641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
Size

446KB
MD5

77c36bab48674d991f60184426a8f125
SHA1

a97ab82fbb1c079195508e1b39cef2a46e05430f
SHA256

641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18
SHA512

8ec53dfcd5779cf96c7b32a2d29d330fdc6805d90cc3604b49080573b3684d947a245f046b891ed40d2717d58ad61d79ccdfbe7291f5b4a8743826e3aa19ca14
SSDEEP

12288:B/UBgm4LkHfJBnOTJqhpK0SfUv7Up9s5aT2upelDnG:B/Cg4HjOlmNtUpHAG

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1996 installd.exe
268 nethtsrv.exe
1784 netupdsrv.exe
616 nethtsrv.exe
696 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe

pid	process
1996	installd.exe
268	nethtsrv.exe
1784	netupdsrv.exe
616	nethtsrv.exe
696	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
1996	installd.exe
1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
268	nethtsrv.exe
268	nethtsrv.exe
1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
616	nethtsrv.exe
616	nethtsrv.exe
1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
File created	C:\Windows\SysWOW64\installd.exe	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe

Drops file in Program Files directory 3 IoCs

Processes:

641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 616 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	616	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1668 wrote to memory of 1960	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 1960	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 1960	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 1960	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1960 wrote to memory of 1760	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1760	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1760	1960	net.exe	net1.exe
PID 1960 wrote to memory of 1760	1960	net.exe	net1.exe
PID 1668 wrote to memory of 2000	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 2000	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 2000	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 2000	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 2000 wrote to memory of 1740	2000	net.exe	net1.exe
PID 2000 wrote to memory of 1740	2000	net.exe	net1.exe
PID 2000 wrote to memory of 1740	2000	net.exe	net1.exe
PID 2000 wrote to memory of 1740	2000	net.exe	net1.exe
PID 1668 wrote to memory of 1996	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	installd.exe
PID 1668 wrote to memory of 1996	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	installd.exe
PID 1668 wrote to memory of 1996	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	installd.exe
PID 1668 wrote to memory of 1996	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	installd.exe
PID 1668 wrote to memory of 1996	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	installd.exe
PID 1668 wrote to memory of 1996	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	installd.exe
PID 1668 wrote to memory of 1996	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	installd.exe
PID 1668 wrote to memory of 268	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	nethtsrv.exe
PID 1668 wrote to memory of 268	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	nethtsrv.exe
PID 1668 wrote to memory of 268	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	nethtsrv.exe
PID 1668 wrote to memory of 268	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	nethtsrv.exe
PID 1668 wrote to memory of 1784	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	netupdsrv.exe
PID 1668 wrote to memory of 1784	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	netupdsrv.exe
PID 1668 wrote to memory of 1784	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	netupdsrv.exe
PID 1668 wrote to memory of 1784	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	netupdsrv.exe
PID 1668 wrote to memory of 1784	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	netupdsrv.exe
PID 1668 wrote to memory of 1784	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	netupdsrv.exe
PID 1668 wrote to memory of 1784	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	netupdsrv.exe
PID 1668 wrote to memory of 592	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 592	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 592	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 592	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 592 wrote to memory of 1084	592	net.exe	net1.exe
PID 592 wrote to memory of 1084	592	net.exe	net1.exe
PID 592 wrote to memory of 1084	592	net.exe	net1.exe
PID 592 wrote to memory of 1084	592	net.exe	net1.exe
PID 1668 wrote to memory of 2012	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 2012	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 2012	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 1668 wrote to memory of 2012	1668	641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe	net.exe
PID 2012 wrote to memory of 1300	2012	net.exe	net1.exe
PID 2012 wrote to memory of 1300	2012	net.exe	net1.exe
PID 2012 wrote to memory of 1300	2012	net.exe	net1.exe
PID 2012 wrote to memory of 1300	2012	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe
"C:\Users\Admin\AppData\Local\Temp\641db8edb294c24d79df1cafbc40fedd0c34d36608efd1130fe2e7907c8f2c18.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1760

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1740

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:268

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1784

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1084

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1300

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:616

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:696

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
24f9dd2b2797ec1d9c93c90c71f11abb

SHA1
3a3eea3d90b002952032299cef16a239e7d5f5f1

SHA256
8fa2692b71b12538f844b16fac32be5ca12577de3728df9fb2a6b7599b8492af

SHA512
fa20a525a92d4e13535990b4bdecfec14ece6461b9873b666bceb6b6698634e6426d403bce0ecfb40fde83060cfa1a9d6b6d500366dfae512bd27577d84934fb

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
4f37913692a05315ddaef9b93b8094a9

SHA1
28265c7f7b0eb08960845fe5289105c00b3be184

SHA256
a87493e17e9c8b607cda14bffb79eb0495d2f7c789a726fc6149ca7c2c116561

SHA512
cbb72152b5f5cca6dfdae9e5919aadeb90022395c7738d18f4654bd5e4ce9bf18d8a6a07d76e69b9c5cb3bb7298748cb2a4681d37753b160a404cbeecb5459ae

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
2f88428cffc51f37bf709a574e08e65c

SHA1
3a3bea3468ef7e1a61df55ebb88d10f2c1c73d2a

SHA256
5bb0467b0a42ecbd3972b91c1c8b524fd5e5553eb2e6e9f0581057d63940756f

SHA512
30a1ecc6ecc7283ff4bfcf6569d76e6ac76c37d53d5b83176828627b7edd7d51e84e352d9064b8135b49d24a0cb3f3c33a14d46700dc47c50c952f7675f15696

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
96ef3977baa1c202aaa5c011cdbbc7d6

SHA1
d1544e50d014e97de6fe35b3fa0e526af592b529

SHA256
1c06f81af2819e4c92f882e091141573d74129466a44894bb66e6e57a96ac4a4

SHA512
47032504f8e14ebb24167543b9f4ebc60ede7a337c99e2d29ef7aff6154d7ded5b62edfb3211c6b87aae5e4dd252a486e31915cc73d9b6da07958492a22afd13

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
96ef3977baa1c202aaa5c011cdbbc7d6

SHA1
d1544e50d014e97de6fe35b3fa0e526af592b529

SHA256
1c06f81af2819e4c92f882e091141573d74129466a44894bb66e6e57a96ac4a4

SHA512
47032504f8e14ebb24167543b9f4ebc60ede7a337c99e2d29ef7aff6154d7ded5b62edfb3211c6b87aae5e4dd252a486e31915cc73d9b6da07958492a22afd13

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
0e7be2b6fcc23a110957d753b509be51

SHA1
6ea780055d69cd53f6d55a5f1d34c974981977ba

SHA256
d3ded6a595712959db3dd64d47334febb6af4f7242fcab55c45a1965b39a095a

SHA512
ee7e76457a48f77361f691f95c435d536da08574ca6d0bf543a577835d752f88699250f67cea1496c9797cfd3a2d26e750bf5bea492e05212ca85667a12ba2de

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
0e7be2b6fcc23a110957d753b509be51

SHA1
6ea780055d69cd53f6d55a5f1d34c974981977ba

SHA256
d3ded6a595712959db3dd64d47334febb6af4f7242fcab55c45a1965b39a095a

SHA512
ee7e76457a48f77361f691f95c435d536da08574ca6d0bf543a577835d752f88699250f67cea1496c9797cfd3a2d26e750bf5bea492e05212ca85667a12ba2de

Download Submit
\Users\Admin\AppData\Local\Temp\nstFF39.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstFF39.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstFF39.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstFF39.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstFF39.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
24f9dd2b2797ec1d9c93c90c71f11abb

SHA1
3a3eea3d90b002952032299cef16a239e7d5f5f1

SHA256
8fa2692b71b12538f844b16fac32be5ca12577de3728df9fb2a6b7599b8492af

SHA512
fa20a525a92d4e13535990b4bdecfec14ece6461b9873b666bceb6b6698634e6426d403bce0ecfb40fde83060cfa1a9d6b6d500366dfae512bd27577d84934fb

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
24f9dd2b2797ec1d9c93c90c71f11abb

SHA1
3a3eea3d90b002952032299cef16a239e7d5f5f1

SHA256
8fa2692b71b12538f844b16fac32be5ca12577de3728df9fb2a6b7599b8492af

SHA512
fa20a525a92d4e13535990b4bdecfec14ece6461b9873b666bceb6b6698634e6426d403bce0ecfb40fde83060cfa1a9d6b6d500366dfae512bd27577d84934fb

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
24f9dd2b2797ec1d9c93c90c71f11abb

SHA1
3a3eea3d90b002952032299cef16a239e7d5f5f1

SHA256
8fa2692b71b12538f844b16fac32be5ca12577de3728df9fb2a6b7599b8492af

SHA512
fa20a525a92d4e13535990b4bdecfec14ece6461b9873b666bceb6b6698634e6426d403bce0ecfb40fde83060cfa1a9d6b6d500366dfae512bd27577d84934fb

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
4f37913692a05315ddaef9b93b8094a9

SHA1
28265c7f7b0eb08960845fe5289105c00b3be184

SHA256
a87493e17e9c8b607cda14bffb79eb0495d2f7c789a726fc6149ca7c2c116561

SHA512
cbb72152b5f5cca6dfdae9e5919aadeb90022395c7738d18f4654bd5e4ce9bf18d8a6a07d76e69b9c5cb3bb7298748cb2a4681d37753b160a404cbeecb5459ae

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
4f37913692a05315ddaef9b93b8094a9

SHA1
28265c7f7b0eb08960845fe5289105c00b3be184

SHA256
a87493e17e9c8b607cda14bffb79eb0495d2f7c789a726fc6149ca7c2c116561

SHA512
cbb72152b5f5cca6dfdae9e5919aadeb90022395c7738d18f4654bd5e4ce9bf18d8a6a07d76e69b9c5cb3bb7298748cb2a4681d37753b160a404cbeecb5459ae

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
2f88428cffc51f37bf709a574e08e65c

SHA1
3a3bea3468ef7e1a61df55ebb88d10f2c1c73d2a

SHA256
5bb0467b0a42ecbd3972b91c1c8b524fd5e5553eb2e6e9f0581057d63940756f

SHA512
30a1ecc6ecc7283ff4bfcf6569d76e6ac76c37d53d5b83176828627b7edd7d51e84e352d9064b8135b49d24a0cb3f3c33a14d46700dc47c50c952f7675f15696

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
96ef3977baa1c202aaa5c011cdbbc7d6

SHA1
d1544e50d014e97de6fe35b3fa0e526af592b529

SHA256
1c06f81af2819e4c92f882e091141573d74129466a44894bb66e6e57a96ac4a4

SHA512
47032504f8e14ebb24167543b9f4ebc60ede7a337c99e2d29ef7aff6154d7ded5b62edfb3211c6b87aae5e4dd252a486e31915cc73d9b6da07958492a22afd13

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
0e7be2b6fcc23a110957d753b509be51

SHA1
6ea780055d69cd53f6d55a5f1d34c974981977ba

SHA256
d3ded6a595712959db3dd64d47334febb6af4f7242fcab55c45a1965b39a095a

SHA512
ee7e76457a48f77361f691f95c435d536da08574ca6d0bf543a577835d752f88699250f67cea1496c9797cfd3a2d26e750bf5bea492e05212ca85667a12ba2de

Download Submit
memory/268-69-0x0000000000000000-mapping.dmp

Download
memory/592-79-0x0000000000000000-mapping.dmp

Download
memory/1084-80-0x0000000000000000-mapping.dmp

Download
memory/1300-86-0x0000000000000000-mapping.dmp

Download
memory/1668-54-0x0000000075241000-0x0000000075243000-memory.dmp

Filesize
8KB

Download
memory/1740-61-0x0000000000000000-mapping.dmp

Download
memory/1760-58-0x0000000000000000-mapping.dmp

Download
memory/1784-75-0x0000000000000000-mapping.dmp

Download
memory/1960-57-0x0000000000000000-mapping.dmp

Download
memory/1996-63-0x0000000000000000-mapping.dmp

Download
memory/2000-60-0x0000000000000000-mapping.dmp

Download
memory/2012-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads