f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb

Analysis

max time kernel
36s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
Size

603KB
MD5

eb951996b1881b72ce5d0fac206cdd26
SHA1

bcdffd1466d2c5f8a6ac120be8a576bbdb38d8bc
SHA256

f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb
SHA512

40e8e9870294f7e953d890027a0dfae92f37c9d91b0a88501f9cee0920906a212adbf35266b3f1543439741f2dd4f3219cadc10c722e13486d657d98fd9985b9
SSDEEP

12288:zIny5DYTEV7mt5LLK1N9kEOxCeL8Koa+whPs:bUTEV7mtONORL8KBG

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1560 installd.exe
572 nethtsrv.exe
1492 netupdsrv.exe
1384 nethtsrv.exe
1552 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe

pid	process
1560	installd.exe
572	nethtsrv.exe
1492	netupdsrv.exe
1384	nethtsrv.exe
1552	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
1560	installd.exe
1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
572	nethtsrv.exe
572	nethtsrv.exe
1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
1384	nethtsrv.exe
1384	nethtsrv.exe
1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
File created	C:\Windows\SysWOW64\installd.exe	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe

Drops file in Program Files directory 3 IoCs

Processes:

f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1384 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1384	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1488 wrote to memory of 1692	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1692	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1692	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1692	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1692 wrote to memory of 1688	1692	net.exe	net1.exe
PID 1692 wrote to memory of 1688	1692	net.exe	net1.exe
PID 1692 wrote to memory of 1688	1692	net.exe	net1.exe
PID 1692 wrote to memory of 1688	1692	net.exe	net1.exe
PID 1488 wrote to memory of 1524	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1524	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1524	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1524	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1524 wrote to memory of 1792	1524	net.exe	net1.exe
PID 1524 wrote to memory of 1792	1524	net.exe	net1.exe
PID 1524 wrote to memory of 1792	1524	net.exe	net1.exe
PID 1524 wrote to memory of 1792	1524	net.exe	net1.exe
PID 1488 wrote to memory of 1560	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	installd.exe
PID 1488 wrote to memory of 572	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	nethtsrv.exe
PID 1488 wrote to memory of 572	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	nethtsrv.exe
PID 1488 wrote to memory of 572	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	nethtsrv.exe
PID 1488 wrote to memory of 572	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	nethtsrv.exe
PID 1488 wrote to memory of 1492	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	netupdsrv.exe
PID 1488 wrote to memory of 1376	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1376	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1376	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1376	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1376 wrote to memory of 1952	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1952	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1952	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1952	1376	net.exe	net1.exe
PID 1488 wrote to memory of 1936	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1936	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1936	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1488 wrote to memory of 1936	1488	f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe	net.exe
PID 1936 wrote to memory of 2016	1936	net.exe	net1.exe
PID 1936 wrote to memory of 2016	1936	net.exe	net1.exe
PID 1936 wrote to memory of 2016	1936	net.exe	net1.exe
PID 1936 wrote to memory of 2016	1936	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe
"C:\Users\Admin\AppData\Local\Temp\f4a8481c20d48dcd465c50f56cb8c293529c85739f8e6b5b70ec8b7df6f09bdb.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1688

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1792

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1952

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:2016

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1552

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e0ff2bab5ac2af6abb719e1e38e2288f

SHA1
b278296c6486ec2fdbec7f8fd70176cf531d9989

SHA256
36f431cee70ba4497fd197f2bf2220ed9daa1518af400e02c7fbaa75f185ed83

SHA512
d9bbb6e0536115ebe95bb95579d6f9213e3a022c41fe24e6314973e352928c6d82974307194202fef3813e88d22dd5ee9db13ec0b1928094b2b5a786c6a58fc3

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ef3cf8fa0f55a8fa5442d0e152d24a11

SHA1
37618782517a155bae06b3c915304d5d40764d51

SHA256
aee0278aece695691cd1b12ba8e4b43bd9ce91fc02b75b1bad85870e4673ac8b

SHA512
77152f64a897e3270d1da9ebb71a9e1cca74286ecedef5a3059b72d4bdad66b7d9fb2ecce2ac8c17d7c585ee6000f4b601e4d0702c22c9d354cb0ee58b26bc8f

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
72d9794c4459d765d3fdbe62b63ff8d0

SHA1
56230b29d754acd2e73f6e569d89089fcd126c9a

SHA256
a049d29b550985cd7b819d74ef82dbd9f8b737e61d0811f7654dd60d3e5d5800

SHA512
add376cbb4fda5730a2a3fa54b9af627650ca904a587fdd9f3a4db6c2a82e2bd2c2b1398b500fe58319debeb4992080f30baa0a584a3dc15a6a038c851de27bd

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
bc1f0df2d5bb3ec34358937d8d36729d

SHA1
00082a744031fcd0c81585b47bef0b02a7ee4214

SHA256
e543b033174d0a8e1b07a50777f5d44fa4c6d69e1190f00414d818c22756935b

SHA512
719a3993ba43866a048c58e230b50bb14917475c7cdef6c63b3a2acf89d37c7926fc37a4127fb62114c0ad006f328f0de4ff2b4de59d3d74466473c29651a09c

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
bc1f0df2d5bb3ec34358937d8d36729d

SHA1
00082a744031fcd0c81585b47bef0b02a7ee4214

SHA256
e543b033174d0a8e1b07a50777f5d44fa4c6d69e1190f00414d818c22756935b

SHA512
719a3993ba43866a048c58e230b50bb14917475c7cdef6c63b3a2acf89d37c7926fc37a4127fb62114c0ad006f328f0de4ff2b4de59d3d74466473c29651a09c

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
41e39583efe0ae11613736379573f278

SHA1
347c1222e52d47cb165fb91a8fe7efe001776159

SHA256
4530e53c173bee5baac75335bc1043da210175d59cae5c6bf474fc432e64a25b

SHA512
c4e5acf380a6077878bec1c7c6dadb31de4c86daf94e0d27a4e2f18d7d841c90aa3ef88f24ae34ae741429459c7f0c6cacb02095a5ac202628f359072f964b7a

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
41e39583efe0ae11613736379573f278

SHA1
347c1222e52d47cb165fb91a8fe7efe001776159

SHA256
4530e53c173bee5baac75335bc1043da210175d59cae5c6bf474fc432e64a25b

SHA512
c4e5acf380a6077878bec1c7c6dadb31de4c86daf94e0d27a4e2f18d7d841c90aa3ef88f24ae34ae741429459c7f0c6cacb02095a5ac202628f359072f964b7a

Download Submit
\Users\Admin\AppData\Local\Temp\nst67BB.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst67BB.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst67BB.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst67BB.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst67BB.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e0ff2bab5ac2af6abb719e1e38e2288f

SHA1
b278296c6486ec2fdbec7f8fd70176cf531d9989

SHA256
36f431cee70ba4497fd197f2bf2220ed9daa1518af400e02c7fbaa75f185ed83

SHA512
d9bbb6e0536115ebe95bb95579d6f9213e3a022c41fe24e6314973e352928c6d82974307194202fef3813e88d22dd5ee9db13ec0b1928094b2b5a786c6a58fc3

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e0ff2bab5ac2af6abb719e1e38e2288f

SHA1
b278296c6486ec2fdbec7f8fd70176cf531d9989

SHA256
36f431cee70ba4497fd197f2bf2220ed9daa1518af400e02c7fbaa75f185ed83

SHA512
d9bbb6e0536115ebe95bb95579d6f9213e3a022c41fe24e6314973e352928c6d82974307194202fef3813e88d22dd5ee9db13ec0b1928094b2b5a786c6a58fc3

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e0ff2bab5ac2af6abb719e1e38e2288f

SHA1
b278296c6486ec2fdbec7f8fd70176cf531d9989

SHA256
36f431cee70ba4497fd197f2bf2220ed9daa1518af400e02c7fbaa75f185ed83

SHA512
d9bbb6e0536115ebe95bb95579d6f9213e3a022c41fe24e6314973e352928c6d82974307194202fef3813e88d22dd5ee9db13ec0b1928094b2b5a786c6a58fc3

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ef3cf8fa0f55a8fa5442d0e152d24a11

SHA1
37618782517a155bae06b3c915304d5d40764d51

SHA256
aee0278aece695691cd1b12ba8e4b43bd9ce91fc02b75b1bad85870e4673ac8b

SHA512
77152f64a897e3270d1da9ebb71a9e1cca74286ecedef5a3059b72d4bdad66b7d9fb2ecce2ac8c17d7c585ee6000f4b601e4d0702c22c9d354cb0ee58b26bc8f

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ef3cf8fa0f55a8fa5442d0e152d24a11

SHA1
37618782517a155bae06b3c915304d5d40764d51

SHA256
aee0278aece695691cd1b12ba8e4b43bd9ce91fc02b75b1bad85870e4673ac8b

SHA512
77152f64a897e3270d1da9ebb71a9e1cca74286ecedef5a3059b72d4bdad66b7d9fb2ecce2ac8c17d7c585ee6000f4b601e4d0702c22c9d354cb0ee58b26bc8f

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
72d9794c4459d765d3fdbe62b63ff8d0

SHA1
56230b29d754acd2e73f6e569d89089fcd126c9a

SHA256
a049d29b550985cd7b819d74ef82dbd9f8b737e61d0811f7654dd60d3e5d5800

SHA512
add376cbb4fda5730a2a3fa54b9af627650ca904a587fdd9f3a4db6c2a82e2bd2c2b1398b500fe58319debeb4992080f30baa0a584a3dc15a6a038c851de27bd

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
bc1f0df2d5bb3ec34358937d8d36729d

SHA1
00082a744031fcd0c81585b47bef0b02a7ee4214

SHA256
e543b033174d0a8e1b07a50777f5d44fa4c6d69e1190f00414d818c22756935b

SHA512
719a3993ba43866a048c58e230b50bb14917475c7cdef6c63b3a2acf89d37c7926fc37a4127fb62114c0ad006f328f0de4ff2b4de59d3d74466473c29651a09c

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
41e39583efe0ae11613736379573f278

SHA1
347c1222e52d47cb165fb91a8fe7efe001776159

SHA256
4530e53c173bee5baac75335bc1043da210175d59cae5c6bf474fc432e64a25b

SHA512
c4e5acf380a6077878bec1c7c6dadb31de4c86daf94e0d27a4e2f18d7d841c90aa3ef88f24ae34ae741429459c7f0c6cacb02095a5ac202628f359072f964b7a

Download Submit
memory/572-70-0x0000000000000000-mapping.dmp

Download
memory/1376-80-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1488-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1492-76-0x0000000000000000-mapping.dmp

Download
memory/1524-61-0x0000000000000000-mapping.dmp

Download
memory/1560-64-0x0000000000000000-mapping.dmp

Download
memory/1688-59-0x0000000000000000-mapping.dmp

Download
memory/1692-58-0x0000000000000000-mapping.dmp

Download
memory/1792-62-0x0000000000000000-mapping.dmp

Download
memory/1936-86-0x0000000000000000-mapping.dmp

Download
memory/1952-81-0x0000000000000000-mapping.dmp

Download
memory/2016-87-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads