431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc

Analysis

max time kernel
35s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
Size

446KB
MD5

2dbe916407c8a260dd1c0669fc39a920
SHA1

219f9d1de9f05efe7268dad2d4c07b9e79002db9
SHA256

431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc
SHA512

0a1b8cace0df22c6f303ac7ec3ee7e5b533968ee406013e1b5ce67c0e8e45cb1094eaf32c0f7fe329c59eb16cf90ae5fc6a04fc40da0ca5d5c166f77996a3e8b
SSDEEP

12288:TAw2jIWDHQgtUh/OwTYKbVUtrp1dW+rpyNEdoFKv:TAw27DHQgt7wlVU3bPrD2cv

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

732 installd.exe
1608 nethtsrv.exe
1148 netupdsrv.exe
1480 nethtsrv.exe
2016 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe

pid	process
732	installd.exe
1608	nethtsrv.exe
1148	netupdsrv.exe
1480	nethtsrv.exe
2016	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
732	installd.exe
1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
1608	nethtsrv.exe
1608	nethtsrv.exe
1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
1480	nethtsrv.exe
1480	nethtsrv.exe
1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
File created	C:\Windows\SysWOW64\installd.exe	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe

Drops file in Program Files directory 3 IoCs

Processes:

431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1480 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1480	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1348 wrote to memory of 604	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 604	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 604	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 604	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 604 wrote to memory of 304	604	net.exe	net1.exe
PID 604 wrote to memory of 304	604	net.exe	net1.exe
PID 604 wrote to memory of 304	604	net.exe	net1.exe
PID 604 wrote to memory of 304	604	net.exe	net1.exe
PID 1348 wrote to memory of 1280	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 1280	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 1280	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 1280	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1280 wrote to memory of 952	1280	net.exe	net1.exe
PID 1280 wrote to memory of 952	1280	net.exe	net1.exe
PID 1280 wrote to memory of 952	1280	net.exe	net1.exe
PID 1280 wrote to memory of 952	1280	net.exe	net1.exe
PID 1348 wrote to memory of 732	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	installd.exe
PID 1348 wrote to memory of 732	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	installd.exe
PID 1348 wrote to memory of 732	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	installd.exe
PID 1348 wrote to memory of 732	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	installd.exe
PID 1348 wrote to memory of 732	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	installd.exe
PID 1348 wrote to memory of 732	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	installd.exe
PID 1348 wrote to memory of 732	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	installd.exe
PID 1348 wrote to memory of 1608	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	nethtsrv.exe
PID 1348 wrote to memory of 1608	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	nethtsrv.exe
PID 1348 wrote to memory of 1608	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	nethtsrv.exe
PID 1348 wrote to memory of 1608	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	nethtsrv.exe
PID 1348 wrote to memory of 1148	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	netupdsrv.exe
PID 1348 wrote to memory of 1148	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	netupdsrv.exe
PID 1348 wrote to memory of 1148	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	netupdsrv.exe
PID 1348 wrote to memory of 1148	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	netupdsrv.exe
PID 1348 wrote to memory of 1148	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	netupdsrv.exe
PID 1348 wrote to memory of 1148	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	netupdsrv.exe
PID 1348 wrote to memory of 1148	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	netupdsrv.exe
PID 1348 wrote to memory of 876	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 876	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 876	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 876	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 876 wrote to memory of 628	876	net.exe	net1.exe
PID 876 wrote to memory of 628	876	net.exe	net1.exe
PID 876 wrote to memory of 628	876	net.exe	net1.exe
PID 876 wrote to memory of 628	876	net.exe	net1.exe
PID 1348 wrote to memory of 316	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 316	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 316	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 1348 wrote to memory of 316	1348	431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe	net.exe
PID 316 wrote to memory of 1036	316	net.exe	net1.exe
PID 316 wrote to memory of 1036	316	net.exe	net1.exe
PID 316 wrote to memory of 1036	316	net.exe	net1.exe
PID 316 wrote to memory of 1036	316	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe
"C:\Users\Admin\AppData\Local\Temp\431a2d0bdc4a9523305ecb244730a991490fc07149a11e2e622c2ebb7816eccc.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:304

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:952

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:732

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:628

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1036

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:2016

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c78b00ad05613093af20f389cb1c51a7

SHA1
eb67b370d6ceb295c9b347b63b244015c04f2f43

SHA256
77f24ae92884aa4db97f992ad20a46f91ebee1342753c15e0d70277621763e03

SHA512
aaa73b91271e94f66e8a408ea001e26c2a501b0442fb82ae783c5e2a77cedc407bb86c44d1c85e31c3361e78e42874656d3602decc01fa2f90422550c5b0ef48

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
0fa6d62214a087292ddbee7114348968

SHA1
ce26dc35bff378c36d046c2d7ecac967c1af783e

SHA256
6b65d32bf76edcdc3673b6c84c936a0f654538bd268b517c33179a529025f1fc

SHA512
b3ef08a586644867d74e4c512ee13ab46dbd384fe83f8fafd4d0a8fadeccb5455764b4aa0a9270b636b22603ab4b9b70ef34941bcb8f7708e53815ae8fb8413e

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
7d03c4e59ed1605c279dc02ae16c8c0c

SHA1
ea048263ee65e738e0e24dd0c748f9eea994cb14

SHA256
411e1d5ffcf24444250e2893784bf5951ef1bb4c17c7a5e0aa9ebd5a96b088b7

SHA512
ec796f76782c238f16b88f2fbc4686bf4507fff76e52902bd9f15db561d59ffe6fb561defecce5b6093eb3e292f9a84767cbf5337bcb7e58f022344cd55a4615

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c709b87b3738d62467708a3757b1092b

SHA1
89c99469a70728ba82f4fb6734a523596b50cac1

SHA256
c7f24b9d6ab56cfa8e50e4f6579e7fb1ba6125695aba89e1f7374ff23b9abcda

SHA512
b5f047b0ed56ce2ee34c519c6e62904edcdd77a40e27c30704c49609d1f135971de2c8ca3a9cc210f2ca89e8d6811f91a1f2d51eb972f253aec64c04cc135dae

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c709b87b3738d62467708a3757b1092b

SHA1
89c99469a70728ba82f4fb6734a523596b50cac1

SHA256
c7f24b9d6ab56cfa8e50e4f6579e7fb1ba6125695aba89e1f7374ff23b9abcda

SHA512
b5f047b0ed56ce2ee34c519c6e62904edcdd77a40e27c30704c49609d1f135971de2c8ca3a9cc210f2ca89e8d6811f91a1f2d51eb972f253aec64c04cc135dae

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
30294bca90dfa3d1e2ec7bbb6176b5ac

SHA1
e802a5df549aad12c17d6aef62b9afcf4b81f0c7

SHA256
26072ae31ddf7541cd3c6af07526cea07bcd01ef4ef58c446f1ddcf7ffbea170

SHA512
6062b0b0ac668a7d26c52eff4605a4b76d67925c67f8831e105b6c719f4de2b2ecb131cace9630878e8607115353c081197d2ec6a5ef42c7d31cecfdfd318c78

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
30294bca90dfa3d1e2ec7bbb6176b5ac

SHA1
e802a5df549aad12c17d6aef62b9afcf4b81f0c7

SHA256
26072ae31ddf7541cd3c6af07526cea07bcd01ef4ef58c446f1ddcf7ffbea170

SHA512
6062b0b0ac668a7d26c52eff4605a4b76d67925c67f8831e105b6c719f4de2b2ecb131cace9630878e8607115353c081197d2ec6a5ef42c7d31cecfdfd318c78

Download Submit
\Users\Admin\AppData\Local\Temp\nso7DDA.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso7DDA.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso7DDA.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso7DDA.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso7DDA.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c78b00ad05613093af20f389cb1c51a7

SHA1
eb67b370d6ceb295c9b347b63b244015c04f2f43

SHA256
77f24ae92884aa4db97f992ad20a46f91ebee1342753c15e0d70277621763e03

SHA512
aaa73b91271e94f66e8a408ea001e26c2a501b0442fb82ae783c5e2a77cedc407bb86c44d1c85e31c3361e78e42874656d3602decc01fa2f90422550c5b0ef48

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c78b00ad05613093af20f389cb1c51a7

SHA1
eb67b370d6ceb295c9b347b63b244015c04f2f43

SHA256
77f24ae92884aa4db97f992ad20a46f91ebee1342753c15e0d70277621763e03

SHA512
aaa73b91271e94f66e8a408ea001e26c2a501b0442fb82ae783c5e2a77cedc407bb86c44d1c85e31c3361e78e42874656d3602decc01fa2f90422550c5b0ef48

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c78b00ad05613093af20f389cb1c51a7

SHA1
eb67b370d6ceb295c9b347b63b244015c04f2f43

SHA256
77f24ae92884aa4db97f992ad20a46f91ebee1342753c15e0d70277621763e03

SHA512
aaa73b91271e94f66e8a408ea001e26c2a501b0442fb82ae783c5e2a77cedc407bb86c44d1c85e31c3361e78e42874656d3602decc01fa2f90422550c5b0ef48

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
0fa6d62214a087292ddbee7114348968

SHA1
ce26dc35bff378c36d046c2d7ecac967c1af783e

SHA256
6b65d32bf76edcdc3673b6c84c936a0f654538bd268b517c33179a529025f1fc

SHA512
b3ef08a586644867d74e4c512ee13ab46dbd384fe83f8fafd4d0a8fadeccb5455764b4aa0a9270b636b22603ab4b9b70ef34941bcb8f7708e53815ae8fb8413e

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
0fa6d62214a087292ddbee7114348968

SHA1
ce26dc35bff378c36d046c2d7ecac967c1af783e

SHA256
6b65d32bf76edcdc3673b6c84c936a0f654538bd268b517c33179a529025f1fc

SHA512
b3ef08a586644867d74e4c512ee13ab46dbd384fe83f8fafd4d0a8fadeccb5455764b4aa0a9270b636b22603ab4b9b70ef34941bcb8f7708e53815ae8fb8413e

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
7d03c4e59ed1605c279dc02ae16c8c0c

SHA1
ea048263ee65e738e0e24dd0c748f9eea994cb14

SHA256
411e1d5ffcf24444250e2893784bf5951ef1bb4c17c7a5e0aa9ebd5a96b088b7

SHA512
ec796f76782c238f16b88f2fbc4686bf4507fff76e52902bd9f15db561d59ffe6fb561defecce5b6093eb3e292f9a84767cbf5337bcb7e58f022344cd55a4615

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c709b87b3738d62467708a3757b1092b

SHA1
89c99469a70728ba82f4fb6734a523596b50cac1

SHA256
c7f24b9d6ab56cfa8e50e4f6579e7fb1ba6125695aba89e1f7374ff23b9abcda

SHA512
b5f047b0ed56ce2ee34c519c6e62904edcdd77a40e27c30704c49609d1f135971de2c8ca3a9cc210f2ca89e8d6811f91a1f2d51eb972f253aec64c04cc135dae

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
30294bca90dfa3d1e2ec7bbb6176b5ac

SHA1
e802a5df549aad12c17d6aef62b9afcf4b81f0c7

SHA256
26072ae31ddf7541cd3c6af07526cea07bcd01ef4ef58c446f1ddcf7ffbea170

SHA512
6062b0b0ac668a7d26c52eff4605a4b76d67925c67f8831e105b6c719f4de2b2ecb131cace9630878e8607115353c081197d2ec6a5ef42c7d31cecfdfd318c78

Download Submit
memory/304-58-0x0000000000000000-mapping.dmp

Download
memory/316-85-0x0000000000000000-mapping.dmp

Download
memory/604-57-0x0000000000000000-mapping.dmp

Download
memory/628-80-0x0000000000000000-mapping.dmp

Download
memory/732-63-0x0000000000000000-mapping.dmp

Download
memory/876-79-0x0000000000000000-mapping.dmp

Download
memory/952-61-0x0000000000000000-mapping.dmp

Download
memory/1036-86-0x0000000000000000-mapping.dmp

Download
memory/1148-75-0x0000000000000000-mapping.dmp

Download
memory/1280-60-0x0000000000000000-mapping.dmp

Download
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1608-69-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads