7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
Size

601KB
MD5

2652c0362618e778a447d80854f46dd2
SHA1

66ce5eaac08bc69805829109b2bb4243a8c2aeb2
SHA256

7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946
SHA512

4c636bf862096f0f31591159318944b884ba922d6a7df299ab9044be22ae0a27f0b8e12eeaf28aa52e183e0e40b93ebabcbc0932dd224e7787ad7f84421a83f3
SSDEEP

12288:eIny5DYT44k7ghiFUZlpEC2O+LQXI3HAr/WS/Fc:AUT44qghPZl5yLK/zFc

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1548 installd.exe
1660 nethtsrv.exe
1712 netupdsrv.exe
792 nethtsrv.exe
1364 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe

pid	process
1548	installd.exe
1660	nethtsrv.exe
1712	netupdsrv.exe
792	nethtsrv.exe
1364	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
1548	installd.exe
1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
1660	nethtsrv.exe
1660	nethtsrv.exe
1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
792	nethtsrv.exe
792	nethtsrv.exe
1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfpapi.dll	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
File created	C:\Windows\SysWOW64\installd.exe	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe

Drops file in Program Files directory 3 IoCs

Processes:

7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 792 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	792	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1652 wrote to memory of 2028	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 2028	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 2028	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 2028	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 2028 wrote to memory of 960	2028	net.exe	net1.exe
PID 2028 wrote to memory of 960	2028	net.exe	net1.exe
PID 2028 wrote to memory of 960	2028	net.exe	net1.exe
PID 2028 wrote to memory of 960	2028	net.exe	net1.exe
PID 1652 wrote to memory of 1584	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 1584	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 1584	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 1584	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1584 wrote to memory of 1252	1584	net.exe	net1.exe
PID 1584 wrote to memory of 1252	1584	net.exe	net1.exe
PID 1584 wrote to memory of 1252	1584	net.exe	net1.exe
PID 1584 wrote to memory of 1252	1584	net.exe	net1.exe
PID 1652 wrote to memory of 1548	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	installd.exe
PID 1652 wrote to memory of 1548	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	installd.exe
PID 1652 wrote to memory of 1548	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	installd.exe
PID 1652 wrote to memory of 1548	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	installd.exe
PID 1652 wrote to memory of 1548	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	installd.exe
PID 1652 wrote to memory of 1548	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	installd.exe
PID 1652 wrote to memory of 1548	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	installd.exe
PID 1652 wrote to memory of 1660	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	nethtsrv.exe
PID 1652 wrote to memory of 1660	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	nethtsrv.exe
PID 1652 wrote to memory of 1660	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	nethtsrv.exe
PID 1652 wrote to memory of 1660	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	nethtsrv.exe
PID 1652 wrote to memory of 1712	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	netupdsrv.exe
PID 1652 wrote to memory of 1712	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	netupdsrv.exe
PID 1652 wrote to memory of 1712	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	netupdsrv.exe
PID 1652 wrote to memory of 1712	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	netupdsrv.exe
PID 1652 wrote to memory of 1712	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	netupdsrv.exe
PID 1652 wrote to memory of 1712	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	netupdsrv.exe
PID 1652 wrote to memory of 1712	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	netupdsrv.exe
PID 1652 wrote to memory of 1204	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 1204	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 1204	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 1204	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1204 wrote to memory of 1196	1204	net.exe	net1.exe
PID 1204 wrote to memory of 1196	1204	net.exe	net1.exe
PID 1204 wrote to memory of 1196	1204	net.exe	net1.exe
PID 1204 wrote to memory of 1196	1204	net.exe	net1.exe
PID 1652 wrote to memory of 888	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 888	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 888	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 1652 wrote to memory of 888	1652	7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe	net.exe
PID 888 wrote to memory of 1656	888	net.exe	net1.exe
PID 888 wrote to memory of 1656	888	net.exe	net1.exe
PID 888 wrote to memory of 1656	888	net.exe	net1.exe
PID 888 wrote to memory of 1656	888	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe
"C:\Users\Admin\AppData\Local\Temp\7cf8c532153b7d4339f07f4ad65f837b6d86511e5d5355c2e410baec2a0c9946.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:960

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1252

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1196

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:888

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1656

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1364

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
7b078d2bf9811105ba0e6777008d6c95

SHA1
74eb3da7a7f8168267e774d726d5792434907bbd

SHA256
6a547af1f73eac53447878b64fe75377215191c86c1a5781809fbb658027d77e

SHA512
bea14abd9c3cc373eaafb8c803587e4ae0df84d3333ae2945d1a4913f2a16243b1cc6e2eca6e98ad9ea44f5c0a8432cd2590aa9523dc9b76ec41de34d56a7a1b

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
a3d42e9dd4784a71bec75f41a928b555

SHA1
9b93d163968829559f6db16837be699de0d2775c

SHA256
9a5cea1039ff79a01722a04de6c01e3d42610cadfcc1efb237643d59a6c8827e

SHA512
fb08e52f2fefacd247e2bcc34c75d16a5f2d8f51bf8e4877748e750fae988214c63e62c424faa1e1f7e762ad00f737c8c799109766e93d1111ce7763c8f3f8b4

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
cc574be6856093d0a862103158e2ba36

SHA1
6337c67b95de1f9cd67aa7cd6765fc96340a336e

SHA256
5e9ada9b45015ffd0261ad7f826a67bfb52c8058f08672a32db80b9350342ee2

SHA512
c5cccd9b9937ac08d8e08cef05b5356700fa5549c3be14752153b265dbdefc5a65402bfff1b2e2ebdc74a186ca5e0ccaa71c36efdfa98bf9aee71d6ce6fe3766

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
90982dd0d4846209433cb10de7ea47b3

SHA1
dc160d6ac042fa3ed4c9c46358eaf3c23806d593

SHA256
add277bf08bd4b9f0573b18f1bca217693171ea8ebc7025b4d07feec04c815cf

SHA512
9340064e6d9aeab4061576959d740bf91d8557e7eeefb9a77d3c476b311e6b3d80d0324518bf30950127bb7422f3bb3652684e81b48f5d82273e9ffdf88c6cb9

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
90982dd0d4846209433cb10de7ea47b3

SHA1
dc160d6ac042fa3ed4c9c46358eaf3c23806d593

SHA256
add277bf08bd4b9f0573b18f1bca217693171ea8ebc7025b4d07feec04c815cf

SHA512
9340064e6d9aeab4061576959d740bf91d8557e7eeefb9a77d3c476b311e6b3d80d0324518bf30950127bb7422f3bb3652684e81b48f5d82273e9ffdf88c6cb9

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
0118ad1f4e4e66ac159925e411f897aa

SHA1
98444b33a6ec3c1c9b53b50cc2d996f54877ac5c

SHA256
6bf753fa9ee004ede09a7202decee59dd328ee62d7c2d0a89d3d66ad473dbed2

SHA512
ed5414adb10907b44df22e9f7a3fdd19ee8151d1f8774dfdd96208d5484cb3d34e95419d0be44ecbc31565de469dbbbb24c29ac751f3b1b3db169d7345a66055

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
0118ad1f4e4e66ac159925e411f897aa

SHA1
98444b33a6ec3c1c9b53b50cc2d996f54877ac5c

SHA256
6bf753fa9ee004ede09a7202decee59dd328ee62d7c2d0a89d3d66ad473dbed2

SHA512
ed5414adb10907b44df22e9f7a3fdd19ee8151d1f8774dfdd96208d5484cb3d34e95419d0be44ecbc31565de469dbbbb24c29ac751f3b1b3db169d7345a66055

Download Submit
\Users\Admin\AppData\Local\Temp\nstF04B.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstF04B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstF04B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstF04B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstF04B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
7b078d2bf9811105ba0e6777008d6c95

SHA1
74eb3da7a7f8168267e774d726d5792434907bbd

SHA256
6a547af1f73eac53447878b64fe75377215191c86c1a5781809fbb658027d77e

SHA512
bea14abd9c3cc373eaafb8c803587e4ae0df84d3333ae2945d1a4913f2a16243b1cc6e2eca6e98ad9ea44f5c0a8432cd2590aa9523dc9b76ec41de34d56a7a1b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
7b078d2bf9811105ba0e6777008d6c95

SHA1
74eb3da7a7f8168267e774d726d5792434907bbd

SHA256
6a547af1f73eac53447878b64fe75377215191c86c1a5781809fbb658027d77e

SHA512
bea14abd9c3cc373eaafb8c803587e4ae0df84d3333ae2945d1a4913f2a16243b1cc6e2eca6e98ad9ea44f5c0a8432cd2590aa9523dc9b76ec41de34d56a7a1b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
7b078d2bf9811105ba0e6777008d6c95

SHA1
74eb3da7a7f8168267e774d726d5792434907bbd

SHA256
6a547af1f73eac53447878b64fe75377215191c86c1a5781809fbb658027d77e

SHA512
bea14abd9c3cc373eaafb8c803587e4ae0df84d3333ae2945d1a4913f2a16243b1cc6e2eca6e98ad9ea44f5c0a8432cd2590aa9523dc9b76ec41de34d56a7a1b

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
a3d42e9dd4784a71bec75f41a928b555

SHA1
9b93d163968829559f6db16837be699de0d2775c

SHA256
9a5cea1039ff79a01722a04de6c01e3d42610cadfcc1efb237643d59a6c8827e

SHA512
fb08e52f2fefacd247e2bcc34c75d16a5f2d8f51bf8e4877748e750fae988214c63e62c424faa1e1f7e762ad00f737c8c799109766e93d1111ce7763c8f3f8b4

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
a3d42e9dd4784a71bec75f41a928b555

SHA1
9b93d163968829559f6db16837be699de0d2775c

SHA256
9a5cea1039ff79a01722a04de6c01e3d42610cadfcc1efb237643d59a6c8827e

SHA512
fb08e52f2fefacd247e2bcc34c75d16a5f2d8f51bf8e4877748e750fae988214c63e62c424faa1e1f7e762ad00f737c8c799109766e93d1111ce7763c8f3f8b4

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
cc574be6856093d0a862103158e2ba36

SHA1
6337c67b95de1f9cd67aa7cd6765fc96340a336e

SHA256
5e9ada9b45015ffd0261ad7f826a67bfb52c8058f08672a32db80b9350342ee2

SHA512
c5cccd9b9937ac08d8e08cef05b5356700fa5549c3be14752153b265dbdefc5a65402bfff1b2e2ebdc74a186ca5e0ccaa71c36efdfa98bf9aee71d6ce6fe3766

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
90982dd0d4846209433cb10de7ea47b3

SHA1
dc160d6ac042fa3ed4c9c46358eaf3c23806d593

SHA256
add277bf08bd4b9f0573b18f1bca217693171ea8ebc7025b4d07feec04c815cf

SHA512
9340064e6d9aeab4061576959d740bf91d8557e7eeefb9a77d3c476b311e6b3d80d0324518bf30950127bb7422f3bb3652684e81b48f5d82273e9ffdf88c6cb9

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
0118ad1f4e4e66ac159925e411f897aa

SHA1
98444b33a6ec3c1c9b53b50cc2d996f54877ac5c

SHA256
6bf753fa9ee004ede09a7202decee59dd328ee62d7c2d0a89d3d66ad473dbed2

SHA512
ed5414adb10907b44df22e9f7a3fdd19ee8151d1f8774dfdd96208d5484cb3d34e95419d0be44ecbc31565de469dbbbb24c29ac751f3b1b3db169d7345a66055

Download Submit
memory/888-87-0x0000000000000000-mapping.dmp

Download
memory/960-58-0x0000000000000000-mapping.dmp

Download
memory/1196-82-0x0000000000000000-mapping.dmp

Download
memory/1204-81-0x0000000000000000-mapping.dmp

Download
memory/1252-62-0x0000000000000000-mapping.dmp

Download
memory/1548-64-0x0000000000000000-mapping.dmp

Download
memory/1584-61-0x0000000000000000-mapping.dmp

Download
memory/1652-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1652-79-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1652-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1652-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1656-88-0x0000000000000000-mapping.dmp

Download
memory/1660-70-0x0000000000000000-mapping.dmp

Download
memory/1712-76-0x0000000000000000-mapping.dmp

Download
memory/2028-57-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads