4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
Size

446KB
MD5

65133fcb1425bda5ae2dbbb6201d9430
SHA1

4c63ee9d95c8bbd170aef407676c0b173286c47b
SHA256

4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0
SHA512

c2101f2b361f066d6a0dbaa0bcabffd1227a6a461284e8759cef1f65bc5830bb994df853b33253cc849eee06c1b45d42711df1544acd8a552e42ae3a92f78ef9
SSDEEP

12288:EFqJb95BB6yYN4Vp+Vv0n46Zip6ZLpS5j3UiT1A:EMJh5BB6yy47+m4egGQ5DPe

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

516 installd.exe
824 nethtsrv.exe
1660 netupdsrv.exe
1800 nethtsrv.exe
432 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe

pid	process
516	installd.exe
824	nethtsrv.exe
1660	netupdsrv.exe
1800	nethtsrv.exe
432	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
516	installd.exe
1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
824	nethtsrv.exe
824	nethtsrv.exe
1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
1800	nethtsrv.exe
1800	nethtsrv.exe
1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
File created	C:\Windows\SysWOW64\installd.exe	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe

Drops file in Program Files directory 3 IoCs

Processes:

4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1800 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1800	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1672 wrote to memory of 1584	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 1584	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 1584	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 1584	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1584 wrote to memory of 552	1584	net.exe	net1.exe
PID 1584 wrote to memory of 552	1584	net.exe	net1.exe
PID 1584 wrote to memory of 552	1584	net.exe	net1.exe
PID 1584 wrote to memory of 552	1584	net.exe	net1.exe
PID 1672 wrote to memory of 584	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 584	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 584	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 584	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 584 wrote to memory of 1620	584	net.exe	net1.exe
PID 584 wrote to memory of 1620	584	net.exe	net1.exe
PID 584 wrote to memory of 1620	584	net.exe	net1.exe
PID 584 wrote to memory of 1620	584	net.exe	net1.exe
PID 1672 wrote to memory of 516	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	installd.exe
PID 1672 wrote to memory of 516	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	installd.exe
PID 1672 wrote to memory of 516	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	installd.exe
PID 1672 wrote to memory of 516	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	installd.exe
PID 1672 wrote to memory of 516	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	installd.exe
PID 1672 wrote to memory of 516	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	installd.exe
PID 1672 wrote to memory of 516	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	installd.exe
PID 1672 wrote to memory of 824	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	nethtsrv.exe
PID 1672 wrote to memory of 824	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	nethtsrv.exe
PID 1672 wrote to memory of 824	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	nethtsrv.exe
PID 1672 wrote to memory of 824	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	nethtsrv.exe
PID 1672 wrote to memory of 1660	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	netupdsrv.exe
PID 1672 wrote to memory of 1660	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	netupdsrv.exe
PID 1672 wrote to memory of 1660	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	netupdsrv.exe
PID 1672 wrote to memory of 1660	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	netupdsrv.exe
PID 1672 wrote to memory of 1660	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	netupdsrv.exe
PID 1672 wrote to memory of 1660	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	netupdsrv.exe
PID 1672 wrote to memory of 1660	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	netupdsrv.exe
PID 1672 wrote to memory of 852	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 852	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 852	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 852	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 852 wrote to memory of 1092	852	net.exe	net1.exe
PID 852 wrote to memory of 1092	852	net.exe	net1.exe
PID 852 wrote to memory of 1092	852	net.exe	net1.exe
PID 852 wrote to memory of 1092	852	net.exe	net1.exe
PID 1672 wrote to memory of 2032	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 2032	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 2032	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 1672 wrote to memory of 2032	1672	4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe	net.exe
PID 2032 wrote to memory of 764	2032	net.exe	net1.exe
PID 2032 wrote to memory of 764	2032	net.exe	net1.exe
PID 2032 wrote to memory of 764	2032	net.exe	net1.exe
PID 2032 wrote to memory of 764	2032	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe
"C:\Users\Admin\AppData\Local\Temp\4e135a62435b6cec41dd7462f6667ec609fd7f22d18c98216a0176c1a95024b0.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:552

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:516

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1660

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1092

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
1⤵
PID:1620

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1800

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:432

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
ffcc3a0d30b3461dec3877417f6b21cc

SHA1
943ce0f842309ae2610f4010767642ceca0086b4

SHA256
ae4134ffc87cb7b6036d7e1ed57cdec080db6b3564e5ff90094ffb83ce551a12

SHA512
e7ad0d832e9982d012799bbaf4f5f085dd9e94d6e0db4e2476e3b5743940a2fbc7497372f3711e184c99f8d1ea8f089e0f09d0c1f25d58eb5d154d316cb5b304

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
f0a874ea3b874842549157015a45791f

SHA1
5c6233c7bb3cd40f996cc1783571746eae194f3c

SHA256
5b8b1ce0691ea4e8d34323dbbf56070ffa805ce6219f5f7872aba26f46f6a52b

SHA512
9ccf01e2a41befb548ca60f72b12701ff6a0ce087cf003ed51913a5d8bf95ab00283d65081493dcf6d970e7fda92afcfc9a367977a77ac6976791fbdc7a84bdd

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
555a1836ed410a264796d5c798b3490a

SHA1
b7b605b05ef7775ac585f241224eed27e0262b0f

SHA256
b725aa78960cc64166eed4268a338cbd29c1777898c4fa5aaf1ccc62f2f03c78

SHA512
0676db5a64135d2df5bf8d4edcea5df8bd9db63f1165726d3ac2688890dee195c347eb3be8529676ea51c9140250575ad32025b5153c85c35a1dd5e4a72bdd6c

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
07cfd837b9f39be036b9958864bc5d0d

SHA1
b9a02753206c71d4d54d37de937c6ce66680d763

SHA256
f9142b75be11e37b74559bc6612aca6e6187e93075c29528d32dfc7944cd4b6f

SHA512
ad5e61d156bb256d43055f92551db78f1ec547f5d4cff804c630d84abdc0889f1129ae79dee83bb80e5e2de1b17d66e738fb8883b3c101bac4d253078048b77f

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
07cfd837b9f39be036b9958864bc5d0d

SHA1
b9a02753206c71d4d54d37de937c6ce66680d763

SHA256
f9142b75be11e37b74559bc6612aca6e6187e93075c29528d32dfc7944cd4b6f

SHA512
ad5e61d156bb256d43055f92551db78f1ec547f5d4cff804c630d84abdc0889f1129ae79dee83bb80e5e2de1b17d66e738fb8883b3c101bac4d253078048b77f

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
9c8c2cb57eee71f2e71762869b9eb4ff

SHA1
f366add129df1dd0a031f2406bf298517db1c6f9

SHA256
aaac6e8a25d6425518f6138d29a721541eaa7d594e9c75f9a4c7d0e01ac15a41

SHA512
b5e7d9a2a4d3382e59dfadd9be5978985d61d268e2d5c03b0a1dbd474caf032be1c0792daeab2a1bfa98b51ce410d92df05bc8edac601fba24743b1ebe95caa9

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
9c8c2cb57eee71f2e71762869b9eb4ff

SHA1
f366add129df1dd0a031f2406bf298517db1c6f9

SHA256
aaac6e8a25d6425518f6138d29a721541eaa7d594e9c75f9a4c7d0e01ac15a41

SHA512
b5e7d9a2a4d3382e59dfadd9be5978985d61d268e2d5c03b0a1dbd474caf032be1c0792daeab2a1bfa98b51ce410d92df05bc8edac601fba24743b1ebe95caa9

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1C89.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1C89.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1C89.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1C89.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj1C89.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
ffcc3a0d30b3461dec3877417f6b21cc

SHA1
943ce0f842309ae2610f4010767642ceca0086b4

SHA256
ae4134ffc87cb7b6036d7e1ed57cdec080db6b3564e5ff90094ffb83ce551a12

SHA512
e7ad0d832e9982d012799bbaf4f5f085dd9e94d6e0db4e2476e3b5743940a2fbc7497372f3711e184c99f8d1ea8f089e0f09d0c1f25d58eb5d154d316cb5b304

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
ffcc3a0d30b3461dec3877417f6b21cc

SHA1
943ce0f842309ae2610f4010767642ceca0086b4

SHA256
ae4134ffc87cb7b6036d7e1ed57cdec080db6b3564e5ff90094ffb83ce551a12

SHA512
e7ad0d832e9982d012799bbaf4f5f085dd9e94d6e0db4e2476e3b5743940a2fbc7497372f3711e184c99f8d1ea8f089e0f09d0c1f25d58eb5d154d316cb5b304

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
ffcc3a0d30b3461dec3877417f6b21cc

SHA1
943ce0f842309ae2610f4010767642ceca0086b4

SHA256
ae4134ffc87cb7b6036d7e1ed57cdec080db6b3564e5ff90094ffb83ce551a12

SHA512
e7ad0d832e9982d012799bbaf4f5f085dd9e94d6e0db4e2476e3b5743940a2fbc7497372f3711e184c99f8d1ea8f089e0f09d0c1f25d58eb5d154d316cb5b304

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
f0a874ea3b874842549157015a45791f

SHA1
5c6233c7bb3cd40f996cc1783571746eae194f3c

SHA256
5b8b1ce0691ea4e8d34323dbbf56070ffa805ce6219f5f7872aba26f46f6a52b

SHA512
9ccf01e2a41befb548ca60f72b12701ff6a0ce087cf003ed51913a5d8bf95ab00283d65081493dcf6d970e7fda92afcfc9a367977a77ac6976791fbdc7a84bdd

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
f0a874ea3b874842549157015a45791f

SHA1
5c6233c7bb3cd40f996cc1783571746eae194f3c

SHA256
5b8b1ce0691ea4e8d34323dbbf56070ffa805ce6219f5f7872aba26f46f6a52b

SHA512
9ccf01e2a41befb548ca60f72b12701ff6a0ce087cf003ed51913a5d8bf95ab00283d65081493dcf6d970e7fda92afcfc9a367977a77ac6976791fbdc7a84bdd

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
555a1836ed410a264796d5c798b3490a

SHA1
b7b605b05ef7775ac585f241224eed27e0262b0f

SHA256
b725aa78960cc64166eed4268a338cbd29c1777898c4fa5aaf1ccc62f2f03c78

SHA512
0676db5a64135d2df5bf8d4edcea5df8bd9db63f1165726d3ac2688890dee195c347eb3be8529676ea51c9140250575ad32025b5153c85c35a1dd5e4a72bdd6c

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
07cfd837b9f39be036b9958864bc5d0d

SHA1
b9a02753206c71d4d54d37de937c6ce66680d763

SHA256
f9142b75be11e37b74559bc6612aca6e6187e93075c29528d32dfc7944cd4b6f

SHA512
ad5e61d156bb256d43055f92551db78f1ec547f5d4cff804c630d84abdc0889f1129ae79dee83bb80e5e2de1b17d66e738fb8883b3c101bac4d253078048b77f

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
9c8c2cb57eee71f2e71762869b9eb4ff

SHA1
f366add129df1dd0a031f2406bf298517db1c6f9

SHA256
aaac6e8a25d6425518f6138d29a721541eaa7d594e9c75f9a4c7d0e01ac15a41

SHA512
b5e7d9a2a4d3382e59dfadd9be5978985d61d268e2d5c03b0a1dbd474caf032be1c0792daeab2a1bfa98b51ce410d92df05bc8edac601fba24743b1ebe95caa9

Download Submit
memory/516-63-0x0000000000000000-mapping.dmp

Download
memory/552-58-0x0000000000000000-mapping.dmp

Download
memory/584-60-0x0000000000000000-mapping.dmp

Download
memory/764-86-0x0000000000000000-mapping.dmp

Download
memory/824-69-0x0000000000000000-mapping.dmp

Download
memory/852-79-0x0000000000000000-mapping.dmp

Download
memory/1092-80-0x0000000000000000-mapping.dmp

Download
memory/1584-57-0x0000000000000000-mapping.dmp

Download
memory/1620-61-0x0000000000000000-mapping.dmp

Download
memory/1660-75-0x0000000000000000-mapping.dmp

Download
memory/1672-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/2032-85-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads