c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0

Analysis

max time kernel
40s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
Size

601KB
MD5

636a2e42cb9241cd930bdce15fcf6fbd
SHA1

de57565d758162af4181df72d0a8080692bbe408
SHA256

c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0
SHA512

e72720839a6212c142fd41a78f652b2ebe23c960a4b938ed9279eadfcb2d523b6e95e2b74489bc4b7447d55b333823f1d0a1451a800095d8cdd2901dc7f23a99
SSDEEP

12288:IIny5DYTgkUQ/PI8Sb8bdNuMuaPvxyaFtEOz9ARlSzbWQE:GUTgA4Rbyd0M5YMhcwzbWQ

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1168 installd.exe
1856 nethtsrv.exe
1508 netupdsrv.exe
1752 nethtsrv.exe
1200 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe

pid	process
1168	installd.exe
1856	nethtsrv.exe
1508	netupdsrv.exe
1752	nethtsrv.exe
1200	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
1168	installd.exe
1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
1856	nethtsrv.exe
1856	nethtsrv.exe
1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
1752	nethtsrv.exe
1752	nethtsrv.exe
1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
File created	C:\Windows\SysWOW64\installd.exe	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe

Drops file in Program Files directory 3 IoCs

Processes:

c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1752 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1752	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1700 wrote to memory of 2012	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 2012	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 2012	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 2012	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 2012 wrote to memory of 2020	2012	net.exe	net1.exe
PID 2012 wrote to memory of 2020	2012	net.exe	net1.exe
PID 2012 wrote to memory of 2020	2012	net.exe	net1.exe
PID 2012 wrote to memory of 2020	2012	net.exe	net1.exe
PID 1700 wrote to memory of 1072	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 1072	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 1072	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 1072	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1072 wrote to memory of 1100	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1100	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1100	1072	net.exe	net1.exe
PID 1072 wrote to memory of 1100	1072	net.exe	net1.exe
PID 1700 wrote to memory of 1168	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	installd.exe
PID 1700 wrote to memory of 1168	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	installd.exe
PID 1700 wrote to memory of 1168	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	installd.exe
PID 1700 wrote to memory of 1168	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	installd.exe
PID 1700 wrote to memory of 1168	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	installd.exe
PID 1700 wrote to memory of 1168	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	installd.exe
PID 1700 wrote to memory of 1168	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	installd.exe
PID 1700 wrote to memory of 1856	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	nethtsrv.exe
PID 1700 wrote to memory of 1856	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	nethtsrv.exe
PID 1700 wrote to memory of 1856	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	nethtsrv.exe
PID 1700 wrote to memory of 1856	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	nethtsrv.exe
PID 1700 wrote to memory of 1508	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	netupdsrv.exe
PID 1700 wrote to memory of 1508	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	netupdsrv.exe
PID 1700 wrote to memory of 1508	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	netupdsrv.exe
PID 1700 wrote to memory of 1508	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	netupdsrv.exe
PID 1700 wrote to memory of 1508	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	netupdsrv.exe
PID 1700 wrote to memory of 1508	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	netupdsrv.exe
PID 1700 wrote to memory of 1508	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	netupdsrv.exe
PID 1700 wrote to memory of 1960	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 1960	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 1960	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 1960	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1960 wrote to memory of 1696	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1696	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1696	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1696	1960	net.exe	net1.exe
PID 1700 wrote to memory of 960	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 960	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 960	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 1700 wrote to memory of 960	1700	c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe	net.exe
PID 960 wrote to memory of 1404	960	net.exe	net1.exe
PID 960 wrote to memory of 1404	960	net.exe	net1.exe
PID 960 wrote to memory of 1404	960	net.exe	net1.exe
PID 960 wrote to memory of 1404	960	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe
"C:\Users\Admin\AppData\Local\Temp\c9c9663efcef72f99bf9f4601688324673b867f4d8525272c76bc8e41ecd9bc0.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:2020

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1100

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1508

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1696

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1404

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1200

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
fbbf7c41e9615ee7803c158a8eff5998

SHA1
6d7bf8f92a1c095ac6aa2b7522fcdc1b6a9ee733

SHA256
87d0be1dadfb64f4aa26278cbaa14b64ad1339d8db274758476f6be870f6044e

SHA512
abcb642ea480a9d0312bd5f8a7968b68d2a4232bc9036e3d2e7395ce359455a880f66ba66045cf6e0aa9097ec14d45b35d672c50bf1b2f5228ed0a45aa3c0d51

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
b6a283037334f8ca0b0d0ec3006c85cb

SHA1
76904dce932624adcbbb781329e1abff5ac0841d

SHA256
8f0aed298d4ee1e8cf1d10e22c94663a6852eeba4941be1efbc4e5659d2d15fc

SHA512
9e1db1bb2503f4aa24034584eea3b9a3e42a69a11547262d04800043b5dc86dc23a11f06b42db135fedc44bc332f81e04fccb933f7420bac8ed58a4ce7cf4ff9

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
afab603022dbe7a0b93af6626d867329

SHA1
541ce14cd2e4149237957bbcfd0600ffe052e8f0

SHA256
1e182c74906112571a8a39b0a797f3deb9e439d9ca88aeacfb5846bf707a6d92

SHA512
c7ed46b992f511ece5f3ba0612afaf98e6880f30248f51925581614d163405191227f6944bdf13db20f094acebd8d1b106219e7030947e32aacb3efd998318b4

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
ec385948ef70c26fe45fc99c22596e99

SHA1
879edd20144ec9109ef0c5f11f98777234d46b18

SHA256
596cbc2238698e6652a58a91cdcbca68f7e3598db5d5a6a32a1dccf7d9d447f3

SHA512
b3704574d09ce233138df408301bd43636acc6defa4fb6051a71a61763e8825a21fdcd77dbde9646e74ad95de34b8b0c7cae9cc3b743ebdd94902f8fde3dbaff

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
ec385948ef70c26fe45fc99c22596e99

SHA1
879edd20144ec9109ef0c5f11f98777234d46b18

SHA256
596cbc2238698e6652a58a91cdcbca68f7e3598db5d5a6a32a1dccf7d9d447f3

SHA512
b3704574d09ce233138df408301bd43636acc6defa4fb6051a71a61763e8825a21fdcd77dbde9646e74ad95de34b8b0c7cae9cc3b743ebdd94902f8fde3dbaff

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
44d573dac35fc37b1e7afd24ffb3bfc5

SHA1
68cfa601e449a9f2b5021627b0efb4a41d7b0dc6

SHA256
59edc7429b64b591bd063c59bd61e148fd6db28732d80b250ba7b9b29f1ecc05

SHA512
a6414ec2a9956dd6cb6ac01b76e469c41216b44bc1e9430b1df9b9d7714c37b12456464c4674a1cdb561fb65a4c81d39b881e17b4001937636c3073ef17ecda7

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
44d573dac35fc37b1e7afd24ffb3bfc5

SHA1
68cfa601e449a9f2b5021627b0efb4a41d7b0dc6

SHA256
59edc7429b64b591bd063c59bd61e148fd6db28732d80b250ba7b9b29f1ecc05

SHA512
a6414ec2a9956dd6cb6ac01b76e469c41216b44bc1e9430b1df9b9d7714c37b12456464c4674a1cdb561fb65a4c81d39b881e17b4001937636c3073ef17ecda7

Download Submit
\Users\Admin\AppData\Local\Temp\nsy34E.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy34E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy34E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy34E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy34E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
fbbf7c41e9615ee7803c158a8eff5998

SHA1
6d7bf8f92a1c095ac6aa2b7522fcdc1b6a9ee733

SHA256
87d0be1dadfb64f4aa26278cbaa14b64ad1339d8db274758476f6be870f6044e

SHA512
abcb642ea480a9d0312bd5f8a7968b68d2a4232bc9036e3d2e7395ce359455a880f66ba66045cf6e0aa9097ec14d45b35d672c50bf1b2f5228ed0a45aa3c0d51

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
fbbf7c41e9615ee7803c158a8eff5998

SHA1
6d7bf8f92a1c095ac6aa2b7522fcdc1b6a9ee733

SHA256
87d0be1dadfb64f4aa26278cbaa14b64ad1339d8db274758476f6be870f6044e

SHA512
abcb642ea480a9d0312bd5f8a7968b68d2a4232bc9036e3d2e7395ce359455a880f66ba66045cf6e0aa9097ec14d45b35d672c50bf1b2f5228ed0a45aa3c0d51

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
fbbf7c41e9615ee7803c158a8eff5998

SHA1
6d7bf8f92a1c095ac6aa2b7522fcdc1b6a9ee733

SHA256
87d0be1dadfb64f4aa26278cbaa14b64ad1339d8db274758476f6be870f6044e

SHA512
abcb642ea480a9d0312bd5f8a7968b68d2a4232bc9036e3d2e7395ce359455a880f66ba66045cf6e0aa9097ec14d45b35d672c50bf1b2f5228ed0a45aa3c0d51

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
b6a283037334f8ca0b0d0ec3006c85cb

SHA1
76904dce932624adcbbb781329e1abff5ac0841d

SHA256
8f0aed298d4ee1e8cf1d10e22c94663a6852eeba4941be1efbc4e5659d2d15fc

SHA512
9e1db1bb2503f4aa24034584eea3b9a3e42a69a11547262d04800043b5dc86dc23a11f06b42db135fedc44bc332f81e04fccb933f7420bac8ed58a4ce7cf4ff9

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
b6a283037334f8ca0b0d0ec3006c85cb

SHA1
76904dce932624adcbbb781329e1abff5ac0841d

SHA256
8f0aed298d4ee1e8cf1d10e22c94663a6852eeba4941be1efbc4e5659d2d15fc

SHA512
9e1db1bb2503f4aa24034584eea3b9a3e42a69a11547262d04800043b5dc86dc23a11f06b42db135fedc44bc332f81e04fccb933f7420bac8ed58a4ce7cf4ff9

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
afab603022dbe7a0b93af6626d867329

SHA1
541ce14cd2e4149237957bbcfd0600ffe052e8f0

SHA256
1e182c74906112571a8a39b0a797f3deb9e439d9ca88aeacfb5846bf707a6d92

SHA512
c7ed46b992f511ece5f3ba0612afaf98e6880f30248f51925581614d163405191227f6944bdf13db20f094acebd8d1b106219e7030947e32aacb3efd998318b4

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
ec385948ef70c26fe45fc99c22596e99

SHA1
879edd20144ec9109ef0c5f11f98777234d46b18

SHA256
596cbc2238698e6652a58a91cdcbca68f7e3598db5d5a6a32a1dccf7d9d447f3

SHA512
b3704574d09ce233138df408301bd43636acc6defa4fb6051a71a61763e8825a21fdcd77dbde9646e74ad95de34b8b0c7cae9cc3b743ebdd94902f8fde3dbaff

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
44d573dac35fc37b1e7afd24ffb3bfc5

SHA1
68cfa601e449a9f2b5021627b0efb4a41d7b0dc6

SHA256
59edc7429b64b591bd063c59bd61e148fd6db28732d80b250ba7b9b29f1ecc05

SHA512
a6414ec2a9956dd6cb6ac01b76e469c41216b44bc1e9430b1df9b9d7714c37b12456464c4674a1cdb561fb65a4c81d39b881e17b4001937636c3073ef17ecda7

Download Submit
memory/960-86-0x0000000000000000-mapping.dmp

Download
memory/1072-60-0x0000000000000000-mapping.dmp

Download
memory/1100-61-0x0000000000000000-mapping.dmp

Download
memory/1168-64-0x0000000000000000-mapping.dmp

Download
memory/1404-87-0x0000000000000000-mapping.dmp

Download
memory/1508-76-0x0000000000000000-mapping.dmp

Download
memory/1696-81-0x0000000000000000-mapping.dmp

Download
memory/1700-62-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1700-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1700-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1856-70-0x0000000000000000-mapping.dmp

Download
memory/1960-80-0x0000000000000000-mapping.dmp

Download
memory/2012-57-0x0000000000000000-mapping.dmp

Download
memory/2020-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads