486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
Size

603KB
MD5

41eaa1ec43372ad14f6afe5ee1e05b3c
SHA1

ed090a599a241d30381db932e0ee491d9b8c8f37
SHA256

486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd
SHA512

b6078c38be17487971b1f1fbe9efeb7e12b33580831e6467b47306237d46e900207a61910ecca0995c9e7d0c19e47f97d4a1a05cbef4b9de95bec7c0499c32ce
SSDEEP

12288:UIny5DYTmICKdnQXfWlU/cx5jzrJYExDl+bnH/4he7jqz52Q7I:SUTmJL8jHJYnh7uz5/

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1728 installd.exe
516 nethtsrv.exe
1788 netupdsrv.exe
1744 nethtsrv.exe
1684 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe

pid	process
1728	installd.exe
516	nethtsrv.exe
1788	netupdsrv.exe
1744	nethtsrv.exe
1684	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
1728	installd.exe
2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
516	nethtsrv.exe
516	nethtsrv.exe
2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
1744	nethtsrv.exe
1744	nethtsrv.exe
2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfpapi.dll	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
File created	C:\Windows\SysWOW64\installd.exe	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe

Drops file in Program Files directory 3 IoCs

Processes:

486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1744 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1744	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2032 wrote to memory of 828	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 828	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 828	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 828	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 828 wrote to memory of 2012	828	net.exe	net1.exe
PID 828 wrote to memory of 2012	828	net.exe	net1.exe
PID 828 wrote to memory of 2012	828	net.exe	net1.exe
PID 828 wrote to memory of 2012	828	net.exe	net1.exe
PID 2032 wrote to memory of 368	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 368	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 368	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 368	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 368 wrote to memory of 560	368	net.exe	net1.exe
PID 368 wrote to memory of 560	368	net.exe	net1.exe
PID 368 wrote to memory of 560	368	net.exe	net1.exe
PID 368 wrote to memory of 560	368	net.exe	net1.exe
PID 2032 wrote to memory of 1728	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	installd.exe
PID 2032 wrote to memory of 1728	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	installd.exe
PID 2032 wrote to memory of 1728	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	installd.exe
PID 2032 wrote to memory of 1728	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	installd.exe
PID 2032 wrote to memory of 1728	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	installd.exe
PID 2032 wrote to memory of 1728	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	installd.exe
PID 2032 wrote to memory of 1728	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	installd.exe
PID 2032 wrote to memory of 516	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	nethtsrv.exe
PID 2032 wrote to memory of 516	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	nethtsrv.exe
PID 2032 wrote to memory of 516	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	nethtsrv.exe
PID 2032 wrote to memory of 516	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	nethtsrv.exe
PID 2032 wrote to memory of 1788	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	netupdsrv.exe
PID 2032 wrote to memory of 1788	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	netupdsrv.exe
PID 2032 wrote to memory of 1788	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	netupdsrv.exe
PID 2032 wrote to memory of 1788	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	netupdsrv.exe
PID 2032 wrote to memory of 1788	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	netupdsrv.exe
PID 2032 wrote to memory of 1788	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	netupdsrv.exe
PID 2032 wrote to memory of 1788	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	netupdsrv.exe
PID 2032 wrote to memory of 1948	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 1948	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 1948	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 1948	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 1948 wrote to memory of 1956	1948	net.exe	net1.exe
PID 1948 wrote to memory of 1956	1948	net.exe	net1.exe
PID 1948 wrote to memory of 1956	1948	net.exe	net1.exe
PID 1948 wrote to memory of 1956	1948	net.exe	net1.exe
PID 2032 wrote to memory of 640	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 640	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 640	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 2032 wrote to memory of 640	2032	486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe	net.exe
PID 640 wrote to memory of 1392	640	net.exe	net1.exe
PID 640 wrote to memory of 1392	640	net.exe	net1.exe
PID 640 wrote to memory of 1392	640	net.exe	net1.exe
PID 640 wrote to memory of 1392	640	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe
"C:\Users\Admin\AppData\Local\Temp\486865cb5bda9342f24bcb30528b809775b6d3626da73e215b1ba5831dcbefdd.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:2012

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:560

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:516

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1788

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1956

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1392

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1684

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c2c6845917628708d58ca0b28e12ffc8

SHA1
f47e30f7c0f8cd632d1606a0c091c9bacd038659

SHA256
d37648d5c062f4f1ac1faae505b6a34f96f0bd530c3bd93240d04941b8dff3f3

SHA512
db433aa12acead1b51937fe0c074486aed18ba53ec53e6d3fea5603cc3b806c37f64e39f9f05b599ffe8a086b32ad7a140250b77a0cb7cdf9f96e4891a5a224b

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
1fa2ede282fd24bc50359445f06ba2ef

SHA1
758a4c6222d89042d89671c8df0c214ac201c5a3

SHA256
248866baf258f86d8202200ee18528d779924ee011db330c6dcec05f8ec42224

SHA512
c5a615c36929138bcfbafcb17f990f99fce2c36fad04a44bbe127832c53c3e8c72b40a54b9fa47a469d58364cfc5397af549240a500630f98b9f9cca2a20c91a

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
e8ee0b0888e9a1f5301b7924e228dcaf

SHA1
3b8f09337b6dcb64d47f0bd7ec6c38b15fdcca77

SHA256
4a8773f9cbcb8b68bef8622b432b6ea9c9c25ee293289eae3cf03d9abb05eb26

SHA512
b1a123816b1f971a743b7e9292f4982b32714915c460de4cc161aff1f61e04d42840b9702b9ba1bca51287f2aae0d410e851f7a8b225ba173e501ab0ee37aa31

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c6cb02077050f17e423a5a44373cdf46

SHA1
827cd5a96b1f98236f1ab41cedeeb4f8b916c2c3

SHA256
e3504d8de56df5a3183c868af9989875fcee72ebf8bd58f005d68605b77715c4

SHA512
ac6437597f92d43767bb16b5cc890545282b9f6b50b49d8c8de642a2d3ce631a547a51a394ff42863581744d00dcbd6fdfcf9911b46b90b4c2df4966445a75d2

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c6cb02077050f17e423a5a44373cdf46

SHA1
827cd5a96b1f98236f1ab41cedeeb4f8b916c2c3

SHA256
e3504d8de56df5a3183c868af9989875fcee72ebf8bd58f005d68605b77715c4

SHA512
ac6437597f92d43767bb16b5cc890545282b9f6b50b49d8c8de642a2d3ce631a547a51a394ff42863581744d00dcbd6fdfcf9911b46b90b4c2df4966445a75d2

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
50fded46454496c1f71064be37821873

SHA1
0aef3ade5d31ed7915de1e2a9196a6c0a1ff386c

SHA256
0040fa7c7c79c2781527e4bbb4334678b16f5a2ee5031245c0b986edf3cc3261

SHA512
f765dc6f585504989aa840ff58b5234b74375238692a749d113d34616b57c01dd0e373d803758936ee05b6031cbe6338eafa3891aeee875fd654534fab59863c

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
50fded46454496c1f71064be37821873

SHA1
0aef3ade5d31ed7915de1e2a9196a6c0a1ff386c

SHA256
0040fa7c7c79c2781527e4bbb4334678b16f5a2ee5031245c0b986edf3cc3261

SHA512
f765dc6f585504989aa840ff58b5234b74375238692a749d113d34616b57c01dd0e373d803758936ee05b6031cbe6338eafa3891aeee875fd654534fab59863c

Download Submit
\Users\Admin\AppData\Local\Temp\nst2F5D.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst2F5D.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst2F5D.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst2F5D.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst2F5D.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c2c6845917628708d58ca0b28e12ffc8

SHA1
f47e30f7c0f8cd632d1606a0c091c9bacd038659

SHA256
d37648d5c062f4f1ac1faae505b6a34f96f0bd530c3bd93240d04941b8dff3f3

SHA512
db433aa12acead1b51937fe0c074486aed18ba53ec53e6d3fea5603cc3b806c37f64e39f9f05b599ffe8a086b32ad7a140250b77a0cb7cdf9f96e4891a5a224b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c2c6845917628708d58ca0b28e12ffc8

SHA1
f47e30f7c0f8cd632d1606a0c091c9bacd038659

SHA256
d37648d5c062f4f1ac1faae505b6a34f96f0bd530c3bd93240d04941b8dff3f3

SHA512
db433aa12acead1b51937fe0c074486aed18ba53ec53e6d3fea5603cc3b806c37f64e39f9f05b599ffe8a086b32ad7a140250b77a0cb7cdf9f96e4891a5a224b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c2c6845917628708d58ca0b28e12ffc8

SHA1
f47e30f7c0f8cd632d1606a0c091c9bacd038659

SHA256
d37648d5c062f4f1ac1faae505b6a34f96f0bd530c3bd93240d04941b8dff3f3

SHA512
db433aa12acead1b51937fe0c074486aed18ba53ec53e6d3fea5603cc3b806c37f64e39f9f05b599ffe8a086b32ad7a140250b77a0cb7cdf9f96e4891a5a224b

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
1fa2ede282fd24bc50359445f06ba2ef

SHA1
758a4c6222d89042d89671c8df0c214ac201c5a3

SHA256
248866baf258f86d8202200ee18528d779924ee011db330c6dcec05f8ec42224

SHA512
c5a615c36929138bcfbafcb17f990f99fce2c36fad04a44bbe127832c53c3e8c72b40a54b9fa47a469d58364cfc5397af549240a500630f98b9f9cca2a20c91a

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
1fa2ede282fd24bc50359445f06ba2ef

SHA1
758a4c6222d89042d89671c8df0c214ac201c5a3

SHA256
248866baf258f86d8202200ee18528d779924ee011db330c6dcec05f8ec42224

SHA512
c5a615c36929138bcfbafcb17f990f99fce2c36fad04a44bbe127832c53c3e8c72b40a54b9fa47a469d58364cfc5397af549240a500630f98b9f9cca2a20c91a

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
e8ee0b0888e9a1f5301b7924e228dcaf

SHA1
3b8f09337b6dcb64d47f0bd7ec6c38b15fdcca77

SHA256
4a8773f9cbcb8b68bef8622b432b6ea9c9c25ee293289eae3cf03d9abb05eb26

SHA512
b1a123816b1f971a743b7e9292f4982b32714915c460de4cc161aff1f61e04d42840b9702b9ba1bca51287f2aae0d410e851f7a8b225ba173e501ab0ee37aa31

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
c6cb02077050f17e423a5a44373cdf46

SHA1
827cd5a96b1f98236f1ab41cedeeb4f8b916c2c3

SHA256
e3504d8de56df5a3183c868af9989875fcee72ebf8bd58f005d68605b77715c4

SHA512
ac6437597f92d43767bb16b5cc890545282b9f6b50b49d8c8de642a2d3ce631a547a51a394ff42863581744d00dcbd6fdfcf9911b46b90b4c2df4966445a75d2

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
50fded46454496c1f71064be37821873

SHA1
0aef3ade5d31ed7915de1e2a9196a6c0a1ff386c

SHA256
0040fa7c7c79c2781527e4bbb4334678b16f5a2ee5031245c0b986edf3cc3261

SHA512
f765dc6f585504989aa840ff58b5234b74375238692a749d113d34616b57c01dd0e373d803758936ee05b6031cbe6338eafa3891aeee875fd654534fab59863c

Download Submit
memory/368-61-0x0000000000000000-mapping.dmp

Download
memory/516-70-0x0000000000000000-mapping.dmp

Download
memory/560-62-0x0000000000000000-mapping.dmp

Download
memory/640-86-0x0000000000000000-mapping.dmp

Download
memory/828-57-0x0000000000000000-mapping.dmp

Download
memory/1392-87-0x0000000000000000-mapping.dmp

Download
memory/1728-64-0x0000000000000000-mapping.dmp

Download
memory/1788-76-0x0000000000000000-mapping.dmp

Download
memory/1948-80-0x0000000000000000-mapping.dmp

Download
memory/1956-81-0x0000000000000000-mapping.dmp

Download
memory/2012-58-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2032-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads