040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96

Analysis

max time kernel
34s
max time network
39s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
Size

446KB
MD5

0101f6f6ef8db0688a691d2628684feb
SHA1

da4ce7f440cebe24868c291a58b0e01d58cd103a
SHA256

040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96
SHA512

9b76f76253d72e8cffcdf65cd1696f9cb5d83471eb497dbb480916ff943d796d4f41c636d87ffc90885f943f3ad03bd73a2bcf9a87dc07e6fa305293b6de16c1
SSDEEP

12288:NWe5bZSC7ozNH3wLZVihtJmA9dngAvQIr1HSsepPV:NWe597CNH3mVYvgNH

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1544 installd.exe
1220 nethtsrv.exe
948 netupdsrv.exe
1940 nethtsrv.exe
1108 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe

pid	process
1544	installd.exe
1220	nethtsrv.exe
948	netupdsrv.exe
1940	nethtsrv.exe
1108	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
1544	installd.exe
1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
1220	nethtsrv.exe
1220	nethtsrv.exe
1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
1940	nethtsrv.exe
1940	nethtsrv.exe
1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe

Drops file in Program Files directory 3 IoCs

Processes:

040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1940 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1940	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1488 wrote to memory of 2036	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 2036	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 2036	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 2036	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 2036 wrote to memory of 940	2036	net.exe	net1.exe
PID 2036 wrote to memory of 940	2036	net.exe	net1.exe
PID 2036 wrote to memory of 940	2036	net.exe	net1.exe
PID 2036 wrote to memory of 940	2036	net.exe	net1.exe
PID 1488 wrote to memory of 1624	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1624	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1624	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1624	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1624 wrote to memory of 1416	1624	net.exe	net1.exe
PID 1624 wrote to memory of 1416	1624	net.exe	net1.exe
PID 1624 wrote to memory of 1416	1624	net.exe	net1.exe
PID 1624 wrote to memory of 1416	1624	net.exe	net1.exe
PID 1488 wrote to memory of 1544	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	installd.exe
PID 1488 wrote to memory of 1544	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	installd.exe
PID 1488 wrote to memory of 1544	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	installd.exe
PID 1488 wrote to memory of 1544	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	installd.exe
PID 1488 wrote to memory of 1544	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	installd.exe
PID 1488 wrote to memory of 1544	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	installd.exe
PID 1488 wrote to memory of 1544	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	installd.exe
PID 1488 wrote to memory of 1220	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	nethtsrv.exe
PID 1488 wrote to memory of 1220	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	nethtsrv.exe
PID 1488 wrote to memory of 1220	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	nethtsrv.exe
PID 1488 wrote to memory of 1220	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	nethtsrv.exe
PID 1488 wrote to memory of 948	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	netupdsrv.exe
PID 1488 wrote to memory of 948	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	netupdsrv.exe
PID 1488 wrote to memory of 948	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	netupdsrv.exe
PID 1488 wrote to memory of 948	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	netupdsrv.exe
PID 1488 wrote to memory of 948	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	netupdsrv.exe
PID 1488 wrote to memory of 948	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	netupdsrv.exe
PID 1488 wrote to memory of 948	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	netupdsrv.exe
PID 1488 wrote to memory of 1084	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1084	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1084	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1084	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1084 wrote to memory of 1072	1084	net.exe	net1.exe
PID 1084 wrote to memory of 1072	1084	net.exe	net1.exe
PID 1084 wrote to memory of 1072	1084	net.exe	net1.exe
PID 1084 wrote to memory of 1072	1084	net.exe	net1.exe
PID 1488 wrote to memory of 1176	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1176	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1176	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1488 wrote to memory of 1176	1488	040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe	net.exe
PID 1176 wrote to memory of 1124	1176	net.exe	net1.exe
PID 1176 wrote to memory of 1124	1176	net.exe	net1.exe
PID 1176 wrote to memory of 1124	1176	net.exe	net1.exe
PID 1176 wrote to memory of 1124	1176	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe
"C:\Users\Admin\AppData\Local\Temp\040a1a799df5972a44b1e225c9658adb3b85af0a10078587a7e6a18e40220b96.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:940

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1416

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1084

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1072

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1124

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1108

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
15d0c67dc3b37f98e119701453abf0d5

SHA1
3514b2d17260420d7ea59559f18ddc887f361872

SHA256
482b4a76c1e53900cbbe5575b134497ad3c418da207fcaee7a95bc38e0b7cd25

SHA512
7231aa60e35c430e9c3ba05da56c7985e4a6a9275ba9e5be98af6bd79c5379cb778876d4559fe6031a664e975e1bf16bd3f985210b50e1eaafcccbf337808564

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
b6e49541bfad1f9c8966322525a2165e

SHA1
2c18a24b63e9530661f055bcf7de64c887119aaf

SHA256
bd42fbf8fb8f20007be1df840321b378de533449c73c53605d4e8b8d189b162c

SHA512
94074699c540e428b6f39966ec6eb1917293eacd759deb9039d1fa851dfb5743a7bbdd53c63933ebfbdab995ea0caedf44255751b18a79564d59de96022d51be

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
cc91f43543ede3f3bc4649f82e48501b

SHA1
ef4249e0bbedbd32924a25872b2c2bf8f172a970

SHA256
eb296d068f8dd5b9396af0dd991746db31c3410e1b413f5f290e43533fc131ea

SHA512
c53d34e4cad5a3aae785f4582fc442a67560aa9fd842fc90feac6bc0eeac3f9bee0da8cb8713495f16f37212a02665355e391c0744b666264d9308204c6319da

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
adbe5f1804c55bbb5c2d0e5c679517a3

SHA1
1947f55de0fb0d0dfeb0e5c905d5c8168d278e82

SHA256
3b62c26dc70c1e0941ef356930747c6d38adf5067e1bc295a0fed9aef5a2aaf5

SHA512
be7400f69bc1ea54390c64a1e4bca206ce29df80c57e43c964db9fc6f5ee409400f3d04d41a4067fe2162eecbbf3a504a017dc28f5032e783cc982d91f3c1805

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
adbe5f1804c55bbb5c2d0e5c679517a3

SHA1
1947f55de0fb0d0dfeb0e5c905d5c8168d278e82

SHA256
3b62c26dc70c1e0941ef356930747c6d38adf5067e1bc295a0fed9aef5a2aaf5

SHA512
be7400f69bc1ea54390c64a1e4bca206ce29df80c57e43c964db9fc6f5ee409400f3d04d41a4067fe2162eecbbf3a504a017dc28f5032e783cc982d91f3c1805

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
c000756fda98ffd73c502392025d2a90

SHA1
47c9e96914ff714edbd54b893cf01bd12c4efe0d

SHA256
1acb7308e7d53546bb436717651056a1108a9838a3e019400c09559c4263ed88

SHA512
2e75471b938f0be7959e51a66f43ca4ba8ba54a3c4f8e91a10e73b90ed996f478a0949f53b5a8008ceb22b841b6d79c1992f536689645c866934751852ad864c

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
c000756fda98ffd73c502392025d2a90

SHA1
47c9e96914ff714edbd54b893cf01bd12c4efe0d

SHA256
1acb7308e7d53546bb436717651056a1108a9838a3e019400c09559c4263ed88

SHA512
2e75471b938f0be7959e51a66f43ca4ba8ba54a3c4f8e91a10e73b90ed996f478a0949f53b5a8008ceb22b841b6d79c1992f536689645c866934751852ad864c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy41C4.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy41C4.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy41C4.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy41C4.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy41C4.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
15d0c67dc3b37f98e119701453abf0d5

SHA1
3514b2d17260420d7ea59559f18ddc887f361872

SHA256
482b4a76c1e53900cbbe5575b134497ad3c418da207fcaee7a95bc38e0b7cd25

SHA512
7231aa60e35c430e9c3ba05da56c7985e4a6a9275ba9e5be98af6bd79c5379cb778876d4559fe6031a664e975e1bf16bd3f985210b50e1eaafcccbf337808564

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
15d0c67dc3b37f98e119701453abf0d5

SHA1
3514b2d17260420d7ea59559f18ddc887f361872

SHA256
482b4a76c1e53900cbbe5575b134497ad3c418da207fcaee7a95bc38e0b7cd25

SHA512
7231aa60e35c430e9c3ba05da56c7985e4a6a9275ba9e5be98af6bd79c5379cb778876d4559fe6031a664e975e1bf16bd3f985210b50e1eaafcccbf337808564

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
15d0c67dc3b37f98e119701453abf0d5

SHA1
3514b2d17260420d7ea59559f18ddc887f361872

SHA256
482b4a76c1e53900cbbe5575b134497ad3c418da207fcaee7a95bc38e0b7cd25

SHA512
7231aa60e35c430e9c3ba05da56c7985e4a6a9275ba9e5be98af6bd79c5379cb778876d4559fe6031a664e975e1bf16bd3f985210b50e1eaafcccbf337808564

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
b6e49541bfad1f9c8966322525a2165e

SHA1
2c18a24b63e9530661f055bcf7de64c887119aaf

SHA256
bd42fbf8fb8f20007be1df840321b378de533449c73c53605d4e8b8d189b162c

SHA512
94074699c540e428b6f39966ec6eb1917293eacd759deb9039d1fa851dfb5743a7bbdd53c63933ebfbdab995ea0caedf44255751b18a79564d59de96022d51be

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
b6e49541bfad1f9c8966322525a2165e

SHA1
2c18a24b63e9530661f055bcf7de64c887119aaf

SHA256
bd42fbf8fb8f20007be1df840321b378de533449c73c53605d4e8b8d189b162c

SHA512
94074699c540e428b6f39966ec6eb1917293eacd759deb9039d1fa851dfb5743a7bbdd53c63933ebfbdab995ea0caedf44255751b18a79564d59de96022d51be

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
cc91f43543ede3f3bc4649f82e48501b

SHA1
ef4249e0bbedbd32924a25872b2c2bf8f172a970

SHA256
eb296d068f8dd5b9396af0dd991746db31c3410e1b413f5f290e43533fc131ea

SHA512
c53d34e4cad5a3aae785f4582fc442a67560aa9fd842fc90feac6bc0eeac3f9bee0da8cb8713495f16f37212a02665355e391c0744b666264d9308204c6319da

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
adbe5f1804c55bbb5c2d0e5c679517a3

SHA1
1947f55de0fb0d0dfeb0e5c905d5c8168d278e82

SHA256
3b62c26dc70c1e0941ef356930747c6d38adf5067e1bc295a0fed9aef5a2aaf5

SHA512
be7400f69bc1ea54390c64a1e4bca206ce29df80c57e43c964db9fc6f5ee409400f3d04d41a4067fe2162eecbbf3a504a017dc28f5032e783cc982d91f3c1805

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
c000756fda98ffd73c502392025d2a90

SHA1
47c9e96914ff714edbd54b893cf01bd12c4efe0d

SHA256
1acb7308e7d53546bb436717651056a1108a9838a3e019400c09559c4263ed88

SHA512
2e75471b938f0be7959e51a66f43ca4ba8ba54a3c4f8e91a10e73b90ed996f478a0949f53b5a8008ceb22b841b6d79c1992f536689645c866934751852ad864c

Download Submit
memory/940-58-0x0000000000000000-mapping.dmp

Download
memory/948-75-0x0000000000000000-mapping.dmp

Download
memory/1072-80-0x0000000000000000-mapping.dmp

Download
memory/1084-79-0x0000000000000000-mapping.dmp

Download
memory/1124-86-0x0000000000000000-mapping.dmp

Download
memory/1176-85-0x0000000000000000-mapping.dmp

Download
memory/1220-69-0x0000000000000000-mapping.dmp

Download
memory/1416-61-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000075AD1000-0x0000000075AD3000-memory.dmp

Filesize
8KB

Download
memory/1544-63-0x0000000000000000-mapping.dmp

Download
memory/1624-60-0x0000000000000000-mapping.dmp

Download
memory/2036-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads