c259d0cf58752c1498db7f34035ce0da98879d369d2500204948eacbff008a36

Analysis

max time kernel
0s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
31-12-2023 01:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc.exe
Size

12.5MB
MD5

d412865db372ff51f4237c496025639b
SHA1

9cd5409d3ecf569b61beac788215ff3711c0f6fc
SHA256

af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc
SHA512

661532765f49d56ff41119217b29719837f9773c396ba6d9efa95d21dcfabd3d7c89c2e688b7da9b9a984d760bc505d980be3ba2ad14b1359423a891c34508b1
SSDEEP

393216:aqFZIAAa93h999999lvnMv+HmtFgWWgaxraJT4a:aPAN93h999999lMvmKgWKuTV

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1940	driver_setup.exe
1260	Process not Found

Loads dropped DLL 1 IoCs

pid	Process
1908	af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	driver_setup.exe
File opened (read-only)	\??\V:	driver_setup.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	driver_setup.exe
File opened (read-only)	\??\Y:	driver_setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	driver_setup.exe
File opened (read-only)	\??\K:	driver_setup.exe
File opened (read-only)	\??\L:	driver_setup.exe
File opened (read-only)	\??\M:	driver_setup.exe
File opened (read-only)	\??\O:	driver_setup.exe
File opened (read-only)	\??\S:	driver_setup.exe
File opened (read-only)	\??\W:	driver_setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	driver_setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	driver_setup.exe
File opened (read-only)	\??\G:	driver_setup.exe
File opened (read-only)	\??\H:	driver_setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	driver_setup.exe
File opened (read-only)	\??\P:	driver_setup.exe
File opened (read-only)	\??\Q:	driver_setup.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	driver_setup.exe
File opened (read-only)	\??\R:	driver_setup.exe
File opened (read-only)	\??\T:	driver_setup.exe
File opened (read-only)	\??\X:	driver_setup.exe
File opened (read-only)	\??\Z:	driver_setup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2932	msiexec.exe
Token: SeTakeOwnershipPrivilege	2932	msiexec.exe
Token: SeSecurityPrivilege	2932	msiexec.exe
Token: SeCreateTokenPrivilege	1940	driver_setup.exe
Token: SeAssignPrimaryTokenPrivilege	1940	driver_setup.exe
Token: SeLockMemoryPrivilege	1940	driver_setup.exe
Token: SeIncreaseQuotaPrivilege	1940	driver_setup.exe
Token: SeMachineAccountPrivilege	1940	driver_setup.exe
Token: SeTcbPrivilege	1940	driver_setup.exe
Token: SeSecurityPrivilege	1940	driver_setup.exe
Token: SeTakeOwnershipPrivilege	1940	driver_setup.exe
Token: SeLoadDriverPrivilege	1940	driver_setup.exe
Token: SeSystemProfilePrivilege	1940	driver_setup.exe
Token: SeSystemtimePrivilege	1940	driver_setup.exe
Token: SeProfSingleProcessPrivilege	1940	driver_setup.exe
Token: SeIncBasePriorityPrivilege	1940	driver_setup.exe
Token: SeCreatePagefilePrivilege	1940	driver_setup.exe
Token: SeCreatePermanentPrivilege	1940	driver_setup.exe
Token: SeBackupPrivilege	1940	driver_setup.exe
Token: SeRestorePrivilege	1940	driver_setup.exe
Token: SeShutdownPrivilege	1940	driver_setup.exe
Token: SeDebugPrivilege	1940	driver_setup.exe
Token: SeAuditPrivilege	1940	driver_setup.exe
Token: SeSystemEnvironmentPrivilege	1940	driver_setup.exe
Token: SeChangeNotifyPrivilege	1940	driver_setup.exe
Token: SeRemoteShutdownPrivilege	1940	driver_setup.exe
Token: SeUndockPrivilege	1940	driver_setup.exe
Token: SeSyncAgentPrivilege	1940	driver_setup.exe
Token: SeEnableDelegationPrivilege	1940	driver_setup.exe
Token: SeManageVolumePrivilege	1940	driver_setup.exe
Token: SeImpersonatePrivilege	1940	driver_setup.exe
Token: SeCreateGlobalPrivilege	1940	driver_setup.exe
Token: SeShutdownPrivilege	1940	driver_setup.exe
Token: SeIncreaseQuotaPrivilege	1940	driver_setup.exe
Token: SeCreateTokenPrivilege	1940	driver_setup.exe
Token: SeAssignPrimaryTokenPrivilege	1940	driver_setup.exe
Token: SeLockMemoryPrivilege	1940	driver_setup.exe
Token: SeIncreaseQuotaPrivilege	1940	driver_setup.exe
Token: SeMachineAccountPrivilege	1940	driver_setup.exe
Token: SeTcbPrivilege	1940	driver_setup.exe
Token: SeSecurityPrivilege	1940	driver_setup.exe
Token: SeTakeOwnershipPrivilege	1940	driver_setup.exe
Token: SeLoadDriverPrivilege	1940	driver_setup.exe
Token: SeSystemProfilePrivilege	1940	driver_setup.exe
Token: SeSystemtimePrivilege	1940	driver_setup.exe
Token: SeProfSingleProcessPrivilege	1940	driver_setup.exe
Token: SeIncBasePriorityPrivilege	1940	driver_setup.exe
Token: SeCreatePagefilePrivilege	1940	driver_setup.exe
Token: SeCreatePermanentPrivilege	1940	driver_setup.exe
Token: SeBackupPrivilege	1940	driver_setup.exe
Token: SeRestorePrivilege	1940	driver_setup.exe
Token: SeShutdownPrivilege	1940	driver_setup.exe
Token: SeDebugPrivilege	1940	driver_setup.exe
Token: SeAuditPrivilege	1940	driver_setup.exe
Token: SeSystemEnvironmentPrivilege	1940	driver_setup.exe
Token: SeChangeNotifyPrivilege	1940	driver_setup.exe
Token: SeRemoteShutdownPrivilege	1940	driver_setup.exe
Token: SeUndockPrivilege	1940	driver_setup.exe
Token: SeSyncAgentPrivilege	1940	driver_setup.exe
Token: SeEnableDelegationPrivilege	1940	driver_setup.exe
Token: SeManageVolumePrivilege	1940	driver_setup.exe
Token: SeImpersonatePrivilege	1940	driver_setup.exe
Token: SeCreateGlobalPrivilege	1940	driver_setup.exe
Token: SeCreateTokenPrivilege	1940	driver_setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1940	driver_setup.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1940	1908	af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc.exe	23
PID 1908 wrote to memory of 1940	1908	af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc.exe	23
PID 1908 wrote to memory of 1940	1908	af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc.exe	23
PID 2932 wrote to memory of 1212	2932	msiexec.exe	19
PID 2932 wrote to memory of 1212	2932	msiexec.exe	19
PID 2932 wrote to memory of 1212	2932	msiexec.exe	19
PID 2932 wrote to memory of 1212	2932	msiexec.exe	19
PID 2932 wrote to memory of 1212	2932	msiexec.exe	19

C:\Users\Admin\AppData\Local\Temp\af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc.exe
"C:\Users\Admin\AppData\Local\Temp\af48efac2b7d97cc0b70559a0a2be8cfeae961306ed16f0c91706a3bef6d61fc.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\driver_setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\driver_setup.exe /i drvupdate-amd64.msi
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1940

C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 24A01854864E5F2E1500AD8E3B81B657 C
1⤵
PID:1212

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2640

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2932
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A34B1B0E6E7F174220CFD047814D75DB
  2⤵
  PID:2524
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding AB0FA491DF256F270EC09915DC5E1CE9 M Global\MSI0000
  2⤵
  PID:1528
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A70376E63CBAF3BB0361C1060EDFF9A8 C
  2⤵
  PID:1552
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 5CBA332159C912C717FAB7BCC09153B6
  2⤵
  PID:2848
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 560D22EFC7BD528BC2F1812E6BDFDC78
  2⤵
  PID:1404
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 82FDDDA4CEAA388112290FFCD5C1B2D3 M Global\MSI0000
  2⤵
  PID:2788
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD51855E294926D771C927A443035105 M Global\MSI0000
  2⤵
  PID:2780
- - C:\Windows\WindowsMobile\InstallForm.exe
    C:\Windows\WindowsMobile\InstallForm.exe Install
    3⤵
    PID:2132

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000498" "00000000000005A4"
1⤵
PID:2468

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{6f032f83-f856-708f-98b5-9162ba20cc60}\wcerndis.inf" "9" "656b799f7" "00000000000005A0" "WinSta0\Default" "0000000000000498" "208" "C:\Windows\WindowsMobile\Drivers\RNDIS"
1⤵
PID:1664

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{12c20948-5f01-1151-af51-474835e0aa75}\wceusbsh.inf" "9" "608b27587" "0000000000000498" "WinSta0\Default" "00000000000003B4" "208" "C:\Windows\WindowsMobile\Drivers\Serial"
1⤵
PID:1704

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2530cb3b-2604-34f3-50ff-2c4fb645ff30}\wpdrapi.inf" "9" "6c93161fb" "00000000000003B4" "WinSta0\Default" "00000000000004A4" "208" "C:\Windows\WindowsMobile\Drivers\WPD"
1⤵
PID:1152

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{02597059-662e-7a43-2396-316502a68a63}\wcebth.inf" "9" "695ee40cf" "00000000000004A4" "WinSta0\Default" "00000000000005A0" "208" "C:\Windows\WindowsMobile\Drivers\Bluetooth"
1⤵
PID:1516

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "UMB\UMB\1&841921d&0&windowsmobiledriverinstaller" "" "" "6ef5b215f" "0000000000000000" "00000000000004A4" "0000000000000498"
1⤵
PID:3000

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{93358ea5-272c-482e-a94b-bd1fdbe65c8c} "(null)"
1⤵
PID:1760
- C:\Windows\System32\dinotify.exe
  "C:\Windows\System32\dinotify.exe" pnpui.dll,SimplifiedDINotification
  2⤵
  PID:2724

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "windowsmobiledriverinstaller\UMB\2&26a98e85&0&{93651959-1844-41A3-A490-B40D44808350}" "" "" "6e38643e3" "0000000000000000" "00000000000004A4" "00000000000005B4"
1⤵
PID:2364
- C:\Windows\WindowsMobile\setup.exe
  C:\Windows\WindowsMobile\setup.exe
  2⤵
  PID:1600
- - C:\Windows\WindowsMobile\wmdc.exe
    "C:\Windows\WindowsMobile\wmdc.exe"
    3⤵
    PID:960

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "UMB\UMB\1&841921d&0&ActiveSyncWPDEnumerator" "" "" "6ebc820a3" "0000000000000000" "00000000000005FC" "00000000000005F8"
1⤵
PID:2060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
1⤵
PID:1656

C:\Windows\WindowsMobile\wmdcBase.exe
"C:\Windows\WindowsMobile\wmdcBase.exe"
1⤵
PID:2236

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding
1⤵
PID:2600

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005C8" "0000000000000498"
1⤵
PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76299b.rbs

Filesize
232KB

MD5
051d6ec6bcb2d073d5d28c3fed6015c2

SHA1
c79f41c7ed1b34b773b15672edcb0e323376358d

SHA256
2282566e8ab606d17db12b2ddc60d0598b1444a79ea989083584cd0e88c9bf15

SHA512
0bab2cd36c90651a5b032c6cec99e6d843ff1f888f5bd2670a6571756daa3a9d802879f9691d6200652657e3907186d91c1f8bcbf3aeda777e0e16408b9712f9

Download Submit
C:\Windows\System32\DriverStore\Temp\{0559edd0-897d-7e5a-54d4-987522f75017}\SET4F3A.tmp

Filesize
270KB

MD5
1441a08ca1c99c382df02973e2ec0eb4

SHA1
840a87b8de99118dfe5cfefddf2f5ceefd426f93

SHA256
55b44d6545a3ffd5e2a403f2bd8f6dd3571336448d18b10c89ac291de67aa049

SHA512
443ca04c9b5433c38450f1b7aec30df6a4b63785968175c4ba43eea298cd2e77dc73f82ca5c0b523f7d5238bcff2501d7693d708c7a0e2e6147cec89c2523c8d

Download Submit
C:\Windows\System32\DriverStore\Temp\{0559edd0-897d-7e5a-54d4-987522f75017}\SET4F3B.tmp

Filesize
2KB

MD5
0e82fe6b5d35574371432b627c45e5e1

SHA1
ba948a7afd489cdeb8041a5b77d71c6b7d9bb16b

SHA256
849a8556830a927f71c28a16ca5bcd7b57462d2991f0b0ca7e7266e838d45b41

SHA512
33ef5fbefc8d908403c253879da61ad7fcbb9dc8391c0069946dd73d9e701d5147be3b746bba4990ed4e723b54b010adee7123a43d95a9208a8f62b8500d0fd3

Download Submit
C:\Windows\System32\DriverStore\Temp\{41eca67e-ed89-7130-a7af-da35f206963f}\SET32A8.tmp

Filesize
104KB

MD5
57053fa6ee2c5a1d2229ebb19c15665b

SHA1
f538132a40d4522dd0d19bca434f6f1628270aac

SHA256
b50e236bc08a62fc538ef54623772f2c091df916adef37be4dc6fca351f97c65

SHA512
9c5a82b1f608a051665558de09e56799124938d9f933369faba344543e6fa727e1706e5cda38991c7ca44bd75cec8e70d62dfce518bba1158a96355aff7029b5

Download Submit
C:\Windows\System32\DriverStore\Temp\{41eca67e-ed89-7130-a7af-da35f206963f}\SET32AA.tmp

Filesize
52KB

MD5
bb4e33f66730bcc5d96b23eb8e03f5fc

SHA1
c3df0269c1432307f2f43c893d6fec92d1b6a4e2

SHA256
1ea81135d249b43ffb0e08b45bdb6ca055c2c2d6ea409dddd2b90feb4f22ba96

SHA512
f9f9e8ef5f925e5e2f5f7603f80af60451500a3dd853006f698f2f017167dd6b13a7d4a869a03f282975f4f00942bc3465e987668d926f4e107b0a753c9adbf6

Download Submit
C:\Windows\System32\DriverStore\Temp\{678f9824-57f9-4ee1-caa5-6a58e8c8c704}\SET5218.tmp

Filesize
104KB

MD5
d1fc2f25908e459d1d51fb7a864bf3ef

SHA1
6e13f8e981a0fb92a67b363e6cc23614a02f7c8b

SHA256
0ee344652d6398c5b64695bbbcc543a9cf39c59b510548dfbeac412dd9894529

SHA512
2a1acf77554c11564427d2dd2d0aa4a8259ce007fbc31d0b368fb7e57823e33b386c6248784e3f2dbc1e4b21feae63d698051dbc996e48e31a9f8ff572de15ff

Download Submit
C:\Windows\System32\DriverStore\Temp\{678f9824-57f9-4ee1-caa5-6a58e8c8c704}\SET521A.tmp

Filesize
52KB

MD5
1ac9b27b3c6db65b6fab985f2ff9a02a

SHA1
4daa73f3e5ef0261dd84d9f4da33113a47d065da

SHA256
ddcba8e4d36660f468c2051f2b12ee1b3b4de1d385d38ec5c1c4971761d5f377

SHA512
7b7e17574e10f86a01b906db5710b265679da17e1d822d32f21062efc019b264de3913fc98dccdd7b5672eb6477acf65eeb954c97f1074e9efb2265632a774c2

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
194KB

MD5
c630f23fccce844ba58bedda8b7d7e5e

SHA1
65445ec8b82a529cf8d38718efee76759c243eea

SHA256
ec11ecd4f0d74eff1489b6eeb9e0fc98b1090250688dfa6da7ed41ccfb0f3cd5

SHA512
ca954d471fe1cb0fc8a6a7db63f9873a051ff459d27f017aac820f8c8642e61696929011f31fe66095e3fa13b504d58814869883541b147e3bb0f2dc9b4429b6

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\ceutil.dll

Filesize
72KB

MD5
56312836fe23fadc4f838656d7477a93

SHA1
3cd9154fc3a1995d9e8e769e7acbfe7b65e32601

SHA256
269a3b4ba460fd82409c0646cabaa8b71dccd13b98c564a1fbfca2f5ec99a8a6

SHA512
c0a8697a8cedc8eec2737ad5a0553ea5cf0ae1bfb33f588326d6825abaafbfac9264ea39b2ba3d4a401a119259826253e9267a84c57fe10bd94fc20dc7a21f63

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\da-DK\da-DK-rapimgr.dll.mui

Filesize
5KB

MD5
df44673b2bf8aa885ef78ba6b83f6f35

SHA1
00107a0b82a9a94cfe82cfdbe2f49550f6dcfbb0

SHA256
709f6f613796248227bf1e384408c5e1cea1ec75e36b95c20775f40d23cbde94

SHA512
cd868c0caf98391cd8fcd1e55470c45c5d9ff70e27d9dfbb10fe7a44419361b5791c0ae44ff4cd4d9958307377724f436c454343407dc2a14378dad55e8c9067

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\da-DK\da-DK-setup.exe.mui

Filesize
2KB

MD5
29001ac79f57fd573e088bce466683ad

SHA1
f36cbdd090e691614cce8064edcdd75da01a1dbc

SHA256
80bdd18b8b3df32b72c8c5eb8384136636ecd246b4b304a8ba1a6c105d6d11c5

SHA512
75be2dec26a776dfd1238cc878e38debefc8b98cc1f6638492bbc5b98144cbc5f4843174ecaf95182168986f3646a0c7f7fc0167729dbb1157972d2c8a47db22

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\da-DK\da-DK-wcescomm.dll.mui

Filesize
4KB

MD5
653cdb022a0b721d65a73d31b8932707

SHA1
1f0cacbe6dd5d1d241c1adc58f82ad2079fc1589

SHA256
bea67527a5b2d8fefeaa8bf31867b7da99a9280a74d28174db9aa79b4bca88bc

SHA512
e95252f59f7224a781573277b6a6d3bf1d404a661ef0e7ee5bcc8a94c5a440cebce159758c1c32869a072ef14e343c021f53c1019d7881b0d51bd8125deee04a

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\da-DK\da-DK-wmdConn.cpl.mui

Filesize
2KB

MD5
e47cff4741f128b6ec1d7219377a9de3

SHA1
9b9e4237e823ae5bd115a6438d5b76b02d94bd47

SHA256
f5a3140239545633606bec0a3576975dcb655a8332f03948ff2293311fddf3e0

SHA512
6dafe4ca1bb6295790606668069f111dc602e36412aa735c3f3f1a27b89a67540052cef4bdc411b59b08c46d4c1f9b0ea0e6f5ff36382a426ee129a83becdfbb

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\da-DK\da-DK-wmdc.exe.mui

Filesize
10KB

MD5
a20866d29285ff19d3129613e867a0ce

SHA1
ae7fd57876ce2a45f7f5e3450e27d3bb7ca97ef0

SHA256
5f7743bfc4c08dca44740f65643e07ddf10e58228c34e3a763bdc5c70de78122

SHA512
04753fde462a2f34e7e688d5ffa460d860aa552a676ece8738d753d417b9f6451077eceb809603b6b21a098332e0783ea45adaa1fdd4f816b069f8416be9b4f5

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\de-DE\de-DE-rapimgr.dll.mui

Filesize
5KB

MD5
cf0e3a5093ea1ff2088715865e416e73

SHA1
f40dac09dafdc8c83aabdc6a03fa6b46ea88c171

SHA256
87809414ed112bb1ae6536a8f1164f23281e786430aea7c65bfbe5077351a8cd

SHA512
440ada50a8e4d8e4113ef8ce9a6e293ab68c0f77fe9b29035d6942c73a6864db1f74a4f98860132537ba879efce11d023109a1ad19629871ba13239fc3ed1ba4

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\de-DE\de-DE-setup.exe.mui

Filesize
2KB

MD5
acd448bdf2f48fc9506c84223e6221ba

SHA1
20d12d74cb8edfbe1605fd823fa56627c960fe87

SHA256
800d88c6259cf53c384b31450944d1fdfe9415de41533c2d9a62de120b1e136f

SHA512
efb5819a62fdc91c46130cee120e4af8691855d91162e5c0b548ef9cefc1fd75f6647292f2a3c64d52446054d092cf17a476f2f780acd91512e5c675013703a9

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\de-DE\de-DE-wcescomm.dll.mui

Filesize
3KB

MD5
32764e0b0274de09f649fb9a24d7e24a

SHA1
28fa94324d2e86a6c4f8e183af0b87206ade28f2

SHA256
369e3822d21891ccc83679e1c914f64a422e405f21ac8a959819ee095a6c2d17

SHA512
7a3cfd35daf3a08cff6d1c0abe67bee2cb14c9c820c9af49cbfe3ea602cd4d8d4fda93845a988e7d061ebe5c80e6354c978acee9cc2ab516499e21275285cf2b

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\de-DE\de-DE-wmdConn.cpl.mui

Filesize
2KB

MD5
8bbfe5fbb2db3a7ec147e20d70d09de5

SHA1
3cbfe1855dd0ff8c89e4fd6c7bb6ff06ded862d4

SHA256
cae8e14678b861610e4fd3bc67b2d756809ad35b7acc250ec43444b3ad7a2c94

SHA512
bc5766a41e3c675691b1605a1dc09e1aeb9a8f8080b5bd7c6bdf286fb0a3664eb67b53c1b5fe318e99e18263f0b661bdecdf3e66b3a6a5832a886d6e24d206c0

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\de-DE\de-DE-wmdc.exe.mui

Filesize
11KB

MD5
e8d7ef824193554365a838d26ce9669c

SHA1
a3fb24f8017c5197a972d7d1bead7c2272c3a1ce

SHA256
2e14663b5e982e38ccab4843db2d6a953261536f8156cdc61ab6773a0dceeae2

SHA512
e04c328a619e27dd091ab100baba51f6f8347daeac2ad74333c65c72a38469a4034e9ee5b8dcbb7328d72534db5847a3e2f47e1a54dbfa6eef9793b4cc70a285

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\fi-FI\fi-FI-rapimgr.dll.mui

Filesize
5KB

MD5
8bb9ebcafd827faee9b049692d554775

SHA1
37b7cd334dfd1dfb51bdedb4fae613ed4346b611

SHA256
9c1b3a2a9293cce6a0581ba74589d2d3d373e5d360ec776f599b5acb581b5f31

SHA512
2ed3248c691dd3fe7bf7923937aef3c2794a0b8692199be856ece08d9d2c713dc0351fc48fba702c9350cbbe7e6162d7d37d710b174fb6aae6fed664c7a2df09

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\fi-FI\fi-FI-setup.exe.mui

Filesize
2KB

MD5
b12789d586dda9d0f1ef915b03c82c74

SHA1
4625effd9d7108f6054cd5452b5a15f68c095686

SHA256
ed0170e4600c00a11dd88ea736282299a518d0e86ceb411580f2d25c891bfebc

SHA512
2f620523067f32e6acad7ef2cf7fd65f66234134572b67ce1c4e5e0ee92799e9eefd436ff4f2e8c745902861173cca992c1b49605ed6e75467bf6d5a75eda820

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\fi-FI\fi-FI-wcescomm.dll.mui

Filesize
3KB

MD5
6c7fec9099698d94a537825a4beaf893

SHA1
eca07bdcdf9706d492d68bebfc38871aa557f690

SHA256
31c239e26eba5f321e5588ae8a752067a237289723904576e1f8fe06c47c5c32

SHA512
2f835b1ca14b65389e1bd4ce32454dd9a434dea1ec6152f3ada961eb07189e3b4762112db08cf577177ca32e16d6a6bea453ef9435084ca9e20be099345cc3db

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\fi-FI\fi-FI-wmdConn.cpl.mui

Filesize
2KB

MD5
5c32cf554ac4dbb94440ddddb6292dbf

SHA1
8b3d4ddfbfabbe2fb283a9ccd58934adb8b439a6

SHA256
11a6562fe625bb8ab4632c7e68ad6d07649dfcbf29992eac37887cb0aafe1bc4

SHA512
f9722fffa0075ff9ef6aabce6fe8cb204d2c017a9e91a0e3e97ca88ba4978bf1d5d0b3a454a8ce366db87ad15e4c22e20329caa14f39c4f13221ebd80c3b8444

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\fi-FI\fi-FI-wmdc.exe.mui

Filesize
10KB

MD5
f3ccd69a495c842e0139939433974d29

SHA1
ea90916f4601cbecddefa48f57f597222d200e6a

SHA256
cae13da6c67737afc9a6e2055b8b29711c7d952f44f5a99cea40f9f03b063363

SHA512
8a4bc7dbd5359d54827b34e419226687bf4d6231440f0b48b254d6719ab088418fae908e49b62f5cf0e61f09a1ef6f0c6b5c3c0fdb598caada1ffb339a617090

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\rapi.dll

Filesize
120KB

MD5
2978388067e79b781bff6dd2ab565376

SHA1
cfb8c5b1958c2847c04d037decbfdd292183b661

SHA256
35345c29085d47ace4e14b46f6b32b2499a732e2f9decb45c750ec985bc3d7b2

SHA512
464bf0153d5297437fb12394445d5d83cdfe38791377b7f746e41d98445e0c25d7c85d2586eeca287891304d631205d7f8fc68ea3ee84d16973766fe3573bc37

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\rapispxy.dll

Filesize
33KB

MD5
7b40621518648a67e8f543904696a219

SHA1
b8c3be795d17fb8d7ef84762409a7668b8a7f408

SHA256
2d2fd3cc46cb6ade30d548706e04e60bd36fc7a818a32f175e294dd163f8042d

SHA512
a3b7fcafc0c5feb69959a76daf92a6f168f603f04d44098837c6e08015b771a97c0dc545a3ffb97384a040838cf8f10eec7f6bfd336803b828d6f79406057a56

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\rapistub.dll

Filesize
247KB

MD5
6c457c8e7d16a708f7818877f570adfc

SHA1
5bc7233471db21c1bb65c59ba90b7185103a4592

SHA256
8d6e76c6bef767f803d9435d5ea1485ed2e1b834d4e926708c4bb2fa5c0309d5

SHA512
abfa59551bf452ac6dd26420eb861bc5e3b9e289e8db6cd09db427fce1f9a6d39ab1b773d856681ba3b377ef75830ccc2d8e72ee87ea503c3e53b1628c4650b3

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\setup.exe

Filesize
124KB

MD5
98e6650c197d97363acca3f07c7b2060

SHA1
1ad00ba8af9521cdff3efe460173f4c1a37f27db

SHA256
6b031f58e48fa2036ac65b3fb33541d5edcb2eed25fce72b8fb7a09b8bdc58d3

SHA512
e8772e555b876c3531bc70ef011d76a4d2be5cd0d6d7920a0ff4b64ae9735933404b87c037e83df5c779108546bb7eeb81f36e9d657963079904b215ba6dd698

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\wcescpxy.dll

Filesize
39KB

MD5
b44a28651149d885fcd33fec08a7733c

SHA1
825315e62b3639defdeb6039e66b55630794987b

SHA256
24d61941fd2b9101990308541a5ce85dda2b1f8e7442c165b173e3fc8bcf4195

SHA512
eb902963073a2a4960c3ca30f2077420a1be41f3f88ca896f1438814b0433e4268ac456399b476e573877d1b5bc24a232cf705ff0838b590dc872517ec26831b

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\wmcoinst-070531-0952.dll

Filesize
51KB

MD5
6343539f6b68b0dec63644617e05cef6

SHA1
e9d6f66b3d43058411113bfab2b0b47527163e96

SHA256
7c1a092c27d0f9a64211d75d11cc8e6b26c9774cf09a2ef924ab9071ba0e23b4

SHA512
2b375c277eaafd516c3d3dd7b1ceb0da2c0f2369d4b3f7f8e9e107d009f399767a16ca103cb7294585f70235fc2984f3a2a6e88262003e29b85c48aca01fc303

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\wmdc.exe

Filesize
644KB

MD5
233a10d4b3f6897899112e4ec60f1906

SHA1
5fdf32c9bea32c181e55226b2b3cbe00154b94a5

SHA256
1f7e768e57064938114df2efc5b219eb0d30a7d9e574924e9ced054462505af0

SHA512
34de4fffcd8f3b3b3ebe8444b91dc04dfae1ee9c678f64d6b6921048756e3a40962992539df0ae7041b7198491a4dd9122b7c2e35c9ba1ddc1b21e0e94cc8b73

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\wmupdate.msi

Filesize
11.2MB

MD5
87095bc823e2e295e5b2a387b15e409b

SHA1
9ed294d2566d1d5b7efc0fee9b2102211301ff19

SHA256
75cf9dcd683557833942d3216deb5e54dae9b194401107a253e1bee343133b41

SHA512
c01bafb5382b8c48fcde2e29cfbcc40ed11804471297385143f31c921a7377a140dcd4df193232c37754da91ab616e2a7c7605678f9d0b6c71d63a5c6b92a6c9

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\wow64-ceutil.dll

Filesize
73KB

MD5
b0b4c590c0cae7741da17e3dc86cc828

SHA1
bfbb3736db11b40fe68f8e677724b4eade4a2e51

SHA256
b0fd9c7d34b5eea1346e98ac499e503ab67672fbd3a48cb482e139f1bc05d55e

SHA512
2f40c097f6bd15a498a5659927bfa73a1066953727d89e9ec25af4ce6bd2fb6a2bd9d51ab9b8b2f0fd8d56aa17eb9e93f055ecfb3474996250922476af66e06a

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\wow64-rapi.dll

Filesize
102KB

MD5
11fbb8cb6865b7ba387095398eb91ed4

SHA1
c86530c9c696212acb52db0cc1219851aa7b9231

SHA256
8a565aa6319ceaaddf67598ae95eee174649a852f56b3efb7f3a11cd2f786986

SHA512
1bd3a7ccd4382efcdf7e23aeae73b9c9e47c91bc7dbe9fcf3d1312cc30fd458bdfefa0dcb8c5a36fd640f2610277e1b302c6096afc9120def5e86794da151a6e

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\wow64-rapispxy.dll

Filesize
23KB

MD5
3379989f06b31347792836dcf028a325

SHA1
cf3964bcaae3fcdcb1122eea81f1be52b738e268

SHA256
d1689ef16bf6419cd131fba7683926608aaebaa540302dcb067f8a60f37abaf3

SHA512
8fe625ca4ee573d9286865098b672f16e8ede2488b9ba1552a481bb08c6644d5d9312da765e56fb79e3e64a38b1804d6eb806aa2ac0cc16998a7d301159882fc

Download Submit
C:\Windows\WINDOW~1\Drivers\RNDIS\wow64-wcescpxy.dll

Filesize
24KB

MD5
917422e1b95a72b0328b301bacbf1b07

SHA1
009407ba2a0f5e617896777dcd7bbf65f613d891

SHA256
b2452a303ec960f14fd1ab2d346b611d16e72061b5508eabb0f468cd30892e68

SHA512
394414393c2d95f7985f84725b0a98541d6ca58b96b3b6e3af0d56a8aa0f752b743468429bf6a882fdb2d9ac625a7c758d8f787be233ca89ef4152b6fdf9d422

Download Submit
memory/960-5827-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1600-5062-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1940-4325-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2132-5758-0x00000000730ED000-0x00000000730F8000-memory.dmp

Filesize
44KB

Download
memory/2132-5757-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2132-5802-0x00000000730ED000-0x00000000730F8000-memory.dmp

Filesize
44KB

Download
memory/2132-5801-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2236-5063-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads