d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
Size

603KB
MD5

b80a29696d65f4ba7b096ed709c9b40a
SHA1

f4e306e527dae7ac6ed5cbe88953cd8b4088c924
SHA256

d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05
SHA512

9fd1709199782ff85847048cdb764e91dfcf2242b1f60307a6735faf666f2b86726e8b7bde913d09323d996cf746f417bcac35c2fcef4e40b393bffa1210140a
SSDEEP

12288:WIny5DYTfI55NAonZuv+nif/CwVWzAegPbxOIWfmW0:YUTfeMonZuvhf/vEAjbxti50

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1804 installd.exe
892 nethtsrv.exe
1944 netupdsrv.exe
1756 nethtsrv.exe
1248 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe

pid	process
1804	installd.exe
892	nethtsrv.exe
1944	netupdsrv.exe
1756	nethtsrv.exe
1248	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
1804	installd.exe
2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
892	nethtsrv.exe
892	nethtsrv.exe
2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
1756	nethtsrv.exe
1756	nethtsrv.exe
2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
File created	C:\Windows\SysWOW64\installd.exe	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe

Drops file in Program Files directory 3 IoCs

Processes:

d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1756 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1756	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2036 wrote to memory of 1740	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1740	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1740	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1740	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 1740 wrote to memory of 1892	1740	net.exe	net1.exe
PID 1740 wrote to memory of 1892	1740	net.exe	net1.exe
PID 1740 wrote to memory of 1892	1740	net.exe	net1.exe
PID 1740 wrote to memory of 1892	1740	net.exe	net1.exe
PID 2036 wrote to memory of 1216	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1216	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1216	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1216	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 1216 wrote to memory of 1876	1216	net.exe	net1.exe
PID 1216 wrote to memory of 1876	1216	net.exe	net1.exe
PID 1216 wrote to memory of 1876	1216	net.exe	net1.exe
PID 1216 wrote to memory of 1876	1216	net.exe	net1.exe
PID 2036 wrote to memory of 1804	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	installd.exe
PID 2036 wrote to memory of 1804	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	installd.exe
PID 2036 wrote to memory of 1804	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	installd.exe
PID 2036 wrote to memory of 1804	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	installd.exe
PID 2036 wrote to memory of 1804	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	installd.exe
PID 2036 wrote to memory of 1804	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	installd.exe
PID 2036 wrote to memory of 1804	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	installd.exe
PID 2036 wrote to memory of 892	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	nethtsrv.exe
PID 2036 wrote to memory of 892	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	nethtsrv.exe
PID 2036 wrote to memory of 892	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	nethtsrv.exe
PID 2036 wrote to memory of 892	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	nethtsrv.exe
PID 2036 wrote to memory of 1944	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	netupdsrv.exe
PID 2036 wrote to memory of 1944	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	netupdsrv.exe
PID 2036 wrote to memory of 1944	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	netupdsrv.exe
PID 2036 wrote to memory of 1944	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	netupdsrv.exe
PID 2036 wrote to memory of 1944	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	netupdsrv.exe
PID 2036 wrote to memory of 1944	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	netupdsrv.exe
PID 2036 wrote to memory of 1944	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	netupdsrv.exe
PID 2036 wrote to memory of 1888	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1888	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1888	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1888	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 1888 wrote to memory of 528	1888	net.exe	net1.exe
PID 1888 wrote to memory of 528	1888	net.exe	net1.exe
PID 1888 wrote to memory of 528	1888	net.exe	net1.exe
PID 1888 wrote to memory of 528	1888	net.exe	net1.exe
PID 2036 wrote to memory of 1784	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1784	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1784	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 2036 wrote to memory of 1784	2036	d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe	net.exe
PID 1784 wrote to memory of 1780	1784	net.exe	net1.exe
PID 1784 wrote to memory of 1780	1784	net.exe	net1.exe
PID 1784 wrote to memory of 1780	1784	net.exe	net1.exe
PID 1784 wrote to memory of 1780	1784	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe
"C:\Users\Admin\AppData\Local\Temp\d91c4e1f188c0462f24e4db16af0ec5482a7b088fcd2094dbd87538ddc5def05.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1892

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1876

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:528

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1780

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1248

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0a8f55f801ededa8d25b12c13562cde0

SHA1
4bacbbd2a98c5582f360cf7d31e887debe0867a3

SHA256
ead9629f3ad3381ff51761a3946a73bf4caf77135d4598a5452eeeaa7fcbe2e9

SHA512
cf9282bdec5c57f11c36e3e7ad8cdcdcc9c8426759f9ad359aef39ade10acd8ca51b72834f0f9853a90b831f18ef2ff36ea142d1f365614f5b70deb55385a0da

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ebc2f49067b50fca066efbbc36364bf3

SHA1
c88958a292d0bf82eb4e9e4f73b5d66c8b841e83

SHA256
b93a44a8c210c0b15534934f32f22ae93e7214f99f85df8462d4d8c03970a38b

SHA512
a2437e289061903703e790d0fb41c1f30bd8525d6f7e43ed0cb1c248fdf1e8db47bbcfec3ffa50c2f58dd3ca36b0627df02d89fd03e298302122869f9aa498f0

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a19001c2dde8634ccda8e23ed69691de

SHA1
48d4bbbd995dddf7775a3bacc70308a70953b031

SHA256
79ea996b93790c62d23ea09fd7a06babbcf96de06d5f3c71b04b2a5f7320a0dd

SHA512
d36ef71d291101b6b7342c656397d0b98e15ff56ea35308778e93677fe4668b8c1e8cdb3b8912294065ca065a976d042653e4a771393a00ea506f3e404e9e15f

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3c3e1ec023b33059988ebf3bb1bd7e2b

SHA1
a22429e964c1cbbe356ea3612103954cb48193ca

SHA256
e12a37fcd9eb6030fb032d2d5b717a03caeb391e30fdae1a04a75e3b918c1fe5

SHA512
44864c7e9e515647ee4573b9879230649a89151b4cc070cea72a58918d4461388d7d224107856a312f23650035ad104b43e92df0914f4a3c57585339c5d27976

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3c3e1ec023b33059988ebf3bb1bd7e2b

SHA1
a22429e964c1cbbe356ea3612103954cb48193ca

SHA256
e12a37fcd9eb6030fb032d2d5b717a03caeb391e30fdae1a04a75e3b918c1fe5

SHA512
44864c7e9e515647ee4573b9879230649a89151b4cc070cea72a58918d4461388d7d224107856a312f23650035ad104b43e92df0914f4a3c57585339c5d27976

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
6d4da1590fc271e580a895e9f22e5e84

SHA1
ab9f14e20ac21ad6630b14cdf41ca9c9a0d40aa2

SHA256
a0e8f599bcba881cf29fae4def7e4ba446f54e877b72aedcd59a7dd5ec928e8c

SHA512
9489d74720845bb033d8b7763db855afcc1f72bc5e64e4b031f8fdeab79227553f1033650b8097f926cebe6d90c1801c26cb5f9ee9fb04f85e988472c014f88e

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
6d4da1590fc271e580a895e9f22e5e84

SHA1
ab9f14e20ac21ad6630b14cdf41ca9c9a0d40aa2

SHA256
a0e8f599bcba881cf29fae4def7e4ba446f54e877b72aedcd59a7dd5ec928e8c

SHA512
9489d74720845bb033d8b7763db855afcc1f72bc5e64e4b031f8fdeab79227553f1033650b8097f926cebe6d90c1801c26cb5f9ee9fb04f85e988472c014f88e

Download Submit
\Users\Admin\AppData\Local\Temp\nso1114.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso1114.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1114.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1114.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1114.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0a8f55f801ededa8d25b12c13562cde0

SHA1
4bacbbd2a98c5582f360cf7d31e887debe0867a3

SHA256
ead9629f3ad3381ff51761a3946a73bf4caf77135d4598a5452eeeaa7fcbe2e9

SHA512
cf9282bdec5c57f11c36e3e7ad8cdcdcc9c8426759f9ad359aef39ade10acd8ca51b72834f0f9853a90b831f18ef2ff36ea142d1f365614f5b70deb55385a0da

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0a8f55f801ededa8d25b12c13562cde0

SHA1
4bacbbd2a98c5582f360cf7d31e887debe0867a3

SHA256
ead9629f3ad3381ff51761a3946a73bf4caf77135d4598a5452eeeaa7fcbe2e9

SHA512
cf9282bdec5c57f11c36e3e7ad8cdcdcc9c8426759f9ad359aef39ade10acd8ca51b72834f0f9853a90b831f18ef2ff36ea142d1f365614f5b70deb55385a0da

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0a8f55f801ededa8d25b12c13562cde0

SHA1
4bacbbd2a98c5582f360cf7d31e887debe0867a3

SHA256
ead9629f3ad3381ff51761a3946a73bf4caf77135d4598a5452eeeaa7fcbe2e9

SHA512
cf9282bdec5c57f11c36e3e7ad8cdcdcc9c8426759f9ad359aef39ade10acd8ca51b72834f0f9853a90b831f18ef2ff36ea142d1f365614f5b70deb55385a0da

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ebc2f49067b50fca066efbbc36364bf3

SHA1
c88958a292d0bf82eb4e9e4f73b5d66c8b841e83

SHA256
b93a44a8c210c0b15534934f32f22ae93e7214f99f85df8462d4d8c03970a38b

SHA512
a2437e289061903703e790d0fb41c1f30bd8525d6f7e43ed0cb1c248fdf1e8db47bbcfec3ffa50c2f58dd3ca36b0627df02d89fd03e298302122869f9aa498f0

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ebc2f49067b50fca066efbbc36364bf3

SHA1
c88958a292d0bf82eb4e9e4f73b5d66c8b841e83

SHA256
b93a44a8c210c0b15534934f32f22ae93e7214f99f85df8462d4d8c03970a38b

SHA512
a2437e289061903703e790d0fb41c1f30bd8525d6f7e43ed0cb1c248fdf1e8db47bbcfec3ffa50c2f58dd3ca36b0627df02d89fd03e298302122869f9aa498f0

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a19001c2dde8634ccda8e23ed69691de

SHA1
48d4bbbd995dddf7775a3bacc70308a70953b031

SHA256
79ea996b93790c62d23ea09fd7a06babbcf96de06d5f3c71b04b2a5f7320a0dd

SHA512
d36ef71d291101b6b7342c656397d0b98e15ff56ea35308778e93677fe4668b8c1e8cdb3b8912294065ca065a976d042653e4a771393a00ea506f3e404e9e15f

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3c3e1ec023b33059988ebf3bb1bd7e2b

SHA1
a22429e964c1cbbe356ea3612103954cb48193ca

SHA256
e12a37fcd9eb6030fb032d2d5b717a03caeb391e30fdae1a04a75e3b918c1fe5

SHA512
44864c7e9e515647ee4573b9879230649a89151b4cc070cea72a58918d4461388d7d224107856a312f23650035ad104b43e92df0914f4a3c57585339c5d27976

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
6d4da1590fc271e580a895e9f22e5e84

SHA1
ab9f14e20ac21ad6630b14cdf41ca9c9a0d40aa2

SHA256
a0e8f599bcba881cf29fae4def7e4ba446f54e877b72aedcd59a7dd5ec928e8c

SHA512
9489d74720845bb033d8b7763db855afcc1f72bc5e64e4b031f8fdeab79227553f1033650b8097f926cebe6d90c1801c26cb5f9ee9fb04f85e988472c014f88e

Download Submit
memory/528-81-0x0000000000000000-mapping.dmp

Download
memory/892-70-0x0000000000000000-mapping.dmp

Download
memory/1216-60-0x0000000000000000-mapping.dmp

Download
memory/1740-57-0x0000000000000000-mapping.dmp

Download
memory/1780-87-0x0000000000000000-mapping.dmp

Download
memory/1784-86-0x0000000000000000-mapping.dmp

Download
memory/1804-64-0x0000000000000000-mapping.dmp

Download
memory/1876-61-0x0000000000000000-mapping.dmp

Download
memory/1888-80-0x0000000000000000-mapping.dmp

Download
memory/1892-58-0x0000000000000000-mapping.dmp

Download
memory/1944-76-0x0000000000000000-mapping.dmp

Download
memory/2036-54-0x00000000762D1000-0x00000000762D3000-memory.dmp

Filesize
8KB

Download
memory/2036-62-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2036-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads