d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae

Analysis

max time kernel
41s
max time network
30s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
Size

602KB
MD5

74a6fa31689f45201aeee369ebf60ec1
SHA1

898826023183a811b32afe710869d9dc09a3bd83
SHA256

d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae
SHA512

242c348d0f234b8c39fe0e33906719117601336d92b5db58606e5a9eedc9cc917ee2869b798f804abc8b5c29952f659656c0fdff95600f4e6a6978b94864168a
SSDEEP

12288:9Iny5DYT72LG+7snvHiSNNXHy0YaDF/YLfmq5ZuvUDyCxxvi:pUT7lniEcbah/yp5wvUDpx

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1708 installd.exe
108 nethtsrv.exe
824 netupdsrv.exe
1756 nethtsrv.exe
1812 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe

pid	process
1708	installd.exe
108	nethtsrv.exe
824	netupdsrv.exe
1756	nethtsrv.exe
1812	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
1708	installd.exe
1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
108	nethtsrv.exe
108	nethtsrv.exe
1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
1756	nethtsrv.exe
1756	nethtsrv.exe
1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe

description	ioc	process
File created	C:\Windows\SysWOW64\netupdsrv.exe	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
File created	C:\Windows\SysWOW64\installd.exe	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe

Drops file in Program Files directory 3 IoCs

Processes:

d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1756 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1756	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1828 wrote to memory of 1508	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1508	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1508	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1508	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1508 wrote to memory of 1496	1508	net.exe	net1.exe
PID 1508 wrote to memory of 1496	1508	net.exe	net1.exe
PID 1508 wrote to memory of 1496	1508	net.exe	net1.exe
PID 1508 wrote to memory of 1496	1508	net.exe	net1.exe
PID 1828 wrote to memory of 1932	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1932	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1932	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1932	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1932 wrote to memory of 1632	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1632	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1632	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1632	1932	net.exe	net1.exe
PID 1828 wrote to memory of 1708	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	installd.exe
PID 1828 wrote to memory of 1708	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	installd.exe
PID 1828 wrote to memory of 1708	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	installd.exe
PID 1828 wrote to memory of 1708	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	installd.exe
PID 1828 wrote to memory of 1708	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	installd.exe
PID 1828 wrote to memory of 1708	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	installd.exe
PID 1828 wrote to memory of 1708	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	installd.exe
PID 1828 wrote to memory of 108	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	nethtsrv.exe
PID 1828 wrote to memory of 108	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	nethtsrv.exe
PID 1828 wrote to memory of 108	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	nethtsrv.exe
PID 1828 wrote to memory of 108	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	nethtsrv.exe
PID 1828 wrote to memory of 824	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	netupdsrv.exe
PID 1828 wrote to memory of 824	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	netupdsrv.exe
PID 1828 wrote to memory of 824	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	netupdsrv.exe
PID 1828 wrote to memory of 824	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	netupdsrv.exe
PID 1828 wrote to memory of 824	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	netupdsrv.exe
PID 1828 wrote to memory of 824	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	netupdsrv.exe
PID 1828 wrote to memory of 824	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	netupdsrv.exe
PID 1828 wrote to memory of 1548	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1548	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1548	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1548	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1548 wrote to memory of 1844	1548	net.exe	net1.exe
PID 1548 wrote to memory of 1844	1548	net.exe	net1.exe
PID 1548 wrote to memory of 1844	1548	net.exe	net1.exe
PID 1548 wrote to memory of 1844	1548	net.exe	net1.exe
PID 1828 wrote to memory of 1792	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1792	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1792	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1828 wrote to memory of 1792	1828	d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe	net.exe
PID 1792 wrote to memory of 2020	1792	net.exe	net1.exe
PID 1792 wrote to memory of 2020	1792	net.exe	net1.exe
PID 1792 wrote to memory of 2020	1792	net.exe	net1.exe
PID 1792 wrote to memory of 2020	1792	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe
"C:\Users\Admin\AppData\Local\Temp\d956804f43f24cde977090383313c2aa5513964d8f5d09b9d39adfc5c6b22eae.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1828

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1496

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1632

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:824

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1844

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1792

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:2020

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1812

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
5b4afdf090d195a92f7dc2dc2a228688

SHA1
6b033161ceeafc005e8c5e067bb68be25debca7c

SHA256
4095b66264d83a28537778d5dd3d6df02b166191203bae3f9d27eca5de4298db

SHA512
85c3b66b9d9b07eab462d8bb37a4b830a7c84d30eccafed6ef5644a8cd5c4a3616b8c7a1183cf45af284536e56b9612cd543426985988115392ee4a02408922b

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
5f73d04b1dcff6c6f09e1e4a357ad240

SHA1
55a6c54316a299b2a0554b05f823217d9ba91684

SHA256
9b3b6050802a5f6173182c96b55d98a85aff0e67d674ce7e1dc059793398df40

SHA512
c075ae871bcf3c9dc4bfabe07a2450fd3498a51d85c689d52593410b22c48d341ccb59c6338998f9708481e6fed39c5c404a8f0cac9c970c4a7db792d0e5bd7a

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
8d2c834acf98a015e2166daecfdaabb0

SHA1
dd81210f5552e68a671ca88516e63ab4175ad51d

SHA256
e5f83b2633502250cefe00c094f3c99caceb33a0c379c4aa39ca8c5d49446971

SHA512
31b86055d3d34f466665e4596d62a4e747610a807aafa98fb7adce6128bcc692fc7208527a4c2ea28f7a322b4440d0ac79a83dd819453aac888f1b94ca3e0d12

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c7f639c7f3c0dfd8eb39e3ac6cec8409

SHA1
bb72b972ae25e7b366111185ab4386079206327c

SHA256
5f8df3defc42dbc2aa1dcee48c5023d0cf14aceaf6c3e8e62f304a59ab5bd911

SHA512
fa3dcd3de43ffeaf911775373ac7e293d149b0d8541421ce7eac5709246ed0e249ae08bf4cbd3c0945eea977068736701fcc8262b37327bf6db814b1a8b44656

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c7f639c7f3c0dfd8eb39e3ac6cec8409

SHA1
bb72b972ae25e7b366111185ab4386079206327c

SHA256
5f8df3defc42dbc2aa1dcee48c5023d0cf14aceaf6c3e8e62f304a59ab5bd911

SHA512
fa3dcd3de43ffeaf911775373ac7e293d149b0d8541421ce7eac5709246ed0e249ae08bf4cbd3c0945eea977068736701fcc8262b37327bf6db814b1a8b44656

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
ea564c71ceea9c0a57bb6d029d8a83f0

SHA1
a88fa334ed9b247dcd419757d39caf3b64b6539f

SHA256
bdd2139da8c675037ffb2c317672b80bfe1f7d985f3fb4401413a0d6a406f35d

SHA512
071c383358af1f6e4b4f6df5a43e345a41a7730487868c2da816afc4fda5ca171ce84e9ca879a7cb87fbd99feed2c261265985daaefca07581d8349f7edaf1cb

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
ea564c71ceea9c0a57bb6d029d8a83f0

SHA1
a88fa334ed9b247dcd419757d39caf3b64b6539f

SHA256
bdd2139da8c675037ffb2c317672b80bfe1f7d985f3fb4401413a0d6a406f35d

SHA512
071c383358af1f6e4b4f6df5a43e345a41a7730487868c2da816afc4fda5ca171ce84e9ca879a7cb87fbd99feed2c261265985daaefca07581d8349f7edaf1cb

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB9A.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB9A.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB9A.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB9A.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseEB9A.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
5b4afdf090d195a92f7dc2dc2a228688

SHA1
6b033161ceeafc005e8c5e067bb68be25debca7c

SHA256
4095b66264d83a28537778d5dd3d6df02b166191203bae3f9d27eca5de4298db

SHA512
85c3b66b9d9b07eab462d8bb37a4b830a7c84d30eccafed6ef5644a8cd5c4a3616b8c7a1183cf45af284536e56b9612cd543426985988115392ee4a02408922b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
5b4afdf090d195a92f7dc2dc2a228688

SHA1
6b033161ceeafc005e8c5e067bb68be25debca7c

SHA256
4095b66264d83a28537778d5dd3d6df02b166191203bae3f9d27eca5de4298db

SHA512
85c3b66b9d9b07eab462d8bb37a4b830a7c84d30eccafed6ef5644a8cd5c4a3616b8c7a1183cf45af284536e56b9612cd543426985988115392ee4a02408922b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
5b4afdf090d195a92f7dc2dc2a228688

SHA1
6b033161ceeafc005e8c5e067bb68be25debca7c

SHA256
4095b66264d83a28537778d5dd3d6df02b166191203bae3f9d27eca5de4298db

SHA512
85c3b66b9d9b07eab462d8bb37a4b830a7c84d30eccafed6ef5644a8cd5c4a3616b8c7a1183cf45af284536e56b9612cd543426985988115392ee4a02408922b

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
5f73d04b1dcff6c6f09e1e4a357ad240

SHA1
55a6c54316a299b2a0554b05f823217d9ba91684

SHA256
9b3b6050802a5f6173182c96b55d98a85aff0e67d674ce7e1dc059793398df40

SHA512
c075ae871bcf3c9dc4bfabe07a2450fd3498a51d85c689d52593410b22c48d341ccb59c6338998f9708481e6fed39c5c404a8f0cac9c970c4a7db792d0e5bd7a

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
5f73d04b1dcff6c6f09e1e4a357ad240

SHA1
55a6c54316a299b2a0554b05f823217d9ba91684

SHA256
9b3b6050802a5f6173182c96b55d98a85aff0e67d674ce7e1dc059793398df40

SHA512
c075ae871bcf3c9dc4bfabe07a2450fd3498a51d85c689d52593410b22c48d341ccb59c6338998f9708481e6fed39c5c404a8f0cac9c970c4a7db792d0e5bd7a

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
8d2c834acf98a015e2166daecfdaabb0

SHA1
dd81210f5552e68a671ca88516e63ab4175ad51d

SHA256
e5f83b2633502250cefe00c094f3c99caceb33a0c379c4aa39ca8c5d49446971

SHA512
31b86055d3d34f466665e4596d62a4e747610a807aafa98fb7adce6128bcc692fc7208527a4c2ea28f7a322b4440d0ac79a83dd819453aac888f1b94ca3e0d12

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c7f639c7f3c0dfd8eb39e3ac6cec8409

SHA1
bb72b972ae25e7b366111185ab4386079206327c

SHA256
5f8df3defc42dbc2aa1dcee48c5023d0cf14aceaf6c3e8e62f304a59ab5bd911

SHA512
fa3dcd3de43ffeaf911775373ac7e293d149b0d8541421ce7eac5709246ed0e249ae08bf4cbd3c0945eea977068736701fcc8262b37327bf6db814b1a8b44656

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
ea564c71ceea9c0a57bb6d029d8a83f0

SHA1
a88fa334ed9b247dcd419757d39caf3b64b6539f

SHA256
bdd2139da8c675037ffb2c317672b80bfe1f7d985f3fb4401413a0d6a406f35d

SHA512
071c383358af1f6e4b4f6df5a43e345a41a7730487868c2da816afc4fda5ca171ce84e9ca879a7cb87fbd99feed2c261265985daaefca07581d8349f7edaf1cb

Download Submit
memory/108-71-0x0000000000000000-mapping.dmp

Download
memory/824-77-0x0000000000000000-mapping.dmp

Download
memory/1496-59-0x0000000000000000-mapping.dmp

Download
memory/1508-58-0x0000000000000000-mapping.dmp

Download
memory/1548-81-0x0000000000000000-mapping.dmp

Download
memory/1632-62-0x0000000000000000-mapping.dmp

Download
memory/1708-64-0x0000000000000000-mapping.dmp

Download
memory/1792-87-0x0000000000000000-mapping.dmp

Download
memory/1828-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1828-54-0x0000000075611000-0x0000000075613000-memory.dmp

Filesize
8KB

Download
memory/1828-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1828-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1844-82-0x0000000000000000-mapping.dmp

Download
memory/1932-61-0x0000000000000000-mapping.dmp

Download
memory/2020-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads