6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568

Analysis

max time kernel
59s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
Size

601KB
MD5

f45e60ea1b1eff54ff3d7ca746afd768
SHA1

1dc2a346b9cf13eaf59d663900ece2917bcdb443
SHA256

6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568
SHA512

4ab90b83e60ceb78ab10b6260de37160799bad621175b8b77afc30af9105b9ef9f76e79c1d687436f759e7d19f82a768ebe85ae614b0373a64f363da35241fa6
SSDEEP

12288:pIny5DYTD+ufOo6UQP0FDzJtgKQlT9S6EUVpZ84uK:FUTD+u2MhJtgKQlT/VVpZBx

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1924 installd.exe
824 nethtsrv.exe
1600 netupdsrv.exe
1268 nethtsrv.exe
1660 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe

pid	process
1924	installd.exe
824	nethtsrv.exe
1600	netupdsrv.exe
1268	nethtsrv.exe
1660	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
1924	installd.exe
1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
824	nethtsrv.exe
824	nethtsrv.exe
1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
1268	nethtsrv.exe
1268	nethtsrv.exe
1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfpapi.dll	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
File created	C:\Windows\SysWOW64\installd.exe	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe

Drops file in Program Files directory 3 IoCs

Processes:

6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1268 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1268	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1208 wrote to memory of 564	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 564	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 564	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 564	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 564 wrote to memory of 776	564	net.exe	net1.exe
PID 564 wrote to memory of 776	564	net.exe	net1.exe
PID 564 wrote to memory of 776	564	net.exe	net1.exe
PID 564 wrote to memory of 776	564	net.exe	net1.exe
PID 1208 wrote to memory of 920	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 920	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 920	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 920	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 920 wrote to memory of 752	920	net.exe	net1.exe
PID 920 wrote to memory of 752	920	net.exe	net1.exe
PID 920 wrote to memory of 752	920	net.exe	net1.exe
PID 920 wrote to memory of 752	920	net.exe	net1.exe
PID 1208 wrote to memory of 1924	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	installd.exe
PID 1208 wrote to memory of 1924	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	installd.exe
PID 1208 wrote to memory of 1924	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	installd.exe
PID 1208 wrote to memory of 1924	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	installd.exe
PID 1208 wrote to memory of 1924	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	installd.exe
PID 1208 wrote to memory of 1924	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	installd.exe
PID 1208 wrote to memory of 1924	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	installd.exe
PID 1208 wrote to memory of 824	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	nethtsrv.exe
PID 1208 wrote to memory of 824	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	nethtsrv.exe
PID 1208 wrote to memory of 824	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	nethtsrv.exe
PID 1208 wrote to memory of 824	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	nethtsrv.exe
PID 1208 wrote to memory of 1600	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	netupdsrv.exe
PID 1208 wrote to memory of 1600	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	netupdsrv.exe
PID 1208 wrote to memory of 1600	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	netupdsrv.exe
PID 1208 wrote to memory of 1600	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	netupdsrv.exe
PID 1208 wrote to memory of 1600	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	netupdsrv.exe
PID 1208 wrote to memory of 1600	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	netupdsrv.exe
PID 1208 wrote to memory of 1600	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	netupdsrv.exe
PID 1208 wrote to memory of 1952	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 1952	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 1952	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 1952	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1952 wrote to memory of 636	1952	net.exe	net1.exe
PID 1952 wrote to memory of 636	1952	net.exe	net1.exe
PID 1952 wrote to memory of 636	1952	net.exe	net1.exe
PID 1952 wrote to memory of 636	1952	net.exe	net1.exe
PID 1208 wrote to memory of 1116	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 1116	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 1116	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1208 wrote to memory of 1116	1208	6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe	net.exe
PID 1116 wrote to memory of 2036	1116	net.exe	net1.exe
PID 1116 wrote to memory of 2036	1116	net.exe	net1.exe
PID 1116 wrote to memory of 2036	1116	net.exe	net1.exe
PID 1116 wrote to memory of 2036	1116	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe
"C:\Users\Admin\AppData\Local\Temp\6960232c7711461f6e7c46049fad25976796510973f1c461eceb0b9bcefea568.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:776

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:752

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1600

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:636

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1116

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:2036

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1268

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1660

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0001d9d7c953854c40341b4b6f3bd8ac

SHA1
ca2ed1a4062660f98a226d72ec136596e565e20e

SHA256
b04b41d9431106c3ba405c2f3d4a5213f620e7b40bd5aa95caab3ccf91831920

SHA512
26e9137a6d6352861f7003560983c2ecaab8f326edbed8197fdf07114ddf01cb6d486edf4922e00dbdbfe911dfe214014aaf504ba57978840f984a52dd1931d1

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
0e85a1ba0b1835c7de682de5efa4e93a

SHA1
29dc386bbd0eda7ac544b0a462de362718571a77

SHA256
ebca6be22e768c8ff2bf7634d74c0e9e41e607a58d88af4a44b895ab6fb3ee96

SHA512
7032244ba8a4bef399958ffae5f494401b8e04bfae3ef394e62cc2485a6f13c55f65f22fcf3f9cdc6eb522f8a8355710f5bc85c066f602502a806f5ba560fade

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
df61b56dd44b6ca2d36d4e041e6c9582

SHA1
38325e2e7cd2077b83c07a76b50a9ec456bc4712

SHA256
53a456527a1ea6a22ddaaa53c2b55678948d110670ad5f70ec7eae383936a8ff

SHA512
d6ca16857a21a8af345657263801cd977f558e0faa231110638bd7f925303867b675b5f08cadbd3942bdf924998986cd62c9d29740bedb019cf972be79b647bd

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2536a7b6c5a276cbe946a68b9f5eb255

SHA1
1cad24dd1a1264f262318def09eaf5bd2773053b

SHA256
f8291dc66a9397701973ebd0cc69183322bad13ffacfb62b2e3cb20afadb748d

SHA512
aebaa927b5437dc9b6726641615f02169309cdb11e4ea5198c8c0026885394dff30e80da499d9785341bfd350239ff937879e03ae1df23aba3a91216ec073107

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2536a7b6c5a276cbe946a68b9f5eb255

SHA1
1cad24dd1a1264f262318def09eaf5bd2773053b

SHA256
f8291dc66a9397701973ebd0cc69183322bad13ffacfb62b2e3cb20afadb748d

SHA512
aebaa927b5437dc9b6726641615f02169309cdb11e4ea5198c8c0026885394dff30e80da499d9785341bfd350239ff937879e03ae1df23aba3a91216ec073107

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
ed1f8102e996cd373a07777b49115743

SHA1
44822260e38dbfbb71c1dd80747de3c7f0f38a93

SHA256
2a2c57ba7777b5206434798ca8b3b07c898447c546c055c028f357e2ef65ee71

SHA512
a0e20b8982c681a5e3181a010b1080633a7196ed141765e6ea7153eb519862256761bad1fb852e130ce1b952bcc5ddd95b1f1918223079b7ab6ae137f3c55d82

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
ed1f8102e996cd373a07777b49115743

SHA1
44822260e38dbfbb71c1dd80747de3c7f0f38a93

SHA256
2a2c57ba7777b5206434798ca8b3b07c898447c546c055c028f357e2ef65ee71

SHA512
a0e20b8982c681a5e3181a010b1080633a7196ed141765e6ea7153eb519862256761bad1fb852e130ce1b952bcc5ddd95b1f1918223079b7ab6ae137f3c55d82

Download Submit
\Users\Admin\AppData\Local\Temp\nseD29E.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseD29E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseD29E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseD29E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseD29E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0001d9d7c953854c40341b4b6f3bd8ac

SHA1
ca2ed1a4062660f98a226d72ec136596e565e20e

SHA256
b04b41d9431106c3ba405c2f3d4a5213f620e7b40bd5aa95caab3ccf91831920

SHA512
26e9137a6d6352861f7003560983c2ecaab8f326edbed8197fdf07114ddf01cb6d486edf4922e00dbdbfe911dfe214014aaf504ba57978840f984a52dd1931d1

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0001d9d7c953854c40341b4b6f3bd8ac

SHA1
ca2ed1a4062660f98a226d72ec136596e565e20e

SHA256
b04b41d9431106c3ba405c2f3d4a5213f620e7b40bd5aa95caab3ccf91831920

SHA512
26e9137a6d6352861f7003560983c2ecaab8f326edbed8197fdf07114ddf01cb6d486edf4922e00dbdbfe911dfe214014aaf504ba57978840f984a52dd1931d1

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0001d9d7c953854c40341b4b6f3bd8ac

SHA1
ca2ed1a4062660f98a226d72ec136596e565e20e

SHA256
b04b41d9431106c3ba405c2f3d4a5213f620e7b40bd5aa95caab3ccf91831920

SHA512
26e9137a6d6352861f7003560983c2ecaab8f326edbed8197fdf07114ddf01cb6d486edf4922e00dbdbfe911dfe214014aaf504ba57978840f984a52dd1931d1

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
0e85a1ba0b1835c7de682de5efa4e93a

SHA1
29dc386bbd0eda7ac544b0a462de362718571a77

SHA256
ebca6be22e768c8ff2bf7634d74c0e9e41e607a58d88af4a44b895ab6fb3ee96

SHA512
7032244ba8a4bef399958ffae5f494401b8e04bfae3ef394e62cc2485a6f13c55f65f22fcf3f9cdc6eb522f8a8355710f5bc85c066f602502a806f5ba560fade

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
0e85a1ba0b1835c7de682de5efa4e93a

SHA1
29dc386bbd0eda7ac544b0a462de362718571a77

SHA256
ebca6be22e768c8ff2bf7634d74c0e9e41e607a58d88af4a44b895ab6fb3ee96

SHA512
7032244ba8a4bef399958ffae5f494401b8e04bfae3ef394e62cc2485a6f13c55f65f22fcf3f9cdc6eb522f8a8355710f5bc85c066f602502a806f5ba560fade

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
df61b56dd44b6ca2d36d4e041e6c9582

SHA1
38325e2e7cd2077b83c07a76b50a9ec456bc4712

SHA256
53a456527a1ea6a22ddaaa53c2b55678948d110670ad5f70ec7eae383936a8ff

SHA512
d6ca16857a21a8af345657263801cd977f558e0faa231110638bd7f925303867b675b5f08cadbd3942bdf924998986cd62c9d29740bedb019cf972be79b647bd

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2536a7b6c5a276cbe946a68b9f5eb255

SHA1
1cad24dd1a1264f262318def09eaf5bd2773053b

SHA256
f8291dc66a9397701973ebd0cc69183322bad13ffacfb62b2e3cb20afadb748d

SHA512
aebaa927b5437dc9b6726641615f02169309cdb11e4ea5198c8c0026885394dff30e80da499d9785341bfd350239ff937879e03ae1df23aba3a91216ec073107

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
ed1f8102e996cd373a07777b49115743

SHA1
44822260e38dbfbb71c1dd80747de3c7f0f38a93

SHA256
2a2c57ba7777b5206434798ca8b3b07c898447c546c055c028f357e2ef65ee71

SHA512
a0e20b8982c681a5e3181a010b1080633a7196ed141765e6ea7153eb519862256761bad1fb852e130ce1b952bcc5ddd95b1f1918223079b7ab6ae137f3c55d82

Download Submit
memory/564-58-0x0000000000000000-mapping.dmp

Download
memory/636-82-0x0000000000000000-mapping.dmp

Download
memory/752-63-0x0000000000000000-mapping.dmp

Download
memory/776-60-0x0000000000000000-mapping.dmp

Download
memory/824-71-0x0000000000000000-mapping.dmp

Download
memory/920-62-0x0000000000000000-mapping.dmp

Download
memory/1116-87-0x0000000000000000-mapping.dmp

Download
memory/1208-54-0x0000000075C21000-0x0000000075C23000-memory.dmp

Filesize
8KB

Download
memory/1208-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1208-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1208-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1600-77-0x0000000000000000-mapping.dmp

Download
memory/1924-65-0x0000000000000000-mapping.dmp

Download
memory/1952-81-0x0000000000000000-mapping.dmp

Download
memory/2036-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads