aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
Size

602KB
MD5

111c300514f039fa3f94b00e46a09ea7
SHA1

d3fd41196859a71a8863e58c3da486e603027d32
SHA256

aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89
SHA512

091c30d066fc785dae717d609edaf6a13d6c47b18deb73d175d2bc820b4ede57b4df0887b3d68867a1e26f6fa817060b76db8d9b9bfc29db8efc0f1a640ad905
SSDEEP

12288:EIny5DYTkIrVUPUOGh+qtBAuq31Rltq8K2W6cW:iUTks3DtBA1nXoccW

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1692 installd.exe
1656 nethtsrv.exe
1296 netupdsrv.exe
2012 nethtsrv.exe
1768 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe

pid	process
1692	installd.exe
1656	nethtsrv.exe
1296	netupdsrv.exe
2012	nethtsrv.exe
1768	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
1692	installd.exe
1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
1656	nethtsrv.exe
1656	nethtsrv.exe
1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
2012	nethtsrv.exe
2012	nethtsrv.exe
1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe

Drops file in Program Files directory 3 IoCs

Processes:

aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

472
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 2012 nethtsrv.exe

pid	process
472

description	pid	process
Token: SeDebugPrivilege	2012	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1288 wrote to memory of 816	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 816	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 816	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 816	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 816 wrote to memory of 1728	816	net.exe	net1.exe
PID 816 wrote to memory of 1728	816	net.exe	net1.exe
PID 816 wrote to memory of 1728	816	net.exe	net1.exe
PID 816 wrote to memory of 1728	816	net.exe	net1.exe
PID 1288 wrote to memory of 372	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 372	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 372	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 372	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 372 wrote to memory of 1756	372	net.exe	net1.exe
PID 372 wrote to memory of 1756	372	net.exe	net1.exe
PID 372 wrote to memory of 1756	372	net.exe	net1.exe
PID 372 wrote to memory of 1756	372	net.exe	net1.exe
PID 1288 wrote to memory of 1692	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	installd.exe
PID 1288 wrote to memory of 1692	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	installd.exe
PID 1288 wrote to memory of 1692	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	installd.exe
PID 1288 wrote to memory of 1692	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	installd.exe
PID 1288 wrote to memory of 1692	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	installd.exe
PID 1288 wrote to memory of 1692	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	installd.exe
PID 1288 wrote to memory of 1692	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	installd.exe
PID 1288 wrote to memory of 1656	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	nethtsrv.exe
PID 1288 wrote to memory of 1656	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	nethtsrv.exe
PID 1288 wrote to memory of 1656	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	nethtsrv.exe
PID 1288 wrote to memory of 1656	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	nethtsrv.exe
PID 1288 wrote to memory of 1296	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	netupdsrv.exe
PID 1288 wrote to memory of 1296	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	netupdsrv.exe
PID 1288 wrote to memory of 1296	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	netupdsrv.exe
PID 1288 wrote to memory of 1296	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	netupdsrv.exe
PID 1288 wrote to memory of 1296	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	netupdsrv.exe
PID 1288 wrote to memory of 1296	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	netupdsrv.exe
PID 1288 wrote to memory of 1296	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	netupdsrv.exe
PID 1288 wrote to memory of 1044	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 1044	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 1044	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 1044	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1044 wrote to memory of 2028	1044	net.exe	net1.exe
PID 1044 wrote to memory of 2028	1044	net.exe	net1.exe
PID 1044 wrote to memory of 2028	1044	net.exe	net1.exe
PID 1044 wrote to memory of 2028	1044	net.exe	net1.exe
PID 1288 wrote to memory of 1668	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 1668	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 1668	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1288 wrote to memory of 1668	1288	aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe	net.exe
PID 1668 wrote to memory of 740	1668	net.exe	net1.exe
PID 1668 wrote to memory of 740	1668	net.exe	net1.exe
PID 1668 wrote to memory of 740	1668	net.exe	net1.exe
PID 1668 wrote to memory of 740	1668	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe
"C:\Users\Admin\AppData\Local\Temp\aa584df13a96e262ae0d877799d392ee9b29411f5f891fe2a2f1bd9de57d8a89.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:816

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1728

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1756

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1296

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1668

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:740

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1768

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
d1784429902895d518c838ac1d935657

SHA1
378db13b7e32dc397d127513af88a8cf1127c81d

SHA256
310d7f6db5bbc1438528cce859aa1484ac8efb20ee9901b4ba5eabcbf7f60b8e

SHA512
a115bdc70aea9cd306d9c3d5b777a3caddfbfd9a8e107638b0dba1116038c299e4dd1799c2708124a2c20a3cc58a7cbf3c5a323bf81ce1c0183fd303fdc0aeea

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
2b4810378cba9365aa25395f0e25924b

SHA1
c8db7b389b3264cd5f65f5f4fa177d16fc01a5c3

SHA256
fa9e4912a3493b7c5bf45cd57ce9f59a9679513436e278fbb91ae8246640de07

SHA512
d8435835462fab9acd0a6220e6e32f7303767516f0ae38497a064ffc91d2c8afc18f04b0554eef6a17429d038556a7c460ca9c594ddbfacc8f4c145c98a9fcb4

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
b42b9d96272aa433ffce51af250df652

SHA1
e0e21b0d410f3ce6aa52aeed4d27c4969f01db6c

SHA256
f2c14c10678a199d91e2b07baa8f1f977ca14b1a83a91fed892ddf1dda96644c

SHA512
dfae4f83de990bab22bf6f49f0c43a81d03135ec0ee62957d851930caf51e651e0dbe1dca880fce2644e5dc1fc40cd38e498027d3e2429141ed6f4ef2b364731

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
42fc9daa59064a8e663d78d3caa2447c

SHA1
ceb5cf16b1140ae1e54b13f109fc978b81332c63

SHA256
2602abe96374741a9d06f96f00e696e6b95db4f0c7f092ac8674c7a5de83ec53

SHA512
f0184dfe973a9ac14742a47948b379a7ddc436a586b56779bd762769dd81b0af9ee71697a13967652b4926d68f75dc25265ecf26964a470d51093dc986b81ed2

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
42fc9daa59064a8e663d78d3caa2447c

SHA1
ceb5cf16b1140ae1e54b13f109fc978b81332c63

SHA256
2602abe96374741a9d06f96f00e696e6b95db4f0c7f092ac8674c7a5de83ec53

SHA512
f0184dfe973a9ac14742a47948b379a7ddc436a586b56779bd762769dd81b0af9ee71697a13967652b4926d68f75dc25265ecf26964a470d51093dc986b81ed2

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
11d5e0fa1a8b82141704c773341d20cf

SHA1
bac0e857cfd4c046137b8b11edea9289d59df6b3

SHA256
f31561a0bc000fc6673599ad12d1c5d5e8327686fc76fcd2b4af07c77691529b

SHA512
c81802584478eec7d9e734caf2438decb74ad75c6c50d6c08adbc9af664ce4dbda33b53e4af3ecb38e7ba843c32daea0a668d94cf9f8e2bee9cc468906daaae1

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
11d5e0fa1a8b82141704c773341d20cf

SHA1
bac0e857cfd4c046137b8b11edea9289d59df6b3

SHA256
f31561a0bc000fc6673599ad12d1c5d5e8327686fc76fcd2b4af07c77691529b

SHA512
c81802584478eec7d9e734caf2438decb74ad75c6c50d6c08adbc9af664ce4dbda33b53e4af3ecb38e7ba843c32daea0a668d94cf9f8e2bee9cc468906daaae1

Download Submit
\Users\Admin\AppData\Local\Temp\nst210B.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst210B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst210B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst210B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst210B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
d1784429902895d518c838ac1d935657

SHA1
378db13b7e32dc397d127513af88a8cf1127c81d

SHA256
310d7f6db5bbc1438528cce859aa1484ac8efb20ee9901b4ba5eabcbf7f60b8e

SHA512
a115bdc70aea9cd306d9c3d5b777a3caddfbfd9a8e107638b0dba1116038c299e4dd1799c2708124a2c20a3cc58a7cbf3c5a323bf81ce1c0183fd303fdc0aeea

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
d1784429902895d518c838ac1d935657

SHA1
378db13b7e32dc397d127513af88a8cf1127c81d

SHA256
310d7f6db5bbc1438528cce859aa1484ac8efb20ee9901b4ba5eabcbf7f60b8e

SHA512
a115bdc70aea9cd306d9c3d5b777a3caddfbfd9a8e107638b0dba1116038c299e4dd1799c2708124a2c20a3cc58a7cbf3c5a323bf81ce1c0183fd303fdc0aeea

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
d1784429902895d518c838ac1d935657

SHA1
378db13b7e32dc397d127513af88a8cf1127c81d

SHA256
310d7f6db5bbc1438528cce859aa1484ac8efb20ee9901b4ba5eabcbf7f60b8e

SHA512
a115bdc70aea9cd306d9c3d5b777a3caddfbfd9a8e107638b0dba1116038c299e4dd1799c2708124a2c20a3cc58a7cbf3c5a323bf81ce1c0183fd303fdc0aeea

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
2b4810378cba9365aa25395f0e25924b

SHA1
c8db7b389b3264cd5f65f5f4fa177d16fc01a5c3

SHA256
fa9e4912a3493b7c5bf45cd57ce9f59a9679513436e278fbb91ae8246640de07

SHA512
d8435835462fab9acd0a6220e6e32f7303767516f0ae38497a064ffc91d2c8afc18f04b0554eef6a17429d038556a7c460ca9c594ddbfacc8f4c145c98a9fcb4

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
2b4810378cba9365aa25395f0e25924b

SHA1
c8db7b389b3264cd5f65f5f4fa177d16fc01a5c3

SHA256
fa9e4912a3493b7c5bf45cd57ce9f59a9679513436e278fbb91ae8246640de07

SHA512
d8435835462fab9acd0a6220e6e32f7303767516f0ae38497a064ffc91d2c8afc18f04b0554eef6a17429d038556a7c460ca9c594ddbfacc8f4c145c98a9fcb4

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
b42b9d96272aa433ffce51af250df652

SHA1
e0e21b0d410f3ce6aa52aeed4d27c4969f01db6c

SHA256
f2c14c10678a199d91e2b07baa8f1f977ca14b1a83a91fed892ddf1dda96644c

SHA512
dfae4f83de990bab22bf6f49f0c43a81d03135ec0ee62957d851930caf51e651e0dbe1dca880fce2644e5dc1fc40cd38e498027d3e2429141ed6f4ef2b364731

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
42fc9daa59064a8e663d78d3caa2447c

SHA1
ceb5cf16b1140ae1e54b13f109fc978b81332c63

SHA256
2602abe96374741a9d06f96f00e696e6b95db4f0c7f092ac8674c7a5de83ec53

SHA512
f0184dfe973a9ac14742a47948b379a7ddc436a586b56779bd762769dd81b0af9ee71697a13967652b4926d68f75dc25265ecf26964a470d51093dc986b81ed2

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
11d5e0fa1a8b82141704c773341d20cf

SHA1
bac0e857cfd4c046137b8b11edea9289d59df6b3

SHA256
f31561a0bc000fc6673599ad12d1c5d5e8327686fc76fcd2b4af07c77691529b

SHA512
c81802584478eec7d9e734caf2438decb74ad75c6c50d6c08adbc9af664ce4dbda33b53e4af3ecb38e7ba843c32daea0a668d94cf9f8e2bee9cc468906daaae1

Download Submit
memory/372-61-0x0000000000000000-mapping.dmp

Download
memory/740-87-0x0000000000000000-mapping.dmp

Download
memory/816-57-0x0000000000000000-mapping.dmp

Download
memory/1044-80-0x0000000000000000-mapping.dmp

Download
memory/1288-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1288-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1288-54-0x0000000075FE1000-0x0000000075FE3000-memory.dmp

Filesize
8KB

Download
memory/1296-76-0x0000000000000000-mapping.dmp

Download
memory/1656-70-0x0000000000000000-mapping.dmp

Download
memory/1668-86-0x0000000000000000-mapping.dmp

Download
memory/1692-64-0x0000000000000000-mapping.dmp

Download
memory/1728-58-0x0000000000000000-mapping.dmp

Download
memory/1756-62-0x0000000000000000-mapping.dmp

Download
memory/2028-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads