a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375

Analysis

max time kernel
99s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
Size

602KB
MD5

5303640b857b28626b2ab5e568ade62d
SHA1

4622abc9f64002f589d5abc9f5d428c6a9eb0b4f
SHA256

a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375
SHA512

3e280286674eaee8a56010f713e4430aad31de4bedbf0bf3b6ac14247de9a1aaa563c5a2b924213323fa66ebcbf3e24074cfe453763aeac646bf4374cc0b2933
SSDEEP

12288:iIny5DYTaYOuLtYuQYFTuxp9KgCLw0Fcrvz:EUTvLp7Fixp6Fmz

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1168 installd.exe
1816 nethtsrv.exe
316 netupdsrv.exe
1724 nethtsrv.exe
1828 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe

pid	process
1168	installd.exe
1816	nethtsrv.exe
316	netupdsrv.exe
1724	nethtsrv.exe
1828	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
1168	installd.exe
824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
1816	nethtsrv.exe
1816	nethtsrv.exe
824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
1724	nethtsrv.exe
1724	nethtsrv.exe
824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe

Drops file in Program Files directory 3 IoCs

Processes:

a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1724 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1724	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 824 wrote to memory of 1000	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1000	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1000	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1000	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 1000 wrote to memory of 588	1000	net.exe	net1.exe
PID 1000 wrote to memory of 588	1000	net.exe	net1.exe
PID 1000 wrote to memory of 588	1000	net.exe	net1.exe
PID 1000 wrote to memory of 588	1000	net.exe	net1.exe
PID 824 wrote to memory of 324	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 324	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 324	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 324	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 324 wrote to memory of 908	324	net.exe	net1.exe
PID 324 wrote to memory of 908	324	net.exe	net1.exe
PID 324 wrote to memory of 908	324	net.exe	net1.exe
PID 324 wrote to memory of 908	324	net.exe	net1.exe
PID 824 wrote to memory of 1168	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	installd.exe
PID 824 wrote to memory of 1168	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	installd.exe
PID 824 wrote to memory of 1168	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	installd.exe
PID 824 wrote to memory of 1168	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	installd.exe
PID 824 wrote to memory of 1168	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	installd.exe
PID 824 wrote to memory of 1168	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	installd.exe
PID 824 wrote to memory of 1168	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	installd.exe
PID 824 wrote to memory of 1816	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	nethtsrv.exe
PID 824 wrote to memory of 1816	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	nethtsrv.exe
PID 824 wrote to memory of 1816	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	nethtsrv.exe
PID 824 wrote to memory of 1816	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	nethtsrv.exe
PID 824 wrote to memory of 316	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	netupdsrv.exe
PID 824 wrote to memory of 316	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	netupdsrv.exe
PID 824 wrote to memory of 316	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	netupdsrv.exe
PID 824 wrote to memory of 316	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	netupdsrv.exe
PID 824 wrote to memory of 316	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	netupdsrv.exe
PID 824 wrote to memory of 316	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	netupdsrv.exe
PID 824 wrote to memory of 316	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	netupdsrv.exe
PID 824 wrote to memory of 1956	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1956	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1956	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1956	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 1956 wrote to memory of 2008	1956	net.exe	net1.exe
PID 1956 wrote to memory of 2008	1956	net.exe	net1.exe
PID 1956 wrote to memory of 2008	1956	net.exe	net1.exe
PID 1956 wrote to memory of 2008	1956	net.exe	net1.exe
PID 824 wrote to memory of 1456	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1456	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1456	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 824 wrote to memory of 1456	824	a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe	net.exe
PID 1456 wrote to memory of 840	1456	net.exe	net1.exe
PID 1456 wrote to memory of 840	1456	net.exe	net1.exe
PID 1456 wrote to memory of 840	1456	net.exe	net1.exe
PID 1456 wrote to memory of 840	1456	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe
"C:\Users\Admin\AppData\Local\Temp\a96aed03d6b476763cb2c76432322844b6c19dac912afb26c5d92b77ab731375.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:588

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:908

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:316

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1956

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:2008

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:840

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1828

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
11edc1b70057eb02694818e8a0947e5f

SHA1
2deb9a4808ee236e518d9bc250776070cca52ea2

SHA256
bfe6b7a7f306bfb1048ff54891485185342dcbff68d7a328885b763901d6d88e

SHA512
b0c2426cf22215db8d3fd54e342eb74827aef8c0ec12deee64a89b5df93bd6d7cb7e4dfba33b8f4412cba308195562d3d9d638af3b2b988134b3609b0ddc8d78

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
4d3b8e10601f6d2e0f2402882b9cca97

SHA1
762772a0054ea82845d7c0a0b674f8b4a552a5fd

SHA256
129515372cc8b39255f8084a6ddf3f3e4341b4719411496d94c2dcd0f1c3f289

SHA512
ca4bb9496f431578b12dc342808a46dca7aef5548e0fe1bde4cc16bfdc92f987d06e6b3c44f9c12d593ac645865738dc9b2ae172a16b2c541f7ee8c7adda0569

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
249e8ce3d74b4d1456bf5f0b65715d78

SHA1
b4aeec19c234c126b89abf447d6eb0eba3417352

SHA256
ba56889f24634df14e2f46a45c366437e4e46a8776ae0f7eac3388bbe961383f

SHA512
bd1cf96cab78f8b2d592da3c419d24d5068efa5d761977a41f1c7e4d1e1ed0daa165d9f596d543205aa3d1ec5bc94262ef1b10b282b069be8084e6baa0cabfd3

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
320f23914009f0726cf314fe0602f3c6

SHA1
1a0697c167c4aab7f68b677ff63e67dabc8ce73a

SHA256
03c2471c64df0134383a0a1832ffa7ab659871cd8758fc8b2de873ccbefb3b00

SHA512
271d5c3f4b47f0eb4a9aa28340f543224a900848c8512890c97ae409157191652a406ddad509f34ffc4872a27cb01f4b66bc0b922edb956c90ad1f6a3300a6da

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
320f23914009f0726cf314fe0602f3c6

SHA1
1a0697c167c4aab7f68b677ff63e67dabc8ce73a

SHA256
03c2471c64df0134383a0a1832ffa7ab659871cd8758fc8b2de873ccbefb3b00

SHA512
271d5c3f4b47f0eb4a9aa28340f543224a900848c8512890c97ae409157191652a406ddad509f34ffc4872a27cb01f4b66bc0b922edb956c90ad1f6a3300a6da

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
777bcb37a7dbfcfe2494c48c7e71fcbc

SHA1
379ed55e3d40930b9daefee26814484a29709904

SHA256
a9ef40e7e25d02be346e78f6758a87b3866d55a29116ba8024a662cf1fc038a0

SHA512
661f3e95cdd99d6d3f6f448c30add8e74399cd8d7391f1bd8195a20d076441f2cd2977e04b14c82623fbb0586bccb0ef3b5222eaf7386c7b59d2d4aabc066e00

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
777bcb37a7dbfcfe2494c48c7e71fcbc

SHA1
379ed55e3d40930b9daefee26814484a29709904

SHA256
a9ef40e7e25d02be346e78f6758a87b3866d55a29116ba8024a662cf1fc038a0

SHA512
661f3e95cdd99d6d3f6f448c30add8e74399cd8d7391f1bd8195a20d076441f2cd2977e04b14c82623fbb0586bccb0ef3b5222eaf7386c7b59d2d4aabc066e00

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE42A.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE42A.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE42A.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE42A.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE42A.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
11edc1b70057eb02694818e8a0947e5f

SHA1
2deb9a4808ee236e518d9bc250776070cca52ea2

SHA256
bfe6b7a7f306bfb1048ff54891485185342dcbff68d7a328885b763901d6d88e

SHA512
b0c2426cf22215db8d3fd54e342eb74827aef8c0ec12deee64a89b5df93bd6d7cb7e4dfba33b8f4412cba308195562d3d9d638af3b2b988134b3609b0ddc8d78

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
11edc1b70057eb02694818e8a0947e5f

SHA1
2deb9a4808ee236e518d9bc250776070cca52ea2

SHA256
bfe6b7a7f306bfb1048ff54891485185342dcbff68d7a328885b763901d6d88e

SHA512
b0c2426cf22215db8d3fd54e342eb74827aef8c0ec12deee64a89b5df93bd6d7cb7e4dfba33b8f4412cba308195562d3d9d638af3b2b988134b3609b0ddc8d78

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
11edc1b70057eb02694818e8a0947e5f

SHA1
2deb9a4808ee236e518d9bc250776070cca52ea2

SHA256
bfe6b7a7f306bfb1048ff54891485185342dcbff68d7a328885b763901d6d88e

SHA512
b0c2426cf22215db8d3fd54e342eb74827aef8c0ec12deee64a89b5df93bd6d7cb7e4dfba33b8f4412cba308195562d3d9d638af3b2b988134b3609b0ddc8d78

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
4d3b8e10601f6d2e0f2402882b9cca97

SHA1
762772a0054ea82845d7c0a0b674f8b4a552a5fd

SHA256
129515372cc8b39255f8084a6ddf3f3e4341b4719411496d94c2dcd0f1c3f289

SHA512
ca4bb9496f431578b12dc342808a46dca7aef5548e0fe1bde4cc16bfdc92f987d06e6b3c44f9c12d593ac645865738dc9b2ae172a16b2c541f7ee8c7adda0569

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
4d3b8e10601f6d2e0f2402882b9cca97

SHA1
762772a0054ea82845d7c0a0b674f8b4a552a5fd

SHA256
129515372cc8b39255f8084a6ddf3f3e4341b4719411496d94c2dcd0f1c3f289

SHA512
ca4bb9496f431578b12dc342808a46dca7aef5548e0fe1bde4cc16bfdc92f987d06e6b3c44f9c12d593ac645865738dc9b2ae172a16b2c541f7ee8c7adda0569

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
249e8ce3d74b4d1456bf5f0b65715d78

SHA1
b4aeec19c234c126b89abf447d6eb0eba3417352

SHA256
ba56889f24634df14e2f46a45c366437e4e46a8776ae0f7eac3388bbe961383f

SHA512
bd1cf96cab78f8b2d592da3c419d24d5068efa5d761977a41f1c7e4d1e1ed0daa165d9f596d543205aa3d1ec5bc94262ef1b10b282b069be8084e6baa0cabfd3

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
320f23914009f0726cf314fe0602f3c6

SHA1
1a0697c167c4aab7f68b677ff63e67dabc8ce73a

SHA256
03c2471c64df0134383a0a1832ffa7ab659871cd8758fc8b2de873ccbefb3b00

SHA512
271d5c3f4b47f0eb4a9aa28340f543224a900848c8512890c97ae409157191652a406ddad509f34ffc4872a27cb01f4b66bc0b922edb956c90ad1f6a3300a6da

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
777bcb37a7dbfcfe2494c48c7e71fcbc

SHA1
379ed55e3d40930b9daefee26814484a29709904

SHA256
a9ef40e7e25d02be346e78f6758a87b3866d55a29116ba8024a662cf1fc038a0

SHA512
661f3e95cdd99d6d3f6f448c30add8e74399cd8d7391f1bd8195a20d076441f2cd2977e04b14c82623fbb0586bccb0ef3b5222eaf7386c7b59d2d4aabc066e00

Download Submit
memory/316-77-0x0000000000000000-mapping.dmp

Download
memory/324-61-0x0000000000000000-mapping.dmp

Download
memory/588-59-0x0000000000000000-mapping.dmp

Download
memory/824-75-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/824-54-0x0000000075E11000-0x0000000075E13000-memory.dmp

Filesize
8KB

Download
memory/824-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/824-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/840-88-0x0000000000000000-mapping.dmp

Download
memory/908-62-0x0000000000000000-mapping.dmp

Download
memory/1000-57-0x0000000000000000-mapping.dmp

Download
memory/1168-64-0x0000000000000000-mapping.dmp

Download
memory/1456-87-0x0000000000000000-mapping.dmp

Download
memory/1816-70-0x0000000000000000-mapping.dmp

Download
memory/1956-81-0x0000000000000000-mapping.dmp

Download
memory/2008-82-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads