adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738

Analysis

max time kernel
42s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
Size

602KB
MD5

bf69fe5fd74278d28edd213879331f74
SHA1

ef1a7855fe1b70ffe35a5f59fade8758e4246b0b
SHA256

adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738
SHA512

894955a6bb57fe94b097c8e237efab698f7ee78f6353ddf656d566b15da1ffd9f165537effad43756e1554bdd18e6b90edceb86cdea7e30580a068c2ee943914
SSDEEP

12288:NIny5DYTgJreGTX1DvoZbbG5diTdxygzqEypHjXXvjSi:ZUTMrt1DGbMdiTDzqhHTfO

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1248 installd.exe
1224 nethtsrv.exe
1448 netupdsrv.exe
1496 nethtsrv.exe
1532 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe

pid	process
1248	installd.exe
1224	nethtsrv.exe
1448	netupdsrv.exe
1496	nethtsrv.exe
1532	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
1248	installd.exe
1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
1224	nethtsrv.exe
1224	nethtsrv.exe
1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
1496	nethtsrv.exe
1496	nethtsrv.exe
1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
File created	C:\Windows\SysWOW64\installd.exe	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe

Drops file in Program Files directory 3 IoCs

Processes:

adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1496 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1496	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1972 wrote to memory of 980	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 980	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 980	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 980	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 980 wrote to memory of 1104	980	net.exe	net1.exe
PID 980 wrote to memory of 1104	980	net.exe	net1.exe
PID 980 wrote to memory of 1104	980	net.exe	net1.exe
PID 980 wrote to memory of 1104	980	net.exe	net1.exe
PID 1972 wrote to memory of 1252	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1252	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1252	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1252	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1252 wrote to memory of 1064	1252	net.exe	net1.exe
PID 1252 wrote to memory of 1064	1252	net.exe	net1.exe
PID 1252 wrote to memory of 1064	1252	net.exe	net1.exe
PID 1252 wrote to memory of 1064	1252	net.exe	net1.exe
PID 1972 wrote to memory of 1248	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	installd.exe
PID 1972 wrote to memory of 1248	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	installd.exe
PID 1972 wrote to memory of 1248	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	installd.exe
PID 1972 wrote to memory of 1248	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	installd.exe
PID 1972 wrote to memory of 1248	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	installd.exe
PID 1972 wrote to memory of 1248	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	installd.exe
PID 1972 wrote to memory of 1248	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	installd.exe
PID 1972 wrote to memory of 1224	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	nethtsrv.exe
PID 1972 wrote to memory of 1224	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	nethtsrv.exe
PID 1972 wrote to memory of 1224	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	nethtsrv.exe
PID 1972 wrote to memory of 1224	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	nethtsrv.exe
PID 1972 wrote to memory of 1448	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	netupdsrv.exe
PID 1972 wrote to memory of 1448	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	netupdsrv.exe
PID 1972 wrote to memory of 1448	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	netupdsrv.exe
PID 1972 wrote to memory of 1448	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	netupdsrv.exe
PID 1972 wrote to memory of 1448	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	netupdsrv.exe
PID 1972 wrote to memory of 1448	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	netupdsrv.exe
PID 1972 wrote to memory of 1448	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	netupdsrv.exe
PID 1972 wrote to memory of 1652	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1652	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1652	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1652	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1652 wrote to memory of 1404	1652	net.exe	net1.exe
PID 1652 wrote to memory of 1404	1652	net.exe	net1.exe
PID 1652 wrote to memory of 1404	1652	net.exe	net1.exe
PID 1652 wrote to memory of 1404	1652	net.exe	net1.exe
PID 1972 wrote to memory of 1736	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1736	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1736	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1972 wrote to memory of 1736	1972	adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe	net.exe
PID 1736 wrote to memory of 1300	1736	net.exe	net1.exe
PID 1736 wrote to memory of 1300	1736	net.exe	net1.exe
PID 1736 wrote to memory of 1300	1736	net.exe	net1.exe
PID 1736 wrote to memory of 1300	1736	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe
"C:\Users\Admin\AppData\Local\Temp\adb51850a83370493a0318cf4c65a3430f7e8940606b9eacb58e488ff9310738.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1104

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1064

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1248

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1224

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1448

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1404

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1300

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1532

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
db2a4db916fb0ad0533c336436177e05

SHA1
0e3a8a61b87164b2bcf42397c2dd6c1d1962df02

SHA256
372d082c7f88324b15847945997e2210d347cdfee3757ee35d8a832859a345b4

SHA512
f0fe6902a08e1ee47869095c3f9e419cfb581d10d0fb84a111bb670cb2bc37d3640342e3814e9522fe41083f6a4e4c29ded4da31a592a89cb845870e9e4e8e2f

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
c1aba0ddef1e1c4ec6fe1f43fc527fa9

SHA1
03c5fd9942cecd7605960a85526953b72651d0f3

SHA256
da61fcb22ad580df870d7ff19b51ecb7e08e61e9e420694b66a203d5b07d1e4d

SHA512
f2d4be4aabcaced4e2d4de7ffa04ad9970da808620097a9065d7dd244fa822123f1ba6fe4c88454810dd4b06e5530a1e21550919300aff5ce67fa863667f373f

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
08d2034dd62e15d390066222f7f4fc07

SHA1
d4d32788a98798b3372c13ac4d719ffa9afd5d28

SHA256
8854e3a78592579b680c5bdace17df5678fae199752c86e7e7a946365436e67e

SHA512
f1f3012cd5019c4db81cbe80eccb2d73b8a67ba17b23adfd1e43fc560c6ab8514be85bac3ee19978b754cf0e33a52c6f475cb43dfdd0de296dce65595d93c9c0

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
732d9802aef4d21046b9717df596d2f5

SHA1
1c8f0e0c94875cb4373e0018ab5f69d3bdc898bb

SHA256
fcb9d895af4c8db07ac337a48f13fee96f0e74870eddd7f614c5381439393777

SHA512
deadf7d2750d2b4d3409911dc066bda5489fe02ac72099dcbe1d6ffa32bf094a1e67fb532f7322e559610f4bcf1348c26c9efbac7a55103ee73380c780ccc847

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
732d9802aef4d21046b9717df596d2f5

SHA1
1c8f0e0c94875cb4373e0018ab5f69d3bdc898bb

SHA256
fcb9d895af4c8db07ac337a48f13fee96f0e74870eddd7f614c5381439393777

SHA512
deadf7d2750d2b4d3409911dc066bda5489fe02ac72099dcbe1d6ffa32bf094a1e67fb532f7322e559610f4bcf1348c26c9efbac7a55103ee73380c780ccc847

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
23cea7dc29430701f18113de3cbf57e5

SHA1
f65e22cab4fba1f60d850f37acd5f7584751fd5c

SHA256
ed99b5d24ded40d763c0ac4e044af4a0e0e043b920ac49a5166e5fd8a1eb2ee4

SHA512
c8906bb32052bd6f901899a94fe08338a5956e35c5c4b25a5f7d7b0032c5ba1345164572e599defb22b9e87a8599078346de488a8768bea63d005caaa00d17c2

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
23cea7dc29430701f18113de3cbf57e5

SHA1
f65e22cab4fba1f60d850f37acd5f7584751fd5c

SHA256
ed99b5d24ded40d763c0ac4e044af4a0e0e043b920ac49a5166e5fd8a1eb2ee4

SHA512
c8906bb32052bd6f901899a94fe08338a5956e35c5c4b25a5f7d7b0032c5ba1345164572e599defb22b9e87a8599078346de488a8768bea63d005caaa00d17c2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B7F.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B7F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B7F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B7F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1B7F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
db2a4db916fb0ad0533c336436177e05

SHA1
0e3a8a61b87164b2bcf42397c2dd6c1d1962df02

SHA256
372d082c7f88324b15847945997e2210d347cdfee3757ee35d8a832859a345b4

SHA512
f0fe6902a08e1ee47869095c3f9e419cfb581d10d0fb84a111bb670cb2bc37d3640342e3814e9522fe41083f6a4e4c29ded4da31a592a89cb845870e9e4e8e2f

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
db2a4db916fb0ad0533c336436177e05

SHA1
0e3a8a61b87164b2bcf42397c2dd6c1d1962df02

SHA256
372d082c7f88324b15847945997e2210d347cdfee3757ee35d8a832859a345b4

SHA512
f0fe6902a08e1ee47869095c3f9e419cfb581d10d0fb84a111bb670cb2bc37d3640342e3814e9522fe41083f6a4e4c29ded4da31a592a89cb845870e9e4e8e2f

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
db2a4db916fb0ad0533c336436177e05

SHA1
0e3a8a61b87164b2bcf42397c2dd6c1d1962df02

SHA256
372d082c7f88324b15847945997e2210d347cdfee3757ee35d8a832859a345b4

SHA512
f0fe6902a08e1ee47869095c3f9e419cfb581d10d0fb84a111bb670cb2bc37d3640342e3814e9522fe41083f6a4e4c29ded4da31a592a89cb845870e9e4e8e2f

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
c1aba0ddef1e1c4ec6fe1f43fc527fa9

SHA1
03c5fd9942cecd7605960a85526953b72651d0f3

SHA256
da61fcb22ad580df870d7ff19b51ecb7e08e61e9e420694b66a203d5b07d1e4d

SHA512
f2d4be4aabcaced4e2d4de7ffa04ad9970da808620097a9065d7dd244fa822123f1ba6fe4c88454810dd4b06e5530a1e21550919300aff5ce67fa863667f373f

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
c1aba0ddef1e1c4ec6fe1f43fc527fa9

SHA1
03c5fd9942cecd7605960a85526953b72651d0f3

SHA256
da61fcb22ad580df870d7ff19b51ecb7e08e61e9e420694b66a203d5b07d1e4d

SHA512
f2d4be4aabcaced4e2d4de7ffa04ad9970da808620097a9065d7dd244fa822123f1ba6fe4c88454810dd4b06e5530a1e21550919300aff5ce67fa863667f373f

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
08d2034dd62e15d390066222f7f4fc07

SHA1
d4d32788a98798b3372c13ac4d719ffa9afd5d28

SHA256
8854e3a78592579b680c5bdace17df5678fae199752c86e7e7a946365436e67e

SHA512
f1f3012cd5019c4db81cbe80eccb2d73b8a67ba17b23adfd1e43fc560c6ab8514be85bac3ee19978b754cf0e33a52c6f475cb43dfdd0de296dce65595d93c9c0

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
732d9802aef4d21046b9717df596d2f5

SHA1
1c8f0e0c94875cb4373e0018ab5f69d3bdc898bb

SHA256
fcb9d895af4c8db07ac337a48f13fee96f0e74870eddd7f614c5381439393777

SHA512
deadf7d2750d2b4d3409911dc066bda5489fe02ac72099dcbe1d6ffa32bf094a1e67fb532f7322e559610f4bcf1348c26c9efbac7a55103ee73380c780ccc847

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
23cea7dc29430701f18113de3cbf57e5

SHA1
f65e22cab4fba1f60d850f37acd5f7584751fd5c

SHA256
ed99b5d24ded40d763c0ac4e044af4a0e0e043b920ac49a5166e5fd8a1eb2ee4

SHA512
c8906bb32052bd6f901899a94fe08338a5956e35c5c4b25a5f7d7b0032c5ba1345164572e599defb22b9e87a8599078346de488a8768bea63d005caaa00d17c2

Download Submit
memory/980-57-0x0000000000000000-mapping.dmp

Download
memory/1064-61-0x0000000000000000-mapping.dmp

Download
memory/1104-58-0x0000000000000000-mapping.dmp

Download
memory/1224-70-0x0000000000000000-mapping.dmp

Download
memory/1248-64-0x0000000000000000-mapping.dmp

Download
memory/1252-60-0x0000000000000000-mapping.dmp

Download
memory/1300-88-0x0000000000000000-mapping.dmp

Download
memory/1404-82-0x0000000000000000-mapping.dmp

Download
memory/1448-77-0x0000000000000000-mapping.dmp

Download
memory/1652-81-0x0000000000000000-mapping.dmp

Download
memory/1736-87-0x0000000000000000-mapping.dmp

Download
memory/1972-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1972-75-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1972-62-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1972-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads