966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3

Analysis

max time kernel
48s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
Size

602KB
MD5

4a04fa1956b58da093041bf9769cf9fa
SHA1

2a8f0e1a44123c7a0fa683ee0fb3cb3d0fcbe0de
SHA256

966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3
SHA512

3c790247a8d45a9d9ba7bfbd4f3a3ea14770b24ae8a658ff3a85cca7057ea0406bfe0915079aacc9e40cd56c4b0154fa520815d21c9c9618fe16d27efe07d7cd
SSDEEP

12288:2Iny5DYTcIDHLrhQJXcZLWWp01/E5lwTG4e+QCmEGGuknK:4UTcYCJXsLWWp+s5lwTDeZE2X

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

904 installd.exe
1952 nethtsrv.exe
936 netupdsrv.exe
108 nethtsrv.exe
864 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe

pid	process
904	installd.exe
1952	nethtsrv.exe
936	netupdsrv.exe
108	nethtsrv.exe
864	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
904	installd.exe
2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
1952	nethtsrv.exe
1952	nethtsrv.exe
2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
108	nethtsrv.exe
108	nethtsrv.exe
2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
File created	C:\Windows\SysWOW64\installd.exe	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe

Drops file in Program Files directory 3 IoCs

Processes:

966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 108 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	108	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2016 wrote to memory of 980	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 980	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 980	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 980	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 980 wrote to memory of 576	980	net.exe	net1.exe
PID 980 wrote to memory of 576	980	net.exe	net1.exe
PID 980 wrote to memory of 576	980	net.exe	net1.exe
PID 980 wrote to memory of 576	980	net.exe	net1.exe
PID 2016 wrote to memory of 1508	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 1508	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 1508	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 1508	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 1508 wrote to memory of 1940	1508	net.exe	net1.exe
PID 1508 wrote to memory of 1940	1508	net.exe	net1.exe
PID 1508 wrote to memory of 1940	1508	net.exe	net1.exe
PID 1508 wrote to memory of 1940	1508	net.exe	net1.exe
PID 2016 wrote to memory of 904	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	installd.exe
PID 2016 wrote to memory of 904	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	installd.exe
PID 2016 wrote to memory of 904	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	installd.exe
PID 2016 wrote to memory of 904	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	installd.exe
PID 2016 wrote to memory of 904	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	installd.exe
PID 2016 wrote to memory of 904	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	installd.exe
PID 2016 wrote to memory of 904	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	installd.exe
PID 2016 wrote to memory of 1952	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	nethtsrv.exe
PID 2016 wrote to memory of 1952	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	nethtsrv.exe
PID 2016 wrote to memory of 1952	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	nethtsrv.exe
PID 2016 wrote to memory of 1952	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	nethtsrv.exe
PID 2016 wrote to memory of 936	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	netupdsrv.exe
PID 2016 wrote to memory of 936	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	netupdsrv.exe
PID 2016 wrote to memory of 936	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	netupdsrv.exe
PID 2016 wrote to memory of 936	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	netupdsrv.exe
PID 2016 wrote to memory of 936	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	netupdsrv.exe
PID 2016 wrote to memory of 936	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	netupdsrv.exe
PID 2016 wrote to memory of 936	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	netupdsrv.exe
PID 2016 wrote to memory of 280	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 280	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 280	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 280	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 280 wrote to memory of 1524	280	net.exe	net1.exe
PID 280 wrote to memory of 1524	280	net.exe	net1.exe
PID 280 wrote to memory of 1524	280	net.exe	net1.exe
PID 280 wrote to memory of 1524	280	net.exe	net1.exe
PID 2016 wrote to memory of 848	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 848	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 848	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 2016 wrote to memory of 848	2016	966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe	net.exe
PID 848 wrote to memory of 1256	848	net.exe	net1.exe
PID 848 wrote to memory of 1256	848	net.exe	net1.exe
PID 848 wrote to memory of 1256	848	net.exe	net1.exe
PID 848 wrote to memory of 1256	848	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe
"C:\Users\Admin\AppData\Local\Temp\966866f2c74b63b870d68d39698aab298bd681526dcd951cfac8f2e5be4f9fc3.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:576

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1940

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:936

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1524

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1256

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:864

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
3309b66404fc30c47470abc690e7af6c

SHA1
73b349dd25a0aafaf5a9fe5f2c44e494ab45e7f7

SHA256
a54cf81417025a2202c1750c250f1155d1db8f8959cc4cfd55bbbf65c88ed2fb

SHA512
7fa230fc0a0af1f37062d99ae751648105d584a70d28bda94fb9e106a3ad6928d6aeacd4a396e0261020400c798860a4524d1a828ad5ccce37e4d7eb07be6da6

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
bda4dc21725822f65180edc197608c27

SHA1
4f328255dea3c7f684ebc7d40c290db80ebd8dbf

SHA256
090cc4f13c071c113bcb676dc32a64a34f2764897b3fa6a655aab95a535cdd2c

SHA512
2d0ce69a2c0f80548b5d7f61466abbf4d52605b925f4c21e2f5ee7d1fca57a15328797662868bdec8a11c4bdc045e30d0b89dc29ef0cdfefbb68539d338af7a5

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
291a361c1fa13ffb742406a1ec3498cf

SHA1
2a6ff26951d925431461205afac854afb94f36e8

SHA256
71f292068910fc3bc7fd4a254c99804f96de1264209a93f4aab21bce47dd7694

SHA512
2e7d9474246219e261e569214e8a209413e01c061668a1e29fb98124fb6259185fa115127843ad0e154e24f1f61cdac212341f7a03dc9a1c9fa0fe14d1114dbb

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
7fce3f923d366d3c910e547c1ff76ac8

SHA1
8388da585575263bf91a061a44ced2f65fc5e2ea

SHA256
2bd0083ad4b4c7e94d6968ab7d97247307a29f761adb86d0e7e80a66620f3cd7

SHA512
dba463a75b990ddb85b8ea56caecac7ecbf102a88e2be233f34dc9486a347a666919525a5280b4e11fc4b08567476c9bdccd72ba1661f96281859e910ccf0177

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
7fce3f923d366d3c910e547c1ff76ac8

SHA1
8388da585575263bf91a061a44ced2f65fc5e2ea

SHA256
2bd0083ad4b4c7e94d6968ab7d97247307a29f761adb86d0e7e80a66620f3cd7

SHA512
dba463a75b990ddb85b8ea56caecac7ecbf102a88e2be233f34dc9486a347a666919525a5280b4e11fc4b08567476c9bdccd72ba1661f96281859e910ccf0177

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
62c00539abcf6dbef54ec8ec5dd513c0

SHA1
db684f40b9e726a73e773e26fa057d912f63e1a2

SHA256
ced576c98c18ab5ea009cefed11acc047a92da785aef5422f7f3c35d2f167c7b

SHA512
a193ae5e8309ea32023a1487b65e842c15699efd2a50c4bac853dcd28c479ea0b7093f377404b8a7eb36ee4c142353182f926ee03d9d521dd644fd1dad650e6d

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
62c00539abcf6dbef54ec8ec5dd513c0

SHA1
db684f40b9e726a73e773e26fa057d912f63e1a2

SHA256
ced576c98c18ab5ea009cefed11acc047a92da785aef5422f7f3c35d2f167c7b

SHA512
a193ae5e8309ea32023a1487b65e842c15699efd2a50c4bac853dcd28c479ea0b7093f377404b8a7eb36ee4c142353182f926ee03d9d521dd644fd1dad650e6d

Download Submit
\Users\Admin\AppData\Local\Temp\nso9FAC.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso9FAC.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso9FAC.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso9FAC.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso9FAC.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
3309b66404fc30c47470abc690e7af6c

SHA1
73b349dd25a0aafaf5a9fe5f2c44e494ab45e7f7

SHA256
a54cf81417025a2202c1750c250f1155d1db8f8959cc4cfd55bbbf65c88ed2fb

SHA512
7fa230fc0a0af1f37062d99ae751648105d584a70d28bda94fb9e106a3ad6928d6aeacd4a396e0261020400c798860a4524d1a828ad5ccce37e4d7eb07be6da6

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
3309b66404fc30c47470abc690e7af6c

SHA1
73b349dd25a0aafaf5a9fe5f2c44e494ab45e7f7

SHA256
a54cf81417025a2202c1750c250f1155d1db8f8959cc4cfd55bbbf65c88ed2fb

SHA512
7fa230fc0a0af1f37062d99ae751648105d584a70d28bda94fb9e106a3ad6928d6aeacd4a396e0261020400c798860a4524d1a828ad5ccce37e4d7eb07be6da6

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
3309b66404fc30c47470abc690e7af6c

SHA1
73b349dd25a0aafaf5a9fe5f2c44e494ab45e7f7

SHA256
a54cf81417025a2202c1750c250f1155d1db8f8959cc4cfd55bbbf65c88ed2fb

SHA512
7fa230fc0a0af1f37062d99ae751648105d584a70d28bda94fb9e106a3ad6928d6aeacd4a396e0261020400c798860a4524d1a828ad5ccce37e4d7eb07be6da6

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
bda4dc21725822f65180edc197608c27

SHA1
4f328255dea3c7f684ebc7d40c290db80ebd8dbf

SHA256
090cc4f13c071c113bcb676dc32a64a34f2764897b3fa6a655aab95a535cdd2c

SHA512
2d0ce69a2c0f80548b5d7f61466abbf4d52605b925f4c21e2f5ee7d1fca57a15328797662868bdec8a11c4bdc045e30d0b89dc29ef0cdfefbb68539d338af7a5

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
bda4dc21725822f65180edc197608c27

SHA1
4f328255dea3c7f684ebc7d40c290db80ebd8dbf

SHA256
090cc4f13c071c113bcb676dc32a64a34f2764897b3fa6a655aab95a535cdd2c

SHA512
2d0ce69a2c0f80548b5d7f61466abbf4d52605b925f4c21e2f5ee7d1fca57a15328797662868bdec8a11c4bdc045e30d0b89dc29ef0cdfefbb68539d338af7a5

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
291a361c1fa13ffb742406a1ec3498cf

SHA1
2a6ff26951d925431461205afac854afb94f36e8

SHA256
71f292068910fc3bc7fd4a254c99804f96de1264209a93f4aab21bce47dd7694

SHA512
2e7d9474246219e261e569214e8a209413e01c061668a1e29fb98124fb6259185fa115127843ad0e154e24f1f61cdac212341f7a03dc9a1c9fa0fe14d1114dbb

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
7fce3f923d366d3c910e547c1ff76ac8

SHA1
8388da585575263bf91a061a44ced2f65fc5e2ea

SHA256
2bd0083ad4b4c7e94d6968ab7d97247307a29f761adb86d0e7e80a66620f3cd7

SHA512
dba463a75b990ddb85b8ea56caecac7ecbf102a88e2be233f34dc9486a347a666919525a5280b4e11fc4b08567476c9bdccd72ba1661f96281859e910ccf0177

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
62c00539abcf6dbef54ec8ec5dd513c0

SHA1
db684f40b9e726a73e773e26fa057d912f63e1a2

SHA256
ced576c98c18ab5ea009cefed11acc047a92da785aef5422f7f3c35d2f167c7b

SHA512
a193ae5e8309ea32023a1487b65e842c15699efd2a50c4bac853dcd28c479ea0b7093f377404b8a7eb36ee4c142353182f926ee03d9d521dd644fd1dad650e6d

Download Submit
memory/280-81-0x0000000000000000-mapping.dmp

Download
memory/576-59-0x0000000000000000-mapping.dmp

Download
memory/848-87-0x0000000000000000-mapping.dmp

Download
memory/904-64-0x0000000000000000-mapping.dmp

Download
memory/936-77-0x0000000000000000-mapping.dmp

Download
memory/980-57-0x0000000000000000-mapping.dmp

Download
memory/1256-88-0x0000000000000000-mapping.dmp

Download
memory/1508-61-0x0000000000000000-mapping.dmp

Download
memory/1524-82-0x0000000000000000-mapping.dmp

Download
memory/1940-62-0x0000000000000000-mapping.dmp

Download
memory/1952-71-0x0000000000000000-mapping.dmp

Download
memory/2016-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2016-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/2016-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2016-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads