4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f

Analysis

max time kernel
31s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
Size

602KB
MD5

a1d25be08e82d6e58a4afc496a5b8dfe
SHA1

767389abe905dbe883aff8d3ea731d1936b1dc47
SHA256

4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f
SHA512

296c641e99a3e99f09972c80c41f072e6d4f42f3ad06a74af7bc4c6605ed997db0724aa271ec6ca2a231298a2afe6a10765775428407f3104ff22fa77ba440c2
SSDEEP

12288:eIny5DYTgO4Brf+c4kX//mR2AnS+uFIKsNVLBRScs35a2OwXd:AUTgOmnAS+44NVLBRI5tOwN

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1744 installd.exe
1616 nethtsrv.exe
1016 netupdsrv.exe
472 nethtsrv.exe
1464 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe

pid	process
1744	installd.exe
1616	nethtsrv.exe
1016	netupdsrv.exe
472	nethtsrv.exe
1464	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
1744	installd.exe
1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
1616	nethtsrv.exe
1616	nethtsrv.exe
1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
472	nethtsrv.exe
472	nethtsrv.exe
1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
File created	C:\Windows\SysWOW64\installd.exe	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe

Drops file in Program Files directory 3 IoCs

Processes:

4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 472 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	472	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1072 wrote to memory of 560	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 560	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 560	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 560	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 560 wrote to memory of 1536	560	net.exe	net1.exe
PID 560 wrote to memory of 1536	560	net.exe	net1.exe
PID 560 wrote to memory of 1536	560	net.exe	net1.exe
PID 560 wrote to memory of 1536	560	net.exe	net1.exe
PID 1072 wrote to memory of 1756	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 1756	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 1756	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 1756	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1756 wrote to memory of 1500	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1500	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1500	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1500	1756	net.exe	net1.exe
PID 1072 wrote to memory of 1744	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	installd.exe
PID 1072 wrote to memory of 1744	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	installd.exe
PID 1072 wrote to memory of 1744	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	installd.exe
PID 1072 wrote to memory of 1744	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	installd.exe
PID 1072 wrote to memory of 1744	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	installd.exe
PID 1072 wrote to memory of 1744	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	installd.exe
PID 1072 wrote to memory of 1744	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	installd.exe
PID 1072 wrote to memory of 1616	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	nethtsrv.exe
PID 1072 wrote to memory of 1616	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	nethtsrv.exe
PID 1072 wrote to memory of 1616	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	nethtsrv.exe
PID 1072 wrote to memory of 1616	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	nethtsrv.exe
PID 1072 wrote to memory of 1016	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	netupdsrv.exe
PID 1072 wrote to memory of 1016	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	netupdsrv.exe
PID 1072 wrote to memory of 1016	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	netupdsrv.exe
PID 1072 wrote to memory of 1016	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	netupdsrv.exe
PID 1072 wrote to memory of 1016	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	netupdsrv.exe
PID 1072 wrote to memory of 1016	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	netupdsrv.exe
PID 1072 wrote to memory of 1016	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	netupdsrv.exe
PID 1072 wrote to memory of 1372	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 1372	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 1372	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 1372	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1372 wrote to memory of 1468	1372	net.exe	net1.exe
PID 1372 wrote to memory of 1468	1372	net.exe	net1.exe
PID 1372 wrote to memory of 1468	1372	net.exe	net1.exe
PID 1372 wrote to memory of 1468	1372	net.exe	net1.exe
PID 1072 wrote to memory of 2044	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 2044	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 2044	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 1072 wrote to memory of 2044	1072	4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe	net.exe
PID 2044 wrote to memory of 1100	2044	net.exe	net1.exe
PID 2044 wrote to memory of 1100	2044	net.exe	net1.exe
PID 2044 wrote to memory of 1100	2044	net.exe	net1.exe
PID 2044 wrote to memory of 1100	2044	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe
"C:\Users\Admin\AppData\Local\Temp\4bffd7e7f8c2747615332645e1d9c12dd8e577312133737411faec598c34b96f.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1072

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1536

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1500

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1016

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1468

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1100

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:472

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1464

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c371709233247abc520dc9f24af1d391

SHA1
4717380d67a5aed1d93b59e995850cf2cb1bd325

SHA256
e673c06dab43010d289f4759c4c96549cfa52e530a01224a63e0df7ddb6b5fdb

SHA512
ed44dfda527fa9973f1fa72db83b7efc989119fea88ac2f75de66cee73df1bf51a6810bb74ae5a7d634b4254590af99a6167ee0f51802255b632318fca5f12e5

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
931e392d47cc89ae32582c888eddabba

SHA1
91618782282cb8caa2a4f79c4ebc14b795cb0163

SHA256
d96beb79d9c6d6097c34cb87ca7a5af0598a3abf5273f800a810e240b447a42b

SHA512
15d8bf6a426336048ac60eefe16b3fd20bb1473221d0edc04cd46e56f9e76ea04cafed9c9e52315d6ffdd4e0ff0629073926779de848e785eb576bb8ac1f7d61

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
be053ba1b03a5019302bb4dd33f7d332

SHA1
ed2702a4ff319d60c9c85135020bbd802c13c1b3

SHA256
6092a61d3d5c53ac02c41fc49a83aaf9650a3c2ab9f03518b56d57e0b34c9b3f

SHA512
a3f909d1b36e31f2f9809c7028314636f67c0b40411187d2970c07a683622fa0ee012c046e36438f01377558caa795fdd819edf62c42e084503338c4acd79c47

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
51ae3d069f61a5d67e6caaebdb6b3624

SHA1
a67f5eba782461c9ff4932e07518ee85529bdf6b

SHA256
d54ff2ae84fd4a9692e693879b653c5bf003970b11d1478ac86ae5e28ed29b75

SHA512
88c6ccf6354abd84df4311f10de9f5f58d08ef5b8782157558cdf6f04b2f971b2c396545b480c5174c51f23483f2abf73d8b5cf43ef9ac2eac54cd22eb9d696f

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
51ae3d069f61a5d67e6caaebdb6b3624

SHA1
a67f5eba782461c9ff4932e07518ee85529bdf6b

SHA256
d54ff2ae84fd4a9692e693879b653c5bf003970b11d1478ac86ae5e28ed29b75

SHA512
88c6ccf6354abd84df4311f10de9f5f58d08ef5b8782157558cdf6f04b2f971b2c396545b480c5174c51f23483f2abf73d8b5cf43ef9ac2eac54cd22eb9d696f

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
386ed0b3aea4dee4b1e9555acc1e95b7

SHA1
3dab34520cdbe1b05e8c71203cd5b8668de76ae6

SHA256
691982ef0c42c1f795073750a7f4855e1cd5d566cbf63a796bfc8b2cdac24ace

SHA512
b0f001225ddf2e002baaf961fe4cb832d6b0e3e25b796c093ce32696c8cb1d57bda2e98370d9de7a799f93e01122892032d64bab57c51919717e4d5cf39a82b7

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
386ed0b3aea4dee4b1e9555acc1e95b7

SHA1
3dab34520cdbe1b05e8c71203cd5b8668de76ae6

SHA256
691982ef0c42c1f795073750a7f4855e1cd5d566cbf63a796bfc8b2cdac24ace

SHA512
b0f001225ddf2e002baaf961fe4cb832d6b0e3e25b796c093ce32696c8cb1d57bda2e98370d9de7a799f93e01122892032d64bab57c51919717e4d5cf39a82b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F73.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F73.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F73.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F73.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd3F73.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c371709233247abc520dc9f24af1d391

SHA1
4717380d67a5aed1d93b59e995850cf2cb1bd325

SHA256
e673c06dab43010d289f4759c4c96549cfa52e530a01224a63e0df7ddb6b5fdb

SHA512
ed44dfda527fa9973f1fa72db83b7efc989119fea88ac2f75de66cee73df1bf51a6810bb74ae5a7d634b4254590af99a6167ee0f51802255b632318fca5f12e5

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c371709233247abc520dc9f24af1d391

SHA1
4717380d67a5aed1d93b59e995850cf2cb1bd325

SHA256
e673c06dab43010d289f4759c4c96549cfa52e530a01224a63e0df7ddb6b5fdb

SHA512
ed44dfda527fa9973f1fa72db83b7efc989119fea88ac2f75de66cee73df1bf51a6810bb74ae5a7d634b4254590af99a6167ee0f51802255b632318fca5f12e5

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
c371709233247abc520dc9f24af1d391

SHA1
4717380d67a5aed1d93b59e995850cf2cb1bd325

SHA256
e673c06dab43010d289f4759c4c96549cfa52e530a01224a63e0df7ddb6b5fdb

SHA512
ed44dfda527fa9973f1fa72db83b7efc989119fea88ac2f75de66cee73df1bf51a6810bb74ae5a7d634b4254590af99a6167ee0f51802255b632318fca5f12e5

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
931e392d47cc89ae32582c888eddabba

SHA1
91618782282cb8caa2a4f79c4ebc14b795cb0163

SHA256
d96beb79d9c6d6097c34cb87ca7a5af0598a3abf5273f800a810e240b447a42b

SHA512
15d8bf6a426336048ac60eefe16b3fd20bb1473221d0edc04cd46e56f9e76ea04cafed9c9e52315d6ffdd4e0ff0629073926779de848e785eb576bb8ac1f7d61

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
931e392d47cc89ae32582c888eddabba

SHA1
91618782282cb8caa2a4f79c4ebc14b795cb0163

SHA256
d96beb79d9c6d6097c34cb87ca7a5af0598a3abf5273f800a810e240b447a42b

SHA512
15d8bf6a426336048ac60eefe16b3fd20bb1473221d0edc04cd46e56f9e76ea04cafed9c9e52315d6ffdd4e0ff0629073926779de848e785eb576bb8ac1f7d61

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
be053ba1b03a5019302bb4dd33f7d332

SHA1
ed2702a4ff319d60c9c85135020bbd802c13c1b3

SHA256
6092a61d3d5c53ac02c41fc49a83aaf9650a3c2ab9f03518b56d57e0b34c9b3f

SHA512
a3f909d1b36e31f2f9809c7028314636f67c0b40411187d2970c07a683622fa0ee012c046e36438f01377558caa795fdd819edf62c42e084503338c4acd79c47

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
51ae3d069f61a5d67e6caaebdb6b3624

SHA1
a67f5eba782461c9ff4932e07518ee85529bdf6b

SHA256
d54ff2ae84fd4a9692e693879b653c5bf003970b11d1478ac86ae5e28ed29b75

SHA512
88c6ccf6354abd84df4311f10de9f5f58d08ef5b8782157558cdf6f04b2f971b2c396545b480c5174c51f23483f2abf73d8b5cf43ef9ac2eac54cd22eb9d696f

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
386ed0b3aea4dee4b1e9555acc1e95b7

SHA1
3dab34520cdbe1b05e8c71203cd5b8668de76ae6

SHA256
691982ef0c42c1f795073750a7f4855e1cd5d566cbf63a796bfc8b2cdac24ace

SHA512
b0f001225ddf2e002baaf961fe4cb832d6b0e3e25b796c093ce32696c8cb1d57bda2e98370d9de7a799f93e01122892032d64bab57c51919717e4d5cf39a82b7

Download Submit
memory/560-58-0x0000000000000000-mapping.dmp

Download
memory/1016-76-0x0000000000000000-mapping.dmp

Download
memory/1072-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1072-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1072-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1100-87-0x0000000000000000-mapping.dmp

Download
memory/1372-80-0x0000000000000000-mapping.dmp

Download
memory/1468-81-0x0000000000000000-mapping.dmp

Download
memory/1500-62-0x0000000000000000-mapping.dmp

Download
memory/1536-59-0x0000000000000000-mapping.dmp

Download
memory/1616-70-0x0000000000000000-mapping.dmp

Download
memory/1744-64-0x0000000000000000-mapping.dmp

Download
memory/1756-61-0x0000000000000000-mapping.dmp

Download
memory/2044-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads