561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef

Analysis

max time kernel
38s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
Size

602KB
MD5

2194cd15949b31e9610699f6a1fb4dc0
SHA1

ae6e5e1bb0357bc95a6e880aea2a7102bfed56ee
SHA256

561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef
SHA512

4dfeb9c8366e9f0475c474dc6589e32287f3806dc31a57d9dfaebc58a19923175e1043ed8c94baebb04af56b3f4a4822c00f141d00af84b6f7816e139789c10a
SSDEEP

12288:MIny5DYTgp7XZuD4GMDEDosS7zOp01Bn6XF2y7EY:KUTgx8DKDEBSy+Bn24Y

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1308 installd.exe
1788 nethtsrv.exe
1844 netupdsrv.exe
1924 nethtsrv.exe
1920 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe

pid	process
1308	installd.exe
1788	nethtsrv.exe
1844	netupdsrv.exe
1924	nethtsrv.exe
1920	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
1308	installd.exe
1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
1788	nethtsrv.exe
1788	nethtsrv.exe
1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
1924	nethtsrv.exe
1924	nethtsrv.exe
1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe

description	ioc	process
File created	C:\Windows\SysWOW64\netupdsrv.exe	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
File created	C:\Windows\SysWOW64\installd.exe	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe

Drops file in Program Files directory 3 IoCs

Processes:

561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1924 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1924	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1960 wrote to memory of 1496	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 1496	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 1496	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 1496	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1496 wrote to memory of 1188	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1188	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1188	1496	net.exe	net1.exe
PID 1496 wrote to memory of 1188	1496	net.exe	net1.exe
PID 1960 wrote to memory of 1176	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 1176	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 1176	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 1176	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1176 wrote to memory of 976	1176	net.exe	net1.exe
PID 1176 wrote to memory of 976	1176	net.exe	net1.exe
PID 1176 wrote to memory of 976	1176	net.exe	net1.exe
PID 1176 wrote to memory of 976	1176	net.exe	net1.exe
PID 1960 wrote to memory of 1308	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	installd.exe
PID 1960 wrote to memory of 1308	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	installd.exe
PID 1960 wrote to memory of 1308	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	installd.exe
PID 1960 wrote to memory of 1308	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	installd.exe
PID 1960 wrote to memory of 1308	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	installd.exe
PID 1960 wrote to memory of 1308	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	installd.exe
PID 1960 wrote to memory of 1308	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	installd.exe
PID 1960 wrote to memory of 1788	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	nethtsrv.exe
PID 1960 wrote to memory of 1788	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	nethtsrv.exe
PID 1960 wrote to memory of 1788	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	nethtsrv.exe
PID 1960 wrote to memory of 1788	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	nethtsrv.exe
PID 1960 wrote to memory of 1844	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	netupdsrv.exe
PID 1960 wrote to memory of 1844	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	netupdsrv.exe
PID 1960 wrote to memory of 1844	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	netupdsrv.exe
PID 1960 wrote to memory of 1844	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	netupdsrv.exe
PID 1960 wrote to memory of 1844	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	netupdsrv.exe
PID 1960 wrote to memory of 1844	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	netupdsrv.exe
PID 1960 wrote to memory of 1844	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	netupdsrv.exe
PID 1960 wrote to memory of 2004	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 2004	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 2004	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 2004	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 2004 wrote to memory of 2008	2004	net.exe	net1.exe
PID 2004 wrote to memory of 2008	2004	net.exe	net1.exe
PID 2004 wrote to memory of 2008	2004	net.exe	net1.exe
PID 2004 wrote to memory of 2008	2004	net.exe	net1.exe
PID 1960 wrote to memory of 428	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 428	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 428	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 1960 wrote to memory of 428	1960	561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe	net.exe
PID 428 wrote to memory of 1932	428	net.exe	net1.exe
PID 428 wrote to memory of 1932	428	net.exe	net1.exe
PID 428 wrote to memory of 1932	428	net.exe	net1.exe
PID 428 wrote to memory of 1932	428	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe
"C:\Users\Admin\AppData\Local\Temp\561cac904d6c7226566ddfcd444a2e19264d3b8a6792b3f6fff99fd4a06172ef.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1188

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:976

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1844

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:2008

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1932

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1924

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1920

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0448cb86f3e3af4ba2362a3fcf64558f

SHA1
6b94534eb82379240e999efc174be72269e9ff2f

SHA256
aad0cd7f2c240ea8aec1f5415af45f60c6ec98f71f75621049330bd4532b6f26

SHA512
d40700a4fe8ea7df6f2785ed7de088d05551747797fe2fd3dfeeddb3193102cef4ef4526db1a03204ba8e8aa74577ce634382652e8c2f9649e6aa352d93feb0e

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
fd4e4391d93136638c7fb48f41134f3f

SHA1
24f38f648cd5900c77eda72d46dc4a401edcd291

SHA256
6edde8cdab7257acc29002494f8a499238b5ef5bb8d0f1ca2c2abcfcf8dde718

SHA512
2bcf3ce9a1cedaeae03e7e38f61b7e3e7794ef5d35588937f95d9358eb171c9532316e8047ac379bc2ed959223f996d045c43775b2de46e70c76ac38b36b7e72

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a3638a17e734dfb25eda53d7a1be7241

SHA1
caaf8843d8f939d765a47c44d93f0484ba86773e

SHA256
9eb21bb8b91eca385c7645d7114d26012826fa5b2c7fa5cb0d3e5791e01a1b56

SHA512
5c04a6fe2d0529f83f3fc0a19a7a8823513ab15e3807ab1eb12504c1e27f758adfcadce5c1684ee5329d999e7e8d8c646f9da9be1c0628b5889da35cb40acf08

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
7d4cfc1d0bf780bb18ebc00ea2e63499

SHA1
71eb75e2c9f51584a6c0bd5e0b47647e5a0d0cbe

SHA256
f7e45c44241ac69b033466699bb5093db2380f9d8d9960c1dbc1118650c0917b

SHA512
14c659d999b5c223b5d1146780ef6a561f1532a31fa0ec9e0bf73a5ff4688cb5b89f69fe857149d78407dc7b9d0fd56feec3efd12817ac46b0eaabe3f89a3d84

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
7d4cfc1d0bf780bb18ebc00ea2e63499

SHA1
71eb75e2c9f51584a6c0bd5e0b47647e5a0d0cbe

SHA256
f7e45c44241ac69b033466699bb5093db2380f9d8d9960c1dbc1118650c0917b

SHA512
14c659d999b5c223b5d1146780ef6a561f1532a31fa0ec9e0bf73a5ff4688cb5b89f69fe857149d78407dc7b9d0fd56feec3efd12817ac46b0eaabe3f89a3d84

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
b70a6891beb8a8a1b5350b5b7b15e567

SHA1
1a2c9dad719187e0331d176f0f7f924194d8678a

SHA256
ec7c72c5e71fbeb798b1d12143565ee427696c0d15d017276b01e0b937e8f1e5

SHA512
be580a1117e0006a14ada7e6656441d5c226048e17674bedc85a505aa8b14828abd864179be949334b67d4522d8767d0e14dc735f71387522ac95a1ae035906f

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
b70a6891beb8a8a1b5350b5b7b15e567

SHA1
1a2c9dad719187e0331d176f0f7f924194d8678a

SHA256
ec7c72c5e71fbeb798b1d12143565ee427696c0d15d017276b01e0b937e8f1e5

SHA512
be580a1117e0006a14ada7e6656441d5c226048e17674bedc85a505aa8b14828abd864179be949334b67d4522d8767d0e14dc735f71387522ac95a1ae035906f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6847.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6847.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6847.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6847.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6847.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0448cb86f3e3af4ba2362a3fcf64558f

SHA1
6b94534eb82379240e999efc174be72269e9ff2f

SHA256
aad0cd7f2c240ea8aec1f5415af45f60c6ec98f71f75621049330bd4532b6f26

SHA512
d40700a4fe8ea7df6f2785ed7de088d05551747797fe2fd3dfeeddb3193102cef4ef4526db1a03204ba8e8aa74577ce634382652e8c2f9649e6aa352d93feb0e

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0448cb86f3e3af4ba2362a3fcf64558f

SHA1
6b94534eb82379240e999efc174be72269e9ff2f

SHA256
aad0cd7f2c240ea8aec1f5415af45f60c6ec98f71f75621049330bd4532b6f26

SHA512
d40700a4fe8ea7df6f2785ed7de088d05551747797fe2fd3dfeeddb3193102cef4ef4526db1a03204ba8e8aa74577ce634382652e8c2f9649e6aa352d93feb0e

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
0448cb86f3e3af4ba2362a3fcf64558f

SHA1
6b94534eb82379240e999efc174be72269e9ff2f

SHA256
aad0cd7f2c240ea8aec1f5415af45f60c6ec98f71f75621049330bd4532b6f26

SHA512
d40700a4fe8ea7df6f2785ed7de088d05551747797fe2fd3dfeeddb3193102cef4ef4526db1a03204ba8e8aa74577ce634382652e8c2f9649e6aa352d93feb0e

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
fd4e4391d93136638c7fb48f41134f3f

SHA1
24f38f648cd5900c77eda72d46dc4a401edcd291

SHA256
6edde8cdab7257acc29002494f8a499238b5ef5bb8d0f1ca2c2abcfcf8dde718

SHA512
2bcf3ce9a1cedaeae03e7e38f61b7e3e7794ef5d35588937f95d9358eb171c9532316e8047ac379bc2ed959223f996d045c43775b2de46e70c76ac38b36b7e72

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
fd4e4391d93136638c7fb48f41134f3f

SHA1
24f38f648cd5900c77eda72d46dc4a401edcd291

SHA256
6edde8cdab7257acc29002494f8a499238b5ef5bb8d0f1ca2c2abcfcf8dde718

SHA512
2bcf3ce9a1cedaeae03e7e38f61b7e3e7794ef5d35588937f95d9358eb171c9532316e8047ac379bc2ed959223f996d045c43775b2de46e70c76ac38b36b7e72

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a3638a17e734dfb25eda53d7a1be7241

SHA1
caaf8843d8f939d765a47c44d93f0484ba86773e

SHA256
9eb21bb8b91eca385c7645d7114d26012826fa5b2c7fa5cb0d3e5791e01a1b56

SHA512
5c04a6fe2d0529f83f3fc0a19a7a8823513ab15e3807ab1eb12504c1e27f758adfcadce5c1684ee5329d999e7e8d8c646f9da9be1c0628b5889da35cb40acf08

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
7d4cfc1d0bf780bb18ebc00ea2e63499

SHA1
71eb75e2c9f51584a6c0bd5e0b47647e5a0d0cbe

SHA256
f7e45c44241ac69b033466699bb5093db2380f9d8d9960c1dbc1118650c0917b

SHA512
14c659d999b5c223b5d1146780ef6a561f1532a31fa0ec9e0bf73a5ff4688cb5b89f69fe857149d78407dc7b9d0fd56feec3efd12817ac46b0eaabe3f89a3d84

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
b70a6891beb8a8a1b5350b5b7b15e567

SHA1
1a2c9dad719187e0331d176f0f7f924194d8678a

SHA256
ec7c72c5e71fbeb798b1d12143565ee427696c0d15d017276b01e0b937e8f1e5

SHA512
be580a1117e0006a14ada7e6656441d5c226048e17674bedc85a505aa8b14828abd864179be949334b67d4522d8767d0e14dc735f71387522ac95a1ae035906f

Download Submit
memory/428-86-0x0000000000000000-mapping.dmp

Download
memory/976-62-0x0000000000000000-mapping.dmp

Download
memory/1176-61-0x0000000000000000-mapping.dmp

Download
memory/1188-59-0x0000000000000000-mapping.dmp

Download
memory/1308-64-0x0000000000000000-mapping.dmp

Download
memory/1496-57-0x0000000000000000-mapping.dmp

Download
memory/1788-70-0x0000000000000000-mapping.dmp

Download
memory/1844-76-0x0000000000000000-mapping.dmp

Download
memory/1932-87-0x0000000000000000-mapping.dmp

Download
memory/1960-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1960-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1960-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2004-80-0x0000000000000000-mapping.dmp

Download
memory/2008-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads