9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5

Analysis

max time kernel
49s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
Size

601KB
MD5

f7e9c115da662f005f661c35bf5d1167
SHA1

4bddc12887f245e053cabe67169dbb2212b49571
SHA256

9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5
SHA512

9e213f6e28bd3549b5a8fe5d23c1e226269372caf11c8436672cad29c5e1e28514cee9fecdbd6befc333ea7ca2e9504988378807411fb18a43b4c0f53ee4a5b0
SSDEEP

12288:/Iny5DYTt32baDKoEf7rQ22tzMBeUFKpUcS1P:nUTt32Fe229MBBVP

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1436 installd.exe
1160 nethtsrv.exe
2000 netupdsrv.exe
1728 nethtsrv.exe
2024 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe

pid	process
1436	installd.exe
1160	nethtsrv.exe
2000	netupdsrv.exe
1728	nethtsrv.exe
2024	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
1436	installd.exe
892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
1160	nethtsrv.exe
1160	nethtsrv.exe
892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
1728	nethtsrv.exe
1728	nethtsrv.exe
892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
File created	C:\Windows\SysWOW64\installd.exe	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe

Drops file in Program Files directory 3 IoCs

Processes:

9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1728 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1728	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 892 wrote to memory of 1476	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1476	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1476	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1476	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 1476 wrote to memory of 268	1476	net.exe	net1.exe
PID 1476 wrote to memory of 268	1476	net.exe	net1.exe
PID 1476 wrote to memory of 268	1476	net.exe	net1.exe
PID 1476 wrote to memory of 268	1476	net.exe	net1.exe
PID 892 wrote to memory of 1652	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1652	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1652	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1652	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 1652 wrote to memory of 828	1652	net.exe	net1.exe
PID 1652 wrote to memory of 828	1652	net.exe	net1.exe
PID 1652 wrote to memory of 828	1652	net.exe	net1.exe
PID 1652 wrote to memory of 828	1652	net.exe	net1.exe
PID 892 wrote to memory of 1436	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	installd.exe
PID 892 wrote to memory of 1436	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	installd.exe
PID 892 wrote to memory of 1436	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	installd.exe
PID 892 wrote to memory of 1436	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	installd.exe
PID 892 wrote to memory of 1436	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	installd.exe
PID 892 wrote to memory of 1436	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	installd.exe
PID 892 wrote to memory of 1436	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	installd.exe
PID 892 wrote to memory of 1160	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	nethtsrv.exe
PID 892 wrote to memory of 1160	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	nethtsrv.exe
PID 892 wrote to memory of 1160	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	nethtsrv.exe
PID 892 wrote to memory of 1160	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	nethtsrv.exe
PID 892 wrote to memory of 2000	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	netupdsrv.exe
PID 892 wrote to memory of 2000	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	netupdsrv.exe
PID 892 wrote to memory of 2000	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	netupdsrv.exe
PID 892 wrote to memory of 2000	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	netupdsrv.exe
PID 892 wrote to memory of 2000	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	netupdsrv.exe
PID 892 wrote to memory of 2000	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	netupdsrv.exe
PID 892 wrote to memory of 2000	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	netupdsrv.exe
PID 892 wrote to memory of 1496	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1496	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1496	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 1496	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 1496 wrote to memory of 1532	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1532	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1532	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1532	1496	net.exe	net1.exe
PID 892 wrote to memory of 888	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 888	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 888	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 892 wrote to memory of 888	892	9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe	net.exe
PID 888 wrote to memory of 2040	888	net.exe	net1.exe
PID 888 wrote to memory of 2040	888	net.exe	net1.exe
PID 888 wrote to memory of 2040	888	net.exe	net1.exe
PID 888 wrote to memory of 2040	888	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe
"C:\Users\Admin\AppData\Local\Temp\9121db95aa838c57e6a6029732a59d4af12bdad5b753d28337b31e8a750dd6d5.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1476

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:268

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:828

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:2000

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1532

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:2040

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1728

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:2024

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
5844b8247755d1238915a67ab072eb32

SHA1
6700b47281b470943083f22eea9a67b09ed92122

SHA256
fa08c0f98a834ca0a006adec02107c7f1298a6ca69501e90792b7686b80354b7

SHA512
806ac9504a555db2ef03be1bdd8774ea6d0beaf0d8245b72c8106585f77e0970a421911d8b72c804a61fd775c0aa96b28395d932ba1dcc9ea74f71e79e6bf553

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
eccb01c5e8d2bd94cf101987e2095dc5

SHA1
bde656dd20b02d94a19765f19b1242cb9698b0ce

SHA256
ca6974a73a2443d10b4cfc7c45f1f95a70ce43a8654d54fdda073cde0cc6b23c

SHA512
20bcaaee6745affb3d57466c57219c1b581ab827b4820f65601906b46e61a3ffaa06072fb69cfb5268cc1e172bc2106b3fc25f2e2c583c79243c40fabb54e66a

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a5b89d670229ff84439f6b43ce1848a3

SHA1
f9b3669238ebb1609c566af6af1e3c8dd7691566

SHA256
f4ec67a108f0205884078fa5e2e4d71f8436f91ee733a061082146c3cb307cfd

SHA512
badbbf40a831cf6eb19d8eb8b99960c990c59318a71e4cef10e8ac19d95f23a5193d3d3c3eae38bdf2ca9c2ed42016d785550536ce8cfa2c8de61f68c6d6f6fd

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
5de7b6c0bd0e68f43e80afdf24f0f1fb

SHA1
28403fc684d45fb00ee76e20929cb6be86ef1a3d

SHA256
ad730ba2c9692751417357ed4dd4847b9cb49d8eda840b8d5488136b5b34dccf

SHA512
5ad148706737b2bf5e73b9d374b2abd8a84a06bcddedbce975414caea0f60619656e34c7dcf520fb606a62f28508170ed284b3e7481efda33fdd8250b4189615

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
5de7b6c0bd0e68f43e80afdf24f0f1fb

SHA1
28403fc684d45fb00ee76e20929cb6be86ef1a3d

SHA256
ad730ba2c9692751417357ed4dd4847b9cb49d8eda840b8d5488136b5b34dccf

SHA512
5ad148706737b2bf5e73b9d374b2abd8a84a06bcddedbce975414caea0f60619656e34c7dcf520fb606a62f28508170ed284b3e7481efda33fdd8250b4189615

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
e871187057354fa945ea6b1768fdfcc3

SHA1
9f360132a14811925154f99fc63e13fd947c3762

SHA256
62e8fad0cfcaee3d8c9227257f5ea6204c0380159b9ee28dd54edba786c66e6a

SHA512
4ad52943aaccd4eb67939cb583d2e8e9acad0220fe3fb15ac3dd5f72554e31f607cb8c76f47567ff231ccb2238e084d1e63800b332b28539e4de5a375f53c2fb

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
e871187057354fa945ea6b1768fdfcc3

SHA1
9f360132a14811925154f99fc63e13fd947c3762

SHA256
62e8fad0cfcaee3d8c9227257f5ea6204c0380159b9ee28dd54edba786c66e6a

SHA512
4ad52943aaccd4eb67939cb583d2e8e9acad0220fe3fb15ac3dd5f72554e31f607cb8c76f47567ff231ccb2238e084d1e63800b332b28539e4de5a375f53c2fb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy81E.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsy81E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy81E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy81E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsy81E.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
5844b8247755d1238915a67ab072eb32

SHA1
6700b47281b470943083f22eea9a67b09ed92122

SHA256
fa08c0f98a834ca0a006adec02107c7f1298a6ca69501e90792b7686b80354b7

SHA512
806ac9504a555db2ef03be1bdd8774ea6d0beaf0d8245b72c8106585f77e0970a421911d8b72c804a61fd775c0aa96b28395d932ba1dcc9ea74f71e79e6bf553

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
5844b8247755d1238915a67ab072eb32

SHA1
6700b47281b470943083f22eea9a67b09ed92122

SHA256
fa08c0f98a834ca0a006adec02107c7f1298a6ca69501e90792b7686b80354b7

SHA512
806ac9504a555db2ef03be1bdd8774ea6d0beaf0d8245b72c8106585f77e0970a421911d8b72c804a61fd775c0aa96b28395d932ba1dcc9ea74f71e79e6bf553

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
5844b8247755d1238915a67ab072eb32

SHA1
6700b47281b470943083f22eea9a67b09ed92122

SHA256
fa08c0f98a834ca0a006adec02107c7f1298a6ca69501e90792b7686b80354b7

SHA512
806ac9504a555db2ef03be1bdd8774ea6d0beaf0d8245b72c8106585f77e0970a421911d8b72c804a61fd775c0aa96b28395d932ba1dcc9ea74f71e79e6bf553

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
eccb01c5e8d2bd94cf101987e2095dc5

SHA1
bde656dd20b02d94a19765f19b1242cb9698b0ce

SHA256
ca6974a73a2443d10b4cfc7c45f1f95a70ce43a8654d54fdda073cde0cc6b23c

SHA512
20bcaaee6745affb3d57466c57219c1b581ab827b4820f65601906b46e61a3ffaa06072fb69cfb5268cc1e172bc2106b3fc25f2e2c583c79243c40fabb54e66a

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
eccb01c5e8d2bd94cf101987e2095dc5

SHA1
bde656dd20b02d94a19765f19b1242cb9698b0ce

SHA256
ca6974a73a2443d10b4cfc7c45f1f95a70ce43a8654d54fdda073cde0cc6b23c

SHA512
20bcaaee6745affb3d57466c57219c1b581ab827b4820f65601906b46e61a3ffaa06072fb69cfb5268cc1e172bc2106b3fc25f2e2c583c79243c40fabb54e66a

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a5b89d670229ff84439f6b43ce1848a3

SHA1
f9b3669238ebb1609c566af6af1e3c8dd7691566

SHA256
f4ec67a108f0205884078fa5e2e4d71f8436f91ee733a061082146c3cb307cfd

SHA512
badbbf40a831cf6eb19d8eb8b99960c990c59318a71e4cef10e8ac19d95f23a5193d3d3c3eae38bdf2ca9c2ed42016d785550536ce8cfa2c8de61f68c6d6f6fd

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
5de7b6c0bd0e68f43e80afdf24f0f1fb

SHA1
28403fc684d45fb00ee76e20929cb6be86ef1a3d

SHA256
ad730ba2c9692751417357ed4dd4847b9cb49d8eda840b8d5488136b5b34dccf

SHA512
5ad148706737b2bf5e73b9d374b2abd8a84a06bcddedbce975414caea0f60619656e34c7dcf520fb606a62f28508170ed284b3e7481efda33fdd8250b4189615

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
e871187057354fa945ea6b1768fdfcc3

SHA1
9f360132a14811925154f99fc63e13fd947c3762

SHA256
62e8fad0cfcaee3d8c9227257f5ea6204c0380159b9ee28dd54edba786c66e6a

SHA512
4ad52943aaccd4eb67939cb583d2e8e9acad0220fe3fb15ac3dd5f72554e31f607cb8c76f47567ff231ccb2238e084d1e63800b332b28539e4de5a375f53c2fb

Download Submit
memory/268-59-0x0000000000000000-mapping.dmp

Download
memory/828-62-0x0000000000000000-mapping.dmp

Download
memory/888-87-0x0000000000000000-mapping.dmp

Download
memory/892-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/892-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/892-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/892-85-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1160-70-0x0000000000000000-mapping.dmp

Download
memory/1436-64-0x0000000000000000-mapping.dmp

Download
memory/1476-58-0x0000000000000000-mapping.dmp

Download
memory/1496-80-0x0000000000000000-mapping.dmp

Download
memory/1532-81-0x0000000000000000-mapping.dmp

Download
memory/1652-61-0x0000000000000000-mapping.dmp

Download
memory/2000-76-0x0000000000000000-mapping.dmp

Download
memory/2040-88-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads