74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948

Analysis

max time kernel
62s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
Size

603KB
MD5

5a06214bf5acb5a31e5c5e1438ee292a
SHA1

7caae8ae7ccba4d18b2dbc19a9426c12b25ab7d6
SHA256

74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948
SHA512

602f612a03fc75cddb0709bbf4ccb6067dff183328d792179e7d136ee09955b920d284f135b7783ab3c32e732631447bf464bcbcc75615f16d691d391ac7efb1
SSDEEP

12288:EIny5DYTmIUmpuqA6y5A2Es/mWLU9jHkTlW9+j3q9odUzKD1b:iUTmfmpXTkFAxE3t+mD9

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

568 installd.exe
1968 nethtsrv.exe
1332 netupdsrv.exe
1812 nethtsrv.exe
1048 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe

pid	process
568	installd.exe
1968	nethtsrv.exe
1332	netupdsrv.exe
1812	nethtsrv.exe
1048	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
568	installd.exe
1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
1968	nethtsrv.exe
1968	nethtsrv.exe
1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
1812	nethtsrv.exe
1812	nethtsrv.exe
1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
File created	C:\Windows\SysWOW64\installd.exe	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe

Drops file in Program Files directory 3 IoCs

Processes:

74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1812 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1812	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1748 wrote to memory of 952	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 952	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 952	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 952	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 952 wrote to memory of 1788	952	net.exe	net1.exe
PID 952 wrote to memory of 1788	952	net.exe	net1.exe
PID 952 wrote to memory of 1788	952	net.exe	net1.exe
PID 952 wrote to memory of 1788	952	net.exe	net1.exe
PID 1748 wrote to memory of 1456	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1456	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1456	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1456	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1456 wrote to memory of 524	1456	net.exe	net1.exe
PID 1456 wrote to memory of 524	1456	net.exe	net1.exe
PID 1456 wrote to memory of 524	1456	net.exe	net1.exe
PID 1456 wrote to memory of 524	1456	net.exe	net1.exe
PID 1748 wrote to memory of 568	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	installd.exe
PID 1748 wrote to memory of 568	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	installd.exe
PID 1748 wrote to memory of 568	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	installd.exe
PID 1748 wrote to memory of 568	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	installd.exe
PID 1748 wrote to memory of 568	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	installd.exe
PID 1748 wrote to memory of 568	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	installd.exe
PID 1748 wrote to memory of 568	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	installd.exe
PID 1748 wrote to memory of 1968	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	nethtsrv.exe
PID 1748 wrote to memory of 1968	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	nethtsrv.exe
PID 1748 wrote to memory of 1968	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	nethtsrv.exe
PID 1748 wrote to memory of 1968	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	nethtsrv.exe
PID 1748 wrote to memory of 1332	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	netupdsrv.exe
PID 1748 wrote to memory of 1332	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	netupdsrv.exe
PID 1748 wrote to memory of 1332	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	netupdsrv.exe
PID 1748 wrote to memory of 1332	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	netupdsrv.exe
PID 1748 wrote to memory of 1332	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	netupdsrv.exe
PID 1748 wrote to memory of 1332	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	netupdsrv.exe
PID 1748 wrote to memory of 1332	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	netupdsrv.exe
PID 1748 wrote to memory of 1036	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1036	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1036	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1036	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1036 wrote to memory of 1528	1036	net.exe	net1.exe
PID 1036 wrote to memory of 1528	1036	net.exe	net1.exe
PID 1036 wrote to memory of 1528	1036	net.exe	net1.exe
PID 1036 wrote to memory of 1528	1036	net.exe	net1.exe
PID 1748 wrote to memory of 1068	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1068	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1068	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1748 wrote to memory of 1068	1748	74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe	net.exe
PID 1068 wrote to memory of 1828	1068	net.exe	net1.exe
PID 1068 wrote to memory of 1828	1068	net.exe	net1.exe
PID 1068 wrote to memory of 1828	1068	net.exe	net1.exe
PID 1068 wrote to memory of 1828	1068	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe
"C:\Users\Admin\AppData\Local\Temp\74697c576baba097185c2c9d98da6809a63ee9520167ebb16a52ca787d4d3948.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:952

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1788

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1456

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:524

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1332

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1036

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1528

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1828

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1812

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1048

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f19a24cc9041cf29e2022c1ce5850978

SHA1
71932b1b5c1557e530e26a2c10131cc83177b6f5

SHA256
4fe3e73d26df81195083cfe5f3c59d847c660f43b09dfcf860e590f4bf3fa461

SHA512
2ef8ef92d165e80ee33157ec8a9b4addfbcb3dc1f29993415df1cb3a2ea2e3d08c935dce4a9fe4744541ddb94a624e77fb5388074e6aca7cdc2e6c0da883e2ab

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
999896a18bb5aa6077827b5f220f31c6

SHA1
d23857cb3539bf940a374fa499a93b8321c855c9

SHA256
08dc6871f11fc82f5b9394a499038f828c16c50eb13863220740ec440f946070

SHA512
b2673a8f825c5cc75d02aebc9669260175d6e9ff5c46938302914a61a7fb4c5512ad526c1ce228e08bb30c254599a5892acee9da2a2c62de629fe42c4d92fde3

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
d960c0749858712dfcca7d18a868c29d

SHA1
38cd4473fdb87c587c5bfcd7d50f25174f51fb7c

SHA256
eda323c3f3ec6f01df19848f4fcb248d7ffc19bb2f40692420e3482f7cfc2047

SHA512
c945cfd3bdfb04bbd837740c21cf1efb9f978aa0600b6f4b3d85fef0906e25fe09610d7408d06f3c0e5e4d69f20e5074c66a138a62201ee811d49402d23841ef

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9947733db1c709c580462e7f69fceae5

SHA1
3e4835d5da817bbc1ad0e2310b1425c6ef7df2ac

SHA256
0b76fdd4770badf39f1201aa789cd91b7a468698099a7dd27dc62d34674502d5

SHA512
3dd50b828be736b63bf2136bf25c9710f41a21270afb6fb65d07657cf6c26e6c29de5b4bbdea35f2caeff66043c486d1912ac87d7b93b63879b15d90bdcf1211

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9947733db1c709c580462e7f69fceae5

SHA1
3e4835d5da817bbc1ad0e2310b1425c6ef7df2ac

SHA256
0b76fdd4770badf39f1201aa789cd91b7a468698099a7dd27dc62d34674502d5

SHA512
3dd50b828be736b63bf2136bf25c9710f41a21270afb6fb65d07657cf6c26e6c29de5b4bbdea35f2caeff66043c486d1912ac87d7b93b63879b15d90bdcf1211

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
a8e636e94fdabd48faab6eb148a0d950

SHA1
6402c71957b283cdf6bfb8f30d8d9f5fdd7834ed

SHA256
0b7a85abc02b9b50cdc08b07fae16645ed996990c57e30909cace92ffc136871

SHA512
58b92ebbca6bc40839b4a6c82c9d28ccb367348481078aa214a7d4dcb908cc45bd6c6cf2b2604b023f3a92543e1e54c32ca79829970fb1757d746ed1061b1059

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
a8e636e94fdabd48faab6eb148a0d950

SHA1
6402c71957b283cdf6bfb8f30d8d9f5fdd7834ed

SHA256
0b7a85abc02b9b50cdc08b07fae16645ed996990c57e30909cace92ffc136871

SHA512
58b92ebbca6bc40839b4a6c82c9d28ccb367348481078aa214a7d4dcb908cc45bd6c6cf2b2604b023f3a92543e1e54c32ca79829970fb1757d746ed1061b1059

Download Submit
\Users\Admin\AppData\Local\Temp\nseA586.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseA586.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseA586.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseA586.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseA586.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f19a24cc9041cf29e2022c1ce5850978

SHA1
71932b1b5c1557e530e26a2c10131cc83177b6f5

SHA256
4fe3e73d26df81195083cfe5f3c59d847c660f43b09dfcf860e590f4bf3fa461

SHA512
2ef8ef92d165e80ee33157ec8a9b4addfbcb3dc1f29993415df1cb3a2ea2e3d08c935dce4a9fe4744541ddb94a624e77fb5388074e6aca7cdc2e6c0da883e2ab

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f19a24cc9041cf29e2022c1ce5850978

SHA1
71932b1b5c1557e530e26a2c10131cc83177b6f5

SHA256
4fe3e73d26df81195083cfe5f3c59d847c660f43b09dfcf860e590f4bf3fa461

SHA512
2ef8ef92d165e80ee33157ec8a9b4addfbcb3dc1f29993415df1cb3a2ea2e3d08c935dce4a9fe4744541ddb94a624e77fb5388074e6aca7cdc2e6c0da883e2ab

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f19a24cc9041cf29e2022c1ce5850978

SHA1
71932b1b5c1557e530e26a2c10131cc83177b6f5

SHA256
4fe3e73d26df81195083cfe5f3c59d847c660f43b09dfcf860e590f4bf3fa461

SHA512
2ef8ef92d165e80ee33157ec8a9b4addfbcb3dc1f29993415df1cb3a2ea2e3d08c935dce4a9fe4744541ddb94a624e77fb5388074e6aca7cdc2e6c0da883e2ab

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
999896a18bb5aa6077827b5f220f31c6

SHA1
d23857cb3539bf940a374fa499a93b8321c855c9

SHA256
08dc6871f11fc82f5b9394a499038f828c16c50eb13863220740ec440f946070

SHA512
b2673a8f825c5cc75d02aebc9669260175d6e9ff5c46938302914a61a7fb4c5512ad526c1ce228e08bb30c254599a5892acee9da2a2c62de629fe42c4d92fde3

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
999896a18bb5aa6077827b5f220f31c6

SHA1
d23857cb3539bf940a374fa499a93b8321c855c9

SHA256
08dc6871f11fc82f5b9394a499038f828c16c50eb13863220740ec440f946070

SHA512
b2673a8f825c5cc75d02aebc9669260175d6e9ff5c46938302914a61a7fb4c5512ad526c1ce228e08bb30c254599a5892acee9da2a2c62de629fe42c4d92fde3

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
d960c0749858712dfcca7d18a868c29d

SHA1
38cd4473fdb87c587c5bfcd7d50f25174f51fb7c

SHA256
eda323c3f3ec6f01df19848f4fcb248d7ffc19bb2f40692420e3482f7cfc2047

SHA512
c945cfd3bdfb04bbd837740c21cf1efb9f978aa0600b6f4b3d85fef0906e25fe09610d7408d06f3c0e5e4d69f20e5074c66a138a62201ee811d49402d23841ef

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9947733db1c709c580462e7f69fceae5

SHA1
3e4835d5da817bbc1ad0e2310b1425c6ef7df2ac

SHA256
0b76fdd4770badf39f1201aa789cd91b7a468698099a7dd27dc62d34674502d5

SHA512
3dd50b828be736b63bf2136bf25c9710f41a21270afb6fb65d07657cf6c26e6c29de5b4bbdea35f2caeff66043c486d1912ac87d7b93b63879b15d90bdcf1211

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
a8e636e94fdabd48faab6eb148a0d950

SHA1
6402c71957b283cdf6bfb8f30d8d9f5fdd7834ed

SHA256
0b7a85abc02b9b50cdc08b07fae16645ed996990c57e30909cace92ffc136871

SHA512
58b92ebbca6bc40839b4a6c82c9d28ccb367348481078aa214a7d4dcb908cc45bd6c6cf2b2604b023f3a92543e1e54c32ca79829970fb1757d746ed1061b1059

Download Submit
memory/524-62-0x0000000000000000-mapping.dmp

Download
memory/568-64-0x0000000000000000-mapping.dmp

Download
memory/952-58-0x0000000000000000-mapping.dmp

Download
memory/1036-81-0x0000000000000000-mapping.dmp

Download
memory/1068-87-0x0000000000000000-mapping.dmp

Download
memory/1332-77-0x0000000000000000-mapping.dmp

Download
memory/1456-61-0x0000000000000000-mapping.dmp

Download
memory/1528-82-0x0000000000000000-mapping.dmp

Download
memory/1748-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1748-54-0x0000000075631000-0x0000000075633000-memory.dmp

Filesize
8KB

Download
memory/1748-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1748-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1788-59-0x0000000000000000-mapping.dmp

Download
memory/1828-88-0x0000000000000000-mapping.dmp

Download
memory/1968-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads