af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
Size

603KB
MD5

af5fa66ceb1e86ea1965ca3523e101f4
SHA1

426563e5222f06584d72fdc1ba79f30889e4f1bf
SHA256

af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32
SHA512

9bdc2488efaba65afd78f1fb217d591401d2d17348d5f20f1074dc9596b2799ea26417d824a4bc012204352da5326c22708bee71027d54bfc6d8c804a89cfbec
SSDEEP

12288:mIny5DYT9d4F7ARGIpow4grFdVKqTpY6/MNFF6B:IUT9OFoGIpow4grFdcqTqvy

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1980 installd.exe
632 nethtsrv.exe
1196 netupdsrv.exe
1456 nethtsrv.exe
1920 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe

pid	process
1980	installd.exe
632	nethtsrv.exe
1196	netupdsrv.exe
1456	nethtsrv.exe
1920	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
1980	installd.exe
548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
632	nethtsrv.exe
632	nethtsrv.exe
548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
1456	nethtsrv.exe
1456	nethtsrv.exe
548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe

description	ioc	process
File created	C:\Windows\SysWOW64\netupdsrv.exe	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
File created	C:\Windows\SysWOW64\installd.exe	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe

Drops file in Program Files directory 3 IoCs

Processes:

af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1456 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1456	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 548 wrote to memory of 1976	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 1976	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 1976	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 1976	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 1976 wrote to memory of 2020	1976	net.exe	net1.exe
PID 1976 wrote to memory of 2020	1976	net.exe	net1.exe
PID 1976 wrote to memory of 2020	1976	net.exe	net1.exe
PID 1976 wrote to memory of 2020	1976	net.exe	net1.exe
PID 548 wrote to memory of 2040	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 2040	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 2040	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 2040	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 2040 wrote to memory of 956	2040	net.exe	net1.exe
PID 2040 wrote to memory of 956	2040	net.exe	net1.exe
PID 2040 wrote to memory of 956	2040	net.exe	net1.exe
PID 2040 wrote to memory of 956	2040	net.exe	net1.exe
PID 548 wrote to memory of 1980	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	installd.exe
PID 548 wrote to memory of 1980	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	installd.exe
PID 548 wrote to memory of 1980	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	installd.exe
PID 548 wrote to memory of 1980	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	installd.exe
PID 548 wrote to memory of 1980	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	installd.exe
PID 548 wrote to memory of 1980	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	installd.exe
PID 548 wrote to memory of 1980	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	installd.exe
PID 548 wrote to memory of 632	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	nethtsrv.exe
PID 548 wrote to memory of 632	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	nethtsrv.exe
PID 548 wrote to memory of 632	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	nethtsrv.exe
PID 548 wrote to memory of 632	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	nethtsrv.exe
PID 548 wrote to memory of 1196	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	netupdsrv.exe
PID 548 wrote to memory of 1196	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	netupdsrv.exe
PID 548 wrote to memory of 1196	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	netupdsrv.exe
PID 548 wrote to memory of 1196	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	netupdsrv.exe
PID 548 wrote to memory of 1196	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	netupdsrv.exe
PID 548 wrote to memory of 1196	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	netupdsrv.exe
PID 548 wrote to memory of 1196	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	netupdsrv.exe
PID 548 wrote to memory of 608	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 608	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 608	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 608	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 608 wrote to memory of 556	608	net.exe	net1.exe
PID 608 wrote to memory of 556	608	net.exe	net1.exe
PID 608 wrote to memory of 556	608	net.exe	net1.exe
PID 608 wrote to memory of 556	608	net.exe	net1.exe
PID 548 wrote to memory of 588	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 588	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 588	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 548 wrote to memory of 588	548	af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe	net.exe
PID 588 wrote to memory of 1972	588	net.exe	net1.exe
PID 588 wrote to memory of 1972	588	net.exe	net1.exe
PID 588 wrote to memory of 1972	588	net.exe	net1.exe
PID 588 wrote to memory of 1972	588	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe
"C:\Users\Admin\AppData\Local\Temp\af54048ea7e284421e650bd56f839de41be865ef526c91ac0ad1594370a2db32.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:956

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1196

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:556

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1972

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1456

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
ec5482397c9bf1003cb603711e108261

SHA1
4a6b1abf5072829b41e860bd72578dbc4c1fddcf

SHA256
cb70856f95946101b29ac4e83b5c6f6ed1260c0cfb0cd2535eb6597d2135f0f5

SHA512
1c2c33bd9337b17b71451f053c40742032373a88725165bec245296b7e7a7891681f559e1cb224151275a8e4e6a180a6d1ce904a42b0e82607f88e4f170205ab

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
cfc5e4290776d52bc70c3909f5fcc4e9

SHA1
fbd4c1816ed66f25cfce26e730227740141a4f7f

SHA256
d97178555fa15d53706608dd57765fc3f9e36a19c12a22856110163477623ffb

SHA512
ba54b8b07f3cf84a1ad31236897e23867edef98842372e017e3c02a647c4024b0ebce2f5876f47bade44283b8cb71370c3e1b737f82a3cf1abc8eb881633d7fe

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
3dc1e80d9e3f678d7c1286988a99789a

SHA1
9a72032ac39e680eb6fbf5544e5a3295077c9414

SHA256
01174a5c3753f8c8d1648301cfe95f646085cb0fc4cd20ade15605f837f2697e

SHA512
c3db93bda8d7da221b20360946bd673aaa7210f6e982fe60e77adeb560f351ec39915a6406e5b5e3beee7b46c6e7659bdf9068e9effcc50ee7382377ddf2918d

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2e76e1aadb561bab4a3096a7c286c76b

SHA1
d554e0584ad157f6304539c6d9b1d820af7197d7

SHA256
11ceea37f438746abb0d8508c95ca87115afa2e1213c07065e3bc91aa83332b1

SHA512
0d848f185180948b87245d7f9bce3e2f66a2f94ae7cb88740ff1fd1bb49595caa1e2b26c92819fa16051049809bab77d4a78036ec67ad473967e88af49ebfd15

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2e76e1aadb561bab4a3096a7c286c76b

SHA1
d554e0584ad157f6304539c6d9b1d820af7197d7

SHA256
11ceea37f438746abb0d8508c95ca87115afa2e1213c07065e3bc91aa83332b1

SHA512
0d848f185180948b87245d7f9bce3e2f66a2f94ae7cb88740ff1fd1bb49595caa1e2b26c92819fa16051049809bab77d4a78036ec67ad473967e88af49ebfd15

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
f048402d330059a9bce43b16311e50f8

SHA1
c282649590a22dfb5d25dd65e27aa607c3e9ac23

SHA256
da8c11e7ebbce26a3417f33b86a6858ae29aa3601383de4c106dcb0c55a75d26

SHA512
e125fdf80a4fc298a63e5e8641601823c41e29cd2d2b8c81c01356116002378af81ca2607b0f87d17972485e9016e24e8a30d2f9b21d23eebe39cbeb406f5458

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
f048402d330059a9bce43b16311e50f8

SHA1
c282649590a22dfb5d25dd65e27aa607c3e9ac23

SHA256
da8c11e7ebbce26a3417f33b86a6858ae29aa3601383de4c106dcb0c55a75d26

SHA512
e125fdf80a4fc298a63e5e8641601823c41e29cd2d2b8c81c01356116002378af81ca2607b0f87d17972485e9016e24e8a30d2f9b21d23eebe39cbeb406f5458

Download Submit
\Users\Admin\AppData\Local\Temp\nsd55B1.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd55B1.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd55B1.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd55B1.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd55B1.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
ec5482397c9bf1003cb603711e108261

SHA1
4a6b1abf5072829b41e860bd72578dbc4c1fddcf

SHA256
cb70856f95946101b29ac4e83b5c6f6ed1260c0cfb0cd2535eb6597d2135f0f5

SHA512
1c2c33bd9337b17b71451f053c40742032373a88725165bec245296b7e7a7891681f559e1cb224151275a8e4e6a180a6d1ce904a42b0e82607f88e4f170205ab

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
ec5482397c9bf1003cb603711e108261

SHA1
4a6b1abf5072829b41e860bd72578dbc4c1fddcf

SHA256
cb70856f95946101b29ac4e83b5c6f6ed1260c0cfb0cd2535eb6597d2135f0f5

SHA512
1c2c33bd9337b17b71451f053c40742032373a88725165bec245296b7e7a7891681f559e1cb224151275a8e4e6a180a6d1ce904a42b0e82607f88e4f170205ab

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
ec5482397c9bf1003cb603711e108261

SHA1
4a6b1abf5072829b41e860bd72578dbc4c1fddcf

SHA256
cb70856f95946101b29ac4e83b5c6f6ed1260c0cfb0cd2535eb6597d2135f0f5

SHA512
1c2c33bd9337b17b71451f053c40742032373a88725165bec245296b7e7a7891681f559e1cb224151275a8e4e6a180a6d1ce904a42b0e82607f88e4f170205ab

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
cfc5e4290776d52bc70c3909f5fcc4e9

SHA1
fbd4c1816ed66f25cfce26e730227740141a4f7f

SHA256
d97178555fa15d53706608dd57765fc3f9e36a19c12a22856110163477623ffb

SHA512
ba54b8b07f3cf84a1ad31236897e23867edef98842372e017e3c02a647c4024b0ebce2f5876f47bade44283b8cb71370c3e1b737f82a3cf1abc8eb881633d7fe

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
cfc5e4290776d52bc70c3909f5fcc4e9

SHA1
fbd4c1816ed66f25cfce26e730227740141a4f7f

SHA256
d97178555fa15d53706608dd57765fc3f9e36a19c12a22856110163477623ffb

SHA512
ba54b8b07f3cf84a1ad31236897e23867edef98842372e017e3c02a647c4024b0ebce2f5876f47bade44283b8cb71370c3e1b737f82a3cf1abc8eb881633d7fe

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
3dc1e80d9e3f678d7c1286988a99789a

SHA1
9a72032ac39e680eb6fbf5544e5a3295077c9414

SHA256
01174a5c3753f8c8d1648301cfe95f646085cb0fc4cd20ade15605f837f2697e

SHA512
c3db93bda8d7da221b20360946bd673aaa7210f6e982fe60e77adeb560f351ec39915a6406e5b5e3beee7b46c6e7659bdf9068e9effcc50ee7382377ddf2918d

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2e76e1aadb561bab4a3096a7c286c76b

SHA1
d554e0584ad157f6304539c6d9b1d820af7197d7

SHA256
11ceea37f438746abb0d8508c95ca87115afa2e1213c07065e3bc91aa83332b1

SHA512
0d848f185180948b87245d7f9bce3e2f66a2f94ae7cb88740ff1fd1bb49595caa1e2b26c92819fa16051049809bab77d4a78036ec67ad473967e88af49ebfd15

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
f048402d330059a9bce43b16311e50f8

SHA1
c282649590a22dfb5d25dd65e27aa607c3e9ac23

SHA256
da8c11e7ebbce26a3417f33b86a6858ae29aa3601383de4c106dcb0c55a75d26

SHA512
e125fdf80a4fc298a63e5e8641601823c41e29cd2d2b8c81c01356116002378af81ca2607b0f87d17972485e9016e24e8a30d2f9b21d23eebe39cbeb406f5458

Download Submit
memory/548-62-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/548-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/548-54-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/556-81-0x0000000000000000-mapping.dmp

Download
memory/588-86-0x0000000000000000-mapping.dmp

Download
memory/608-80-0x0000000000000000-mapping.dmp

Download
memory/632-70-0x0000000000000000-mapping.dmp

Download
memory/956-61-0x0000000000000000-mapping.dmp

Download
memory/1196-76-0x0000000000000000-mapping.dmp

Download
memory/1972-87-0x0000000000000000-mapping.dmp

Download
memory/1976-57-0x0000000000000000-mapping.dmp

Download
memory/1980-64-0x0000000000000000-mapping.dmp

Download
memory/2020-58-0x0000000000000000-mapping.dmp

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads