4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d

Analysis

max time kernel
65s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
Size

602KB
MD5

7265c25a63dc49503cee41b4a29ea971
SHA1

86e85ba7890ffb3bb72f0bb1623854e866f11d70
SHA256

4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d
SHA512

00ca09298a656af95a6a274b043499deac2173a6c0b6ec14033914c449aae1eb620d3a3eb660dea3fb4d51cd28507b3ae57d76d1e182356e0bc3ad1ff41acb37
SSDEEP

12288:lIny5DYTjrB3HtnU085z9j+dIx6Nsx6hwygqMEgzlo:RUTjl9D85ZjmIx6WwhMTE

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

916 installd.exe
1804 nethtsrv.exe
580 netupdsrv.exe
1524 nethtsrv.exe
1788 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe

pid	process
916	installd.exe
1804	nethtsrv.exe
580	netupdsrv.exe
1524	nethtsrv.exe
1788	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
916	installd.exe
268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
1804	nethtsrv.exe
1804	nethtsrv.exe
268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
1524	nethtsrv.exe
1524	nethtsrv.exe
268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
File created	C:\Windows\SysWOW64\installd.exe	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe

Drops file in Program Files directory 3 IoCs

Processes:

4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1524 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1524	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 268 wrote to memory of 876	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 876	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 876	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 876	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 876 wrote to memory of 332	876	net.exe	net1.exe
PID 876 wrote to memory of 332	876	net.exe	net1.exe
PID 876 wrote to memory of 332	876	net.exe	net1.exe
PID 876 wrote to memory of 332	876	net.exe	net1.exe
PID 268 wrote to memory of 872	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 872	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 872	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 872	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 872 wrote to memory of 1944	872	net.exe	net1.exe
PID 872 wrote to memory of 1944	872	net.exe	net1.exe
PID 872 wrote to memory of 1944	872	net.exe	net1.exe
PID 872 wrote to memory of 1944	872	net.exe	net1.exe
PID 268 wrote to memory of 916	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	installd.exe
PID 268 wrote to memory of 916	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	installd.exe
PID 268 wrote to memory of 916	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	installd.exe
PID 268 wrote to memory of 916	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	installd.exe
PID 268 wrote to memory of 916	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	installd.exe
PID 268 wrote to memory of 916	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	installd.exe
PID 268 wrote to memory of 916	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	installd.exe
PID 268 wrote to memory of 1804	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	nethtsrv.exe
PID 268 wrote to memory of 1804	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	nethtsrv.exe
PID 268 wrote to memory of 1804	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	nethtsrv.exe
PID 268 wrote to memory of 1804	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	nethtsrv.exe
PID 268 wrote to memory of 580	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	netupdsrv.exe
PID 268 wrote to memory of 580	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	netupdsrv.exe
PID 268 wrote to memory of 580	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	netupdsrv.exe
PID 268 wrote to memory of 580	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	netupdsrv.exe
PID 268 wrote to memory of 580	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	netupdsrv.exe
PID 268 wrote to memory of 580	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	netupdsrv.exe
PID 268 wrote to memory of 580	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	netupdsrv.exe
PID 268 wrote to memory of 1368	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 1368	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 1368	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 1368	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 1368 wrote to memory of 1276	1368	net.exe	net1.exe
PID 1368 wrote to memory of 1276	1368	net.exe	net1.exe
PID 1368 wrote to memory of 1276	1368	net.exe	net1.exe
PID 1368 wrote to memory of 1276	1368	net.exe	net1.exe
PID 268 wrote to memory of 1880	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 1880	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 1880	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 268 wrote to memory of 1880	268	4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe	net.exe
PID 1880 wrote to memory of 1256	1880	net.exe	net1.exe
PID 1880 wrote to memory of 1256	1880	net.exe	net1.exe
PID 1880 wrote to memory of 1256	1880	net.exe	net1.exe
PID 1880 wrote to memory of 1256	1880	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe
"C:\Users\Admin\AppData\Local\Temp\4852f60fecf1e503b5d214f97ac20a7221d288350dca9d6d283fe3cce504924d.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:268

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:332

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:872

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1944

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:580

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1276

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1256

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1788

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
12554d13d13f35dcc99a3751b6552246

SHA1
510137c8a68eaf47a36d05e96e1989d5e9b1f4da

SHA256
c59d62e2dc7d51453d3d40a47fd8b689b951c88c4cd3bfb9caf843c4b86ffe67

SHA512
86dcb54f515fbac4104a162f030d2e868f7636e6dbc52e00fba6f8305c84b39b14fed3ab2d4b7b3518165d9f32b1f97060513e98a776af33a04ea088118643cb

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
722c84e4f4af0469987c5e11f23c54f8

SHA1
43ac3c9ed456b940113dc678815ee09ac96e9b93

SHA256
fd0a3505d287e8f1e75082f53f73d3e43e350936afae9bf91dead0927ecd25fa

SHA512
9edd646b40f9e6f1994fdb8b8917c39f323d689221c569e6284d86fe984de256272efa23b851baa88fbd76ed00fdf800671bcf5f6da6da58771e16fd5cee3eba

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
5ea1f0f0bf73645c83eb9bd76d6123cc

SHA1
87a6fb92de4a2c43f5ffd969f52823b353130a6a

SHA256
d0f9898d0cca9788ba84dc0df01042895285c2cdcc03a771312928fbe039eb14

SHA512
84d3c24d3a29432516554e438a66cfe28622becfa0020d48029ebd8a46168ec8fe324bb14d8b7ff4f552ca3ac507ee633f79a47915213f06fb5965a3ed58a22d

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3c9c763756fd19b9df10d1ecb93104c3

SHA1
134ac5be884527173e79757cd73124d9dd157334

SHA256
1b142b1a63a970c0e2390f152cefabb73fe9560a82e9490532094488f2dba1a1

SHA512
1e891f1d6eda4581aaf852cae8c7ab87313c4357bc393db41c601729fd3de55274c7920aa915617f2b4ee0eb07235e7ae170134318ec4b37f27903a4bba6c423

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3c9c763756fd19b9df10d1ecb93104c3

SHA1
134ac5be884527173e79757cd73124d9dd157334

SHA256
1b142b1a63a970c0e2390f152cefabb73fe9560a82e9490532094488f2dba1a1

SHA512
1e891f1d6eda4581aaf852cae8c7ab87313c4357bc393db41c601729fd3de55274c7920aa915617f2b4ee0eb07235e7ae170134318ec4b37f27903a4bba6c423

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
054fb5bbd794f010da8d5b37988627a4

SHA1
8ad4f13a0cab2c22d93f0e33fd54ba75c03532a2

SHA256
1009ed5d03a9b0f6ab69f4975ba0a67aad408d01575cf8b18db8ddb74d18d63f

SHA512
6482f4e4f19e8e7b73f75ac933255dee271878205d922673e75440b25b00774b19282f50239f17d666dea3592e1e0ce78dc928786ca28cde3f0f7bef2738cdfa

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
054fb5bbd794f010da8d5b37988627a4

SHA1
8ad4f13a0cab2c22d93f0e33fd54ba75c03532a2

SHA256
1009ed5d03a9b0f6ab69f4975ba0a67aad408d01575cf8b18db8ddb74d18d63f

SHA512
6482f4e4f19e8e7b73f75ac933255dee271878205d922673e75440b25b00774b19282f50239f17d666dea3592e1e0ce78dc928786ca28cde3f0f7bef2738cdfa

Download Submit
\Users\Admin\AppData\Local\Temp\nsj909F.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsj909F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj909F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj909F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsj909F.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
12554d13d13f35dcc99a3751b6552246

SHA1
510137c8a68eaf47a36d05e96e1989d5e9b1f4da

SHA256
c59d62e2dc7d51453d3d40a47fd8b689b951c88c4cd3bfb9caf843c4b86ffe67

SHA512
86dcb54f515fbac4104a162f030d2e868f7636e6dbc52e00fba6f8305c84b39b14fed3ab2d4b7b3518165d9f32b1f97060513e98a776af33a04ea088118643cb

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
12554d13d13f35dcc99a3751b6552246

SHA1
510137c8a68eaf47a36d05e96e1989d5e9b1f4da

SHA256
c59d62e2dc7d51453d3d40a47fd8b689b951c88c4cd3bfb9caf843c4b86ffe67

SHA512
86dcb54f515fbac4104a162f030d2e868f7636e6dbc52e00fba6f8305c84b39b14fed3ab2d4b7b3518165d9f32b1f97060513e98a776af33a04ea088118643cb

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
12554d13d13f35dcc99a3751b6552246

SHA1
510137c8a68eaf47a36d05e96e1989d5e9b1f4da

SHA256
c59d62e2dc7d51453d3d40a47fd8b689b951c88c4cd3bfb9caf843c4b86ffe67

SHA512
86dcb54f515fbac4104a162f030d2e868f7636e6dbc52e00fba6f8305c84b39b14fed3ab2d4b7b3518165d9f32b1f97060513e98a776af33a04ea088118643cb

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
722c84e4f4af0469987c5e11f23c54f8

SHA1
43ac3c9ed456b940113dc678815ee09ac96e9b93

SHA256
fd0a3505d287e8f1e75082f53f73d3e43e350936afae9bf91dead0927ecd25fa

SHA512
9edd646b40f9e6f1994fdb8b8917c39f323d689221c569e6284d86fe984de256272efa23b851baa88fbd76ed00fdf800671bcf5f6da6da58771e16fd5cee3eba

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
722c84e4f4af0469987c5e11f23c54f8

SHA1
43ac3c9ed456b940113dc678815ee09ac96e9b93

SHA256
fd0a3505d287e8f1e75082f53f73d3e43e350936afae9bf91dead0927ecd25fa

SHA512
9edd646b40f9e6f1994fdb8b8917c39f323d689221c569e6284d86fe984de256272efa23b851baa88fbd76ed00fdf800671bcf5f6da6da58771e16fd5cee3eba

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
5ea1f0f0bf73645c83eb9bd76d6123cc

SHA1
87a6fb92de4a2c43f5ffd969f52823b353130a6a

SHA256
d0f9898d0cca9788ba84dc0df01042895285c2cdcc03a771312928fbe039eb14

SHA512
84d3c24d3a29432516554e438a66cfe28622becfa0020d48029ebd8a46168ec8fe324bb14d8b7ff4f552ca3ac507ee633f79a47915213f06fb5965a3ed58a22d

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3c9c763756fd19b9df10d1ecb93104c3

SHA1
134ac5be884527173e79757cd73124d9dd157334

SHA256
1b142b1a63a970c0e2390f152cefabb73fe9560a82e9490532094488f2dba1a1

SHA512
1e891f1d6eda4581aaf852cae8c7ab87313c4357bc393db41c601729fd3de55274c7920aa915617f2b4ee0eb07235e7ae170134318ec4b37f27903a4bba6c423

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
054fb5bbd794f010da8d5b37988627a4

SHA1
8ad4f13a0cab2c22d93f0e33fd54ba75c03532a2

SHA256
1009ed5d03a9b0f6ab69f4975ba0a67aad408d01575cf8b18db8ddb74d18d63f

SHA512
6482f4e4f19e8e7b73f75ac933255dee271878205d922673e75440b25b00774b19282f50239f17d666dea3592e1e0ce78dc928786ca28cde3f0f7bef2738cdfa

Download Submit
memory/268-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/268-75-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/268-54-0x0000000075891000-0x0000000075893000-memory.dmp

Filesize
8KB

Download
memory/268-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/332-58-0x0000000000000000-mapping.dmp

Download
memory/580-77-0x0000000000000000-mapping.dmp

Download
memory/872-61-0x0000000000000000-mapping.dmp

Download
memory/876-57-0x0000000000000000-mapping.dmp

Download
memory/916-64-0x0000000000000000-mapping.dmp

Download
memory/1256-88-0x0000000000000000-mapping.dmp

Download
memory/1276-82-0x0000000000000000-mapping.dmp

Download
memory/1368-81-0x0000000000000000-mapping.dmp

Download
memory/1804-70-0x0000000000000000-mapping.dmp

Download
memory/1880-87-0x0000000000000000-mapping.dmp

Download
memory/1944-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads