760	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	netupdsrv.exe
PID 484 wrote to memory of 1760	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	netupdsrv.exe
PID 484 wrote to memory of 1760	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	netupdsrv.exe
PID 484 wrote to memory of 1760	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	netupdsrv.exe
PID 484 wrote to memory of 1760	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	netupdsrv.exe
PID 484 wrote to memory of 1760	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	netupdsrv.exe
PID 484 wrote to memory of 1760	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	netupdsrv.exe
PID 484 wrote to memory of 1540	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1540	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1540	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1540	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 1540 wrote to memory of 1484	1540	net.exe	net1.exe
PID 1540 wrote to memory of 1484	1540	net.exe	net1.exe
PID 1540 wrote to memory of 1484	1540	net.exe	net1.exe
PID 1540 wrote to memory of 1484	1540	net.exe	net1.exe
PID 484 wrote to memory of 1320	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1320	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1320	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 484 wrote to memory of 1320	484	4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe	net.exe
PID 1320 wrote to memory of 1188	1320	net.exe	net1.exe
PID 1320 wrote to memory of 1188	1320	net.exe	net1.exe
PID 1320 wrote to memory of 1188	1320	net.exe	net1.exe
PID 1320 wrote to memory of 1188	1320	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe
"C:\Users\Admin\AppData\Local\Temp\4698d76a460b9d0197cfef4a92495948d5719770cafd6948df50b745b30f7989.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:484

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1248

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1028

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1760

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1484

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1188

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1632

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0dee574af62f82b2126e7654bc3a50d4

SHA1
fda2ff71b088ce1fcca759ffacd9f00c06951099

SHA256
2138a34aa1371f29fc944f74e2f2d74891b2b6be9057e9250c3c6c676e708e9f

SHA512
d78101302455b34fa3cf4377e077836235274edcbc3905f353c69d30ed023c51749e9c349c0b607f1f5af42522d03a5290222c173e3eaae056b1ba83c88103a1

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
817d94cfeeb3603d2edf34029844af48

SHA1
13dfdf2e56c9b8e62a02dcfbd39dc186ce0ff050

SHA256
7f2cde780bb382e8f2edeadd193238e3325777c2e7bee89cbf6a492def15c1ba

SHA512
ef3e7a46a393abab73af5a6fb1f88fcb64ba4435984b2c7e1956eb87dd4f26298abe7d885259253eb3da036a43c5353286c9649c56682baf1fd838ff3fc006d1

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
75ae1c8faff5a94592fd69eb4f5be0c7

SHA1
622717f63b4876bf26f8b0304247106863680bd2

SHA256
03660c4fcb1537ca16c16450bdde541a773faad00ab5d73bed9387644f99d820

SHA512
957c7e32ee60686083ffd04a3b22f694c8fe6cf5f902408e9e49dac57cc1437abee9e590a66351c7cfde76488469b9a37f1d8b1ab15460aa5f0f03a1e8d16e30

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
39f164f3bcb6170e9e6c0765f8c5b2a8

SHA1
e39fe13e1759d1b48169e823bf07eff7b70bc322

SHA256
702d10a1c1a7e511341d7cdafdfb9fce4be5ce6ff99ae676d7a8546de41b1c56

SHA512
bc60a89c80a07954a335756e9b739056e4e140f3bdc4f430d1fd38e31b92aee8f6d1f0349927080c3a7f9e9b6aa8dec0c4128331473046cf5dbb078667dfaef7

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
39f164f3bcb6170e9e6c0765f8c5b2a8

SHA1
e39fe13e1759d1b48169e823bf07eff7b70bc322

SHA256
702d10a1c1a7e511341d7cdafdfb9fce4be5ce6ff99ae676d7a8546de41b1c56

SHA512
bc60a89c80a07954a335756e9b739056e4e140f3bdc4f430d1fd38e31b92aee8f6d1f0349927080c3a7f9e9b6aa8dec0c4128331473046cf5dbb078667dfaef7

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
fc83aff8700223656754f7ef2fb2bcdf

SHA1
86063193472cb5eafa7ea91e557bd044d0474923

SHA256
22683d678c768143b6cd6f6754ec5c5f8c0bb1e7a1891e410d6b6afedf310e39

SHA512
408eb33c41e1cdfe62295f32930401e12fb88abeb4ea1743d97df8cb6d642e0934f65bff63f042b7ac89bcaa7ce73a17393e34c3fa51dfe712cfb9e3298e8667

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
fc83aff8700223656754f7ef2fb2bcdf

SHA1
86063193472cb5eafa7ea91e557bd044d0474923

SHA256
22683d678c768143b6cd6f6754ec5c5f8c0bb1e7a1891e410d6b6afedf310e39

SHA512
408eb33c41e1cdfe62295f32930401e12fb88abeb4ea1743d97df8cb6d642e0934f65bff63f042b7ac89bcaa7ce73a17393e34c3fa51dfe712cfb9e3298e8667

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF460.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF460.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF460.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF460.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoF460.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0dee574af62f82b2126e7654bc3a50d4

SHA1
fda2ff71b088ce1fcca759ffacd9f00c06951099

SHA256
2138a34aa1371f29fc944f74e2f2d74891b2b6be9057e9250c3c6c676e708e9f

SHA512
d78101302455b34fa3cf4377e077836235274edcbc3905f353c69d30ed023c51749e9c349c0b607f1f5af42522d03a5290222c173e3eaae056b1ba83c88103a1

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0dee574af62f82b2126e7654bc3a50d4

SHA1
fda2ff71b088ce1fcca759ffacd9f00c06951099

SHA256
2138a34aa1371f29fc944f74e2f2d74891b2b6be9057e9250c3c6c676e708e9f

SHA512
d78101302455b34fa3cf4377e077836235274edcbc3905f353c69d30ed023c51749e9c349c0b607f1f5af42522d03a5290222c173e3eaae056b1ba83c88103a1

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0dee574af62f82b2126e7654bc3a50d4

SHA1
fda2ff71b088ce1fcca759ffacd9f00c06951099

SHA256
2138a34aa1371f29fc944f74e2f2d74891b2b6be9057e9250c3c6c676e708e9f

SHA512
d78101302455b34fa3cf4377e077836235274edcbc3905f353c69d30ed023c51749e9c349c0b607f1f5af42522d03a5290222c173e3eaae056b1ba83c88103a1

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
817d94cfeeb3603d2edf34029844af48

SHA1
13dfdf2e56c9b8e62a02dcfbd39dc186ce0ff050

SHA256
7f2cde780bb382e8f2edeadd193238e3325777c2e7bee89cbf6a492def15c1ba

SHA512
ef3e7a46a393abab73af5a6fb1f88fcb64ba4435984b2c7e1956eb87dd4f26298abe7d885259253eb3da036a43c5353286c9649c56682baf1fd838ff3fc006d1

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
817d94cfeeb3603d2edf34029844af48

SHA1
13dfdf2e56c9b8e62a02dcfbd39dc186ce0ff050

SHA256
7f2cde780bb382e8f2edeadd193238e3325777c2e7bee89cbf6a492def15c1ba

SHA512
ef3e7a46a393abab73af5a6fb1f88fcb64ba4435984b2c7e1956eb87dd4f26298abe7d885259253eb3da036a43c5353286c9649c56682baf1fd838ff3fc006d1

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
75ae1c8faff5a94592fd69eb4f5be0c7

SHA1
622717f63b4876bf26f8b0304247106863680bd2

SHA256
03660c4fcb1537ca16c16450bdde541a773faad00ab5d73bed9387644f99d820

SHA512
957c7e32ee60686083ffd04a3b22f694c8fe6cf5f902408e9e49dac57cc1437abee9e590a66351c7cfde76488469b9a37f1d8b1ab15460aa5f0f03a1e8d16e30

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
39f164f3bcb6170e9e6c0765f8c5b2a8

SHA1
e39fe13e1759d1b48169e823bf07eff7b70bc322

SHA256
702d10a1c1a7e511341d7cdafdfb9fce4be5ce6ff99ae676d7a8546de41b1c56

SHA512
bc60a89c80a07954a335756e9b739056e4e140f3bdc4f430d1fd38e31b92aee8f6d1f0349927080c3a7f9e9b6aa8dec0c4128331473046cf5dbb078667dfaef7

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
fc83aff8700223656754f7ef2fb2bcdf

SHA1
86063193472cb5eafa7ea91e557bd044d0474923

SHA256
22683d678c768143b6cd6f6754ec5c5f8c0bb1e7a1891e410d6b6afedf310e39

SHA512
408eb33c41e1cdfe62295f32930401e12fb88abeb4ea1743d97df8cb6d642e0934f65bff63f042b7ac89bcaa7ce73a17393e34c3fa51dfe712cfb9e3298e8667

Download Submit
memory/484-54-0x0000000074D71000-0x0000000074D73000-memory.dmp

Filesize
8KB

Download
memory/772-60-0x0000000000000000-mapping.dmp

Download
memory/1028-61-0x0000000000000000-mapping.dmp

Download
memory/1072-57-0x0000000000000000-mapping.dmp

Download
memory/1188-86-0x0000000000000000-mapping.dmp

Download
memory/1248-58-0x0000000000000000-mapping.dmp

Download
memory/1320-85-0x0000000000000000-mapping.dmp

Download
memory/1364-69-0x0000000000000000-mapping.dmp

Download
memory/1484-80-0x0000000000000000-mapping.dmp

Download
memory/1500-63-0x0000000000000000-mapping.dmp

Download
memory/1540-79-0x0000000000000000-mapping.dmp

Download
memory/1760-75-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads