0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b

Analysis

max time kernel
61s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
Size

446KB
MD5

b08b4378e332526dca9afc6972150bef
SHA1

9086061e12068b3e7579140b67f5147498b0659d
SHA256

0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b
SHA512

86134b9b02021583d0a5e68e5bee2a411cd61bab81796ac6227ad65374cfa4e585db6da7357e79f50cab7cbf2a386225fed4f265dfb5006d4ce1ab8758425764
SSDEEP

12288:EblOZVPh0iiQK0XdFL1AWvoRwQmeIPmAsJZNxIb4pQ+eY:EyiQKOkRwQmPmXLNeQ/

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1228 installd.exe
1188 nethtsrv.exe
1584 netupdsrv.exe
1820 nethtsrv.exe
1524 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe

pid	process
1228	installd.exe
1188	nethtsrv.exe
1584	netupdsrv.exe
1820	nethtsrv.exe
1524	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
1228	installd.exe
928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
1188	nethtsrv.exe
1188	nethtsrv.exe
928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
1820	nethtsrv.exe
1820	nethtsrv.exe
928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfpapi.dll	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
File created	C:\Windows\SysWOW64\installd.exe	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe

Drops file in Program Files directory 3 IoCs

Processes:

0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1820 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1820	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 928 wrote to memory of 628	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 628	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 628	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 628	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 628 wrote to memory of 1656	628	net.exe	net1.exe
PID 628 wrote to memory of 1656	628	net.exe	net1.exe
PID 628 wrote to memory of 1656	628	net.exe	net1.exe
PID 628 wrote to memory of 1656	628	net.exe	net1.exe
PID 928 wrote to memory of 1416	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 1416	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 1416	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 1416	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 1416 wrote to memory of 1364	1416	net.exe	net1.exe
PID 1416 wrote to memory of 1364	1416	net.exe	net1.exe
PID 1416 wrote to memory of 1364	1416	net.exe	net1.exe
PID 1416 wrote to memory of 1364	1416	net.exe	net1.exe
PID 928 wrote to memory of 1228	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	installd.exe
PID 928 wrote to memory of 1228	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	installd.exe
PID 928 wrote to memory of 1228	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	installd.exe
PID 928 wrote to memory of 1228	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	installd.exe
PID 928 wrote to memory of 1228	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	installd.exe
PID 928 wrote to memory of 1228	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	installd.exe
PID 928 wrote to memory of 1228	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	installd.exe
PID 928 wrote to memory of 1188	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	nethtsrv.exe
PID 928 wrote to memory of 1188	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	nethtsrv.exe
PID 928 wrote to memory of 1188	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	nethtsrv.exe
PID 928 wrote to memory of 1188	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	nethtsrv.exe
PID 928 wrote to memory of 1584	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	netupdsrv.exe
PID 928 wrote to memory of 1584	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	netupdsrv.exe
PID 928 wrote to memory of 1584	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	netupdsrv.exe
PID 928 wrote to memory of 1584	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	netupdsrv.exe
PID 928 wrote to memory of 1584	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	netupdsrv.exe
PID 928 wrote to memory of 1584	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	netupdsrv.exe
PID 928 wrote to memory of 1584	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	netupdsrv.exe
PID 928 wrote to memory of 608	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 608	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 608	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 608	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 608 wrote to memory of 584	608	net.exe	net1.exe
PID 608 wrote to memory of 584	608	net.exe	net1.exe
PID 608 wrote to memory of 584	608	net.exe	net1.exe
PID 608 wrote to memory of 584	608	net.exe	net1.exe
PID 928 wrote to memory of 1432	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 1432	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 1432	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 928 wrote to memory of 1432	928	0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe	net.exe
PID 1432 wrote to memory of 1388	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1388	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1388	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1388	1432	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe
"C:\Users\Admin\AppData\Local\Temp\0a5ded7dfade6fb8ff6043927074b6ba5c9bad65c82da2269e776b655633296b.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:928

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1656

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1416

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1364

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1584

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:608

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:584

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1388

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1820

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
a08c5ee75074090746b76409d1363269

SHA1
f44fd29ef5ee70d19cb1e7be37d186c0355ea57b

SHA256
b93792dc471dcaee7d75b75bd43367565ebf772c0b3ec10521d0adcae133aa94

SHA512
9b4cb9491a731844bf50b8401da87f9e955eec295030edc3e568cb539a8afa02f31bb97426ff2a148c1b3dde1f25c8907bd30fd8a25d4ce8587ba798c6ce95ef

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
dab826d5588f888bcf61c90f6b573f9f

SHA1
5d8d48d5309cc1741f87de2411b5765651abef5c

SHA256
f850ea1d10bdeea98df7a0a8d6671a062f6f5008a43e76533bb4a971c80f81c8

SHA512
ad7d5eb939f4d346956dd66b1528be6d66c1de8d754c54134c4a97a23c2a91c1b98824ab6d6c5ba2454470c80a5dcc602c332352e66f61f96e2d43bf0beecffb

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
36557e27269af224d9543235606fb3fd

SHA1
4ef29ec42f681dc88da346ecfc28610554d31814

SHA256
db4f53060cd29ac3d49caa7852db32eddc0d8246d08b21f0a4266f8aa14cb632

SHA512
fe7130291563caa4f49a354e185c98f016f9b4c67ae7fb403965c33055506b501e70a8e4d9b7dbecf6ac6babbae96f89d2affcdb8473a748023cbf77f102ea33

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
368e3029bb2d76240a6d3e6958bf3ace

SHA1
c2c92355fcad7b78ec11df61457d804d40e34ea4

SHA256
83a09756a9a478ee0d8dc6992eef95aa0133dc49b7a874e9e54805b4bee34aea

SHA512
4e6a109bdf5d9a041402d3ec7032f0d89ddeac974c86bc3652d78665330695695956485e394f3943ec36a07bcb29330a1a8645bdeec07e731a88925eaf423002

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
368e3029bb2d76240a6d3e6958bf3ace

SHA1
c2c92355fcad7b78ec11df61457d804d40e34ea4

SHA256
83a09756a9a478ee0d8dc6992eef95aa0133dc49b7a874e9e54805b4bee34aea

SHA512
4e6a109bdf5d9a041402d3ec7032f0d89ddeac974c86bc3652d78665330695695956485e394f3943ec36a07bcb29330a1a8645bdeec07e731a88925eaf423002

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
19173b4a11670cb5c92e70538b380571

SHA1
b15ca3e334c37c6516ea707092de6193deebdafc

SHA256
58aa3ee128bd1d3a09ebe67704dba8be00c8cdb3719e02d865b408f86a58b71d

SHA512
788fd2cfe94d51fd43033803f9db2f8467eb48f075dba9c54835f86d42c45770205cc21a5316626c96d731f9a66b4aea5dde3b0c178f7c95b9067b30717bcafa

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
19173b4a11670cb5c92e70538b380571

SHA1
b15ca3e334c37c6516ea707092de6193deebdafc

SHA256
58aa3ee128bd1d3a09ebe67704dba8be00c8cdb3719e02d865b408f86a58b71d

SHA512
788fd2cfe94d51fd43033803f9db2f8467eb48f075dba9c54835f86d42c45770205cc21a5316626c96d731f9a66b4aea5dde3b0c178f7c95b9067b30717bcafa

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA0D4.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA0D4.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA0D4.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA0D4.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyA0D4.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
a08c5ee75074090746b76409d1363269

SHA1
f44fd29ef5ee70d19cb1e7be37d186c0355ea57b

SHA256
b93792dc471dcaee7d75b75bd43367565ebf772c0b3ec10521d0adcae133aa94

SHA512
9b4cb9491a731844bf50b8401da87f9e955eec295030edc3e568cb539a8afa02f31bb97426ff2a148c1b3dde1f25c8907bd30fd8a25d4ce8587ba798c6ce95ef

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
a08c5ee75074090746b76409d1363269

SHA1
f44fd29ef5ee70d19cb1e7be37d186c0355ea57b

SHA256
b93792dc471dcaee7d75b75bd43367565ebf772c0b3ec10521d0adcae133aa94

SHA512
9b4cb9491a731844bf50b8401da87f9e955eec295030edc3e568cb539a8afa02f31bb97426ff2a148c1b3dde1f25c8907bd30fd8a25d4ce8587ba798c6ce95ef

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
a08c5ee75074090746b76409d1363269

SHA1
f44fd29ef5ee70d19cb1e7be37d186c0355ea57b

SHA256
b93792dc471dcaee7d75b75bd43367565ebf772c0b3ec10521d0adcae133aa94

SHA512
9b4cb9491a731844bf50b8401da87f9e955eec295030edc3e568cb539a8afa02f31bb97426ff2a148c1b3dde1f25c8907bd30fd8a25d4ce8587ba798c6ce95ef

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
dab826d5588f888bcf61c90f6b573f9f

SHA1
5d8d48d5309cc1741f87de2411b5765651abef5c

SHA256
f850ea1d10bdeea98df7a0a8d6671a062f6f5008a43e76533bb4a971c80f81c8

SHA512
ad7d5eb939f4d346956dd66b1528be6d66c1de8d754c54134c4a97a23c2a91c1b98824ab6d6c5ba2454470c80a5dcc602c332352e66f61f96e2d43bf0beecffb

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
dab826d5588f888bcf61c90f6b573f9f

SHA1
5d8d48d5309cc1741f87de2411b5765651abef5c

SHA256
f850ea1d10bdeea98df7a0a8d6671a062f6f5008a43e76533bb4a971c80f81c8

SHA512
ad7d5eb939f4d346956dd66b1528be6d66c1de8d754c54134c4a97a23c2a91c1b98824ab6d6c5ba2454470c80a5dcc602c332352e66f61f96e2d43bf0beecffb

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
36557e27269af224d9543235606fb3fd

SHA1
4ef29ec42f681dc88da346ecfc28610554d31814

SHA256
db4f53060cd29ac3d49caa7852db32eddc0d8246d08b21f0a4266f8aa14cb632

SHA512
fe7130291563caa4f49a354e185c98f016f9b4c67ae7fb403965c33055506b501e70a8e4d9b7dbecf6ac6babbae96f89d2affcdb8473a748023cbf77f102ea33

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
368e3029bb2d76240a6d3e6958bf3ace

SHA1
c2c92355fcad7b78ec11df61457d804d40e34ea4

SHA256
83a09756a9a478ee0d8dc6992eef95aa0133dc49b7a874e9e54805b4bee34aea

SHA512
4e6a109bdf5d9a041402d3ec7032f0d89ddeac974c86bc3652d78665330695695956485e394f3943ec36a07bcb29330a1a8645bdeec07e731a88925eaf423002

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
19173b4a11670cb5c92e70538b380571

SHA1
b15ca3e334c37c6516ea707092de6193deebdafc

SHA256
58aa3ee128bd1d3a09ebe67704dba8be00c8cdb3719e02d865b408f86a58b71d

SHA512
788fd2cfe94d51fd43033803f9db2f8467eb48f075dba9c54835f86d42c45770205cc21a5316626c96d731f9a66b4aea5dde3b0c178f7c95b9067b30717bcafa

Download Submit
memory/584-80-0x0000000000000000-mapping.dmp

Download
memory/608-79-0x0000000000000000-mapping.dmp

Download
memory/628-57-0x0000000000000000-mapping.dmp

Download
memory/928-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1188-69-0x0000000000000000-mapping.dmp

Download
memory/1228-63-0x0000000000000000-mapping.dmp

Download
memory/1364-61-0x0000000000000000-mapping.dmp

Download
memory/1388-86-0x0000000000000000-mapping.dmp

Download
memory/1416-60-0x0000000000000000-mapping.dmp

Download
memory/1432-85-0x0000000000000000-mapping.dmp

Download
memory/1584-75-0x0000000000000000-mapping.dmp

Download
memory/1656-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads