a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee

Analysis

max time kernel
39s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
Size

602KB
MD5

895cbe7a49e0a57a6ae9a9fbb0ee9c9d
SHA1

e53cf4b890b09e3a0a2729ebb6f9574cb1c4ead7
SHA256

a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee
SHA512

4ac9ef6609205f51e0620d6d0159c51d405e7e11d04038eacde282bf0ef9f1e43643198a24fd5470caccce0d51a37502bb46db60732ec18f26f2730dc9d6553c
SSDEEP

12288:aIny5DYTu/sZpgTeO+9eVTIApJn7U35etLvMFIZkQaDkvu2d2kvO1VRfoh:8UTuQCqCIAC5eFvMSkQQkvu2Yk21VRQh

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1560 installd.exe
572 nethtsrv.exe
1492 netupdsrv.exe
1384 nethtsrv.exe
1552 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe

pid	process
1560	installd.exe
572	nethtsrv.exe
1492	netupdsrv.exe
1384	nethtsrv.exe
1552	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
1560	installd.exe
1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
572	nethtsrv.exe
572	nethtsrv.exe
1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
1384	nethtsrv.exe
1384	nethtsrv.exe
1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
File created	C:\Windows\SysWOW64\installd.exe	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe

Drops file in Program Files directory 3 IoCs

Processes:

a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1384 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1384	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1488 wrote to memory of 1988	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1988	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1988	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1988	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1988 wrote to memory of 1800	1988	net.exe	net1.exe
PID 1988 wrote to memory of 1800	1988	net.exe	net1.exe
PID 1988 wrote to memory of 1800	1988	net.exe	net1.exe
PID 1988 wrote to memory of 1800	1988	net.exe	net1.exe
PID 1488 wrote to memory of 1480	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1480	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1480	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1480	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1480 wrote to memory of 1632	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1632	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1632	1480	net.exe	net1.exe
PID 1480 wrote to memory of 1632	1480	net.exe	net1.exe
PID 1488 wrote to memory of 1560	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	installd.exe
PID 1488 wrote to memory of 1560	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	installd.exe
PID 1488 wrote to memory of 572	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	nethtsrv.exe
PID 1488 wrote to memory of 572	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	nethtsrv.exe
PID 1488 wrote to memory of 572	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	nethtsrv.exe
PID 1488 wrote to memory of 572	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	nethtsrv.exe
PID 1488 wrote to memory of 1492	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	netupdsrv.exe
PID 1488 wrote to memory of 1492	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	netupdsrv.exe
PID 1488 wrote to memory of 1376	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1376	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1376	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1376	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1376 wrote to memory of 1952	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1952	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1952	1376	net.exe	net1.exe
PID 1376 wrote to memory of 1952	1376	net.exe	net1.exe
PID 1488 wrote to memory of 1936	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1936	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1936	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1488 wrote to memory of 1936	1488	a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe	net.exe
PID 1936 wrote to memory of 2016	1936	net.exe	net1.exe
PID 1936 wrote to memory of 2016	1936	net.exe	net1.exe
PID 1936 wrote to memory of 2016	1936	net.exe	net1.exe
PID 1936 wrote to memory of 2016	1936	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe
"C:\Users\Admin\AppData\Local\Temp\a127dcf76a5bda74fad14bffa1fce147e4944a33b637d275d98ff0266068a0ee.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1488

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1800

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1632

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1492

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1952

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:2016

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1552

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
8de1e278e2f8d2eada0d3417eee86376

SHA1
ef482be95cc8940914b60b9312ebcf81cef81ab1

SHA256
f2266a2d70d29faf099f0e7cda8847e9071c11d9d24065c58d51822aac1cbeba

SHA512
7181606e42c0f54f33d440e47e489a7321b96923260a2113063439e3deae7fc03ff1d5b00701a32f8c9b5d34bfd54dac263095ec0555d168ecc53c90d50f0e7a

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
4979619cdf99cda0eb4630ef19b9bfea

SHA1
9fedf742222ec808eada558c98622b11f0009fc9

SHA256
a1f925b808ee67d122dee9e70712e97ed2d453f67e02d968598bd41021ecf582

SHA512
b70279bf0c2c7dabd33ba14ae1ee6ee49b6d4144cc29a3018a582639e9993d48d6788c13dfd88791592f5a555d03191c866c24b6eaac00b01601b78d0748a56b

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
64577e1430017208afbc829bed8ab3d9

SHA1
7f6d176bc87f57c3c734464b084ca656d087f3c4

SHA256
6d33ad8a3e5eccc4791bf589700401577f9a612d010f355f9559ded94dddb10d

SHA512
74b97f507714efb426f04bf037cf82510ea0957675130438878ffd71f22c308e112e91de394b023541ea57d492f038c371e00edd21e52bd59d7a1755d4bf9039

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
fb7aa9499fe5a0946e86ac3d95035d6f

SHA1
49e7b9390afb9b34c83667caf6155b708e79912c

SHA256
4df2e81f3435eddb8eab88d9b2170aa5fc5d5622619ca5a1ea82b1d8720d9af2

SHA512
7c6925c0b7ce0b8de73a3442b8ef8969282d2f3811eb94c87b0978e0d0d8b8adb1eb6ca1630df9d51d100b0af1a026f9b7522b3da4029d8df6a3fe4b513a6fd3

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
fb7aa9499fe5a0946e86ac3d95035d6f

SHA1
49e7b9390afb9b34c83667caf6155b708e79912c

SHA256
4df2e81f3435eddb8eab88d9b2170aa5fc5d5622619ca5a1ea82b1d8720d9af2

SHA512
7c6925c0b7ce0b8de73a3442b8ef8969282d2f3811eb94c87b0978e0d0d8b8adb1eb6ca1630df9d51d100b0af1a026f9b7522b3da4029d8df6a3fe4b513a6fd3

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
fc304b0c06f08b8739b71b392a2b9219

SHA1
e34ca9fe7762e3b4314debdd11ef74b48bd3a28b

SHA256
276bb276187c435220776ee1a2f490204becec68faf8285fd13c3d1dc2a4fb90

SHA512
2324c524c7b8ec3c2ba80a9e2fe72c79cf571c542bf5eccf438a4ab9dc4ceb8e9979bf9ac3566bc2148685cbb1b2f1285b775f6e9b0dcf72afde79cf5a5a8ea7

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
fc304b0c06f08b8739b71b392a2b9219

SHA1
e34ca9fe7762e3b4314debdd11ef74b48bd3a28b

SHA256
276bb276187c435220776ee1a2f490204becec68faf8285fd13c3d1dc2a4fb90

SHA512
2324c524c7b8ec3c2ba80a9e2fe72c79cf571c542bf5eccf438a4ab9dc4ceb8e9979bf9ac3566bc2148685cbb1b2f1285b775f6e9b0dcf72afde79cf5a5a8ea7

Download Submit
\Users\Admin\AppData\Local\Temp\nst5045.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst5045.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst5045.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst5045.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst5045.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
8de1e278e2f8d2eada0d3417eee86376

SHA1
ef482be95cc8940914b60b9312ebcf81cef81ab1

SHA256
f2266a2d70d29faf099f0e7cda8847e9071c11d9d24065c58d51822aac1cbeba

SHA512
7181606e42c0f54f33d440e47e489a7321b96923260a2113063439e3deae7fc03ff1d5b00701a32f8c9b5d34bfd54dac263095ec0555d168ecc53c90d50f0e7a

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
8de1e278e2f8d2eada0d3417eee86376

SHA1
ef482be95cc8940914b60b9312ebcf81cef81ab1

SHA256
f2266a2d70d29faf099f0e7cda8847e9071c11d9d24065c58d51822aac1cbeba

SHA512
7181606e42c0f54f33d440e47e489a7321b96923260a2113063439e3deae7fc03ff1d5b00701a32f8c9b5d34bfd54dac263095ec0555d168ecc53c90d50f0e7a

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
8de1e278e2f8d2eada0d3417eee86376

SHA1
ef482be95cc8940914b60b9312ebcf81cef81ab1

SHA256
f2266a2d70d29faf099f0e7cda8847e9071c11d9d24065c58d51822aac1cbeba

SHA512
7181606e42c0f54f33d440e47e489a7321b96923260a2113063439e3deae7fc03ff1d5b00701a32f8c9b5d34bfd54dac263095ec0555d168ecc53c90d50f0e7a

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
4979619cdf99cda0eb4630ef19b9bfea

SHA1
9fedf742222ec808eada558c98622b11f0009fc9

SHA256
a1f925b808ee67d122dee9e70712e97ed2d453f67e02d968598bd41021ecf582

SHA512
b70279bf0c2c7dabd33ba14ae1ee6ee49b6d4144cc29a3018a582639e9993d48d6788c13dfd88791592f5a555d03191c866c24b6eaac00b01601b78d0748a56b

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
4979619cdf99cda0eb4630ef19b9bfea

SHA1
9fedf742222ec808eada558c98622b11f0009fc9

SHA256
a1f925b808ee67d122dee9e70712e97ed2d453f67e02d968598bd41021ecf582

SHA512
b70279bf0c2c7dabd33ba14ae1ee6ee49b6d4144cc29a3018a582639e9993d48d6788c13dfd88791592f5a555d03191c866c24b6eaac00b01601b78d0748a56b

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
64577e1430017208afbc829bed8ab3d9

SHA1
7f6d176bc87f57c3c734464b084ca656d087f3c4

SHA256
6d33ad8a3e5eccc4791bf589700401577f9a612d010f355f9559ded94dddb10d

SHA512
74b97f507714efb426f04bf037cf82510ea0957675130438878ffd71f22c308e112e91de394b023541ea57d492f038c371e00edd21e52bd59d7a1755d4bf9039

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
fb7aa9499fe5a0946e86ac3d95035d6f

SHA1
49e7b9390afb9b34c83667caf6155b708e79912c

SHA256
4df2e81f3435eddb8eab88d9b2170aa5fc5d5622619ca5a1ea82b1d8720d9af2

SHA512
7c6925c0b7ce0b8de73a3442b8ef8969282d2f3811eb94c87b0978e0d0d8b8adb1eb6ca1630df9d51d100b0af1a026f9b7522b3da4029d8df6a3fe4b513a6fd3

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
fc304b0c06f08b8739b71b392a2b9219

SHA1
e34ca9fe7762e3b4314debdd11ef74b48bd3a28b

SHA256
276bb276187c435220776ee1a2f490204becec68faf8285fd13c3d1dc2a4fb90

SHA512
2324c524c7b8ec3c2ba80a9e2fe72c79cf571c542bf5eccf438a4ab9dc4ceb8e9979bf9ac3566bc2148685cbb1b2f1285b775f6e9b0dcf72afde79cf5a5a8ea7

Download Submit
memory/572-70-0x0000000000000000-mapping.dmp

Download
memory/1376-80-0x0000000000000000-mapping.dmp

Download
memory/1480-61-0x0000000000000000-mapping.dmp

Download
memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1488-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1488-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1492-76-0x0000000000000000-mapping.dmp

Download
memory/1560-64-0x0000000000000000-mapping.dmp

Download
memory/1632-62-0x0000000000000000-mapping.dmp

Download
memory/1800-59-0x0000000000000000-mapping.dmp

Download
memory/1936-86-0x0000000000000000-mapping.dmp

Download
memory/1952-81-0x0000000000000000-mapping.dmp

Download
memory/1988-57-0x0000000000000000-mapping.dmp

Download
memory/2016-87-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads