1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
Size

603KB
MD5

8e2504633b6fd960a05732b6690648c2
SHA1

a3d48be96631642d5080493ea7aa0ab4128ef978
SHA256

1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539
SHA512

9c77f4d4b07d59dd6a56477a716a60e22cc4191173403537103559be0b75abca051327dd4cb6ad15fffad170bb61a6de2eaca8622344366d278865b6b45ddb26
SSDEEP

12288:1Iny5DYTTAhS+YiW2njM+IFHJkfzteSIyEePW:BUTTArRWNPkpIyEePW

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1412 installd.exe
1564 nethtsrv.exe
1312 netupdsrv.exe
1788 nethtsrv.exe
984 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe

pid	process
1412	installd.exe
1564	nethtsrv.exe
1312	netupdsrv.exe
1788	nethtsrv.exe
984	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
1412	installd.exe
1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
1564	nethtsrv.exe
1564	nethtsrv.exe
1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
1788	nethtsrv.exe
1788	nethtsrv.exe
1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
File created	C:\Windows\SysWOW64\installd.exe	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe

Drops file in Program Files directory 3 IoCs

Processes:

1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1788 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1788	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1688 wrote to memory of 916	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 916	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 916	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 916	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 916 wrote to memory of 628	916	net.exe	net1.exe
PID 916 wrote to memory of 628	916	net.exe	net1.exe
PID 916 wrote to memory of 628	916	net.exe	net1.exe
PID 916 wrote to memory of 628	916	net.exe	net1.exe
PID 1688 wrote to memory of 1556	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 1556	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 1556	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 1556	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1556 wrote to memory of 1416	1556	net.exe	net1.exe
PID 1556 wrote to memory of 1416	1556	net.exe	net1.exe
PID 1556 wrote to memory of 1416	1556	net.exe	net1.exe
PID 1556 wrote to memory of 1416	1556	net.exe	net1.exe
PID 1688 wrote to memory of 1412	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	installd.exe
PID 1688 wrote to memory of 1412	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	installd.exe
PID 1688 wrote to memory of 1412	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	installd.exe
PID 1688 wrote to memory of 1412	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	installd.exe
PID 1688 wrote to memory of 1412	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	installd.exe
PID 1688 wrote to memory of 1412	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	installd.exe
PID 1688 wrote to memory of 1412	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	installd.exe
PID 1688 wrote to memory of 1564	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	nethtsrv.exe
PID 1688 wrote to memory of 1564	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	nethtsrv.exe
PID 1688 wrote to memory of 1564	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	nethtsrv.exe
PID 1688 wrote to memory of 1564	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	nethtsrv.exe
PID 1688 wrote to memory of 1312	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	netupdsrv.exe
PID 1688 wrote to memory of 1312	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	netupdsrv.exe
PID 1688 wrote to memory of 1312	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	netupdsrv.exe
PID 1688 wrote to memory of 1312	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	netupdsrv.exe
PID 1688 wrote to memory of 1312	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	netupdsrv.exe
PID 1688 wrote to memory of 1312	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	netupdsrv.exe
PID 1688 wrote to memory of 1312	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	netupdsrv.exe
PID 1688 wrote to memory of 540	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 540	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 540	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 540	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 540 wrote to memory of 1400	540	net.exe	net1.exe
PID 540 wrote to memory of 1400	540	net.exe	net1.exe
PID 540 wrote to memory of 1400	540	net.exe	net1.exe
PID 540 wrote to memory of 1400	540	net.exe	net1.exe
PID 1688 wrote to memory of 1436	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 1436	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 1436	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1688 wrote to memory of 1436	1688	1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe	net.exe
PID 1436 wrote to memory of 1644	1436	net.exe	net1.exe
PID 1436 wrote to memory of 1644	1436	net.exe	net1.exe
PID 1436 wrote to memory of 1644	1436	net.exe	net1.exe
PID 1436 wrote to memory of 1644	1436	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe
"C:\Users\Admin\AppData\Local\Temp\1bd6e6171ce88274fe171b0217ce2f13c327d4595653bac15b2d38dc28cb2539.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:916

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:628

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1416

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1312

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1400

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1436

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1644

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1788

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:984

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
afd62768123a6b7d7341756cf9e99c6a

SHA1
ccc5cbdcb8a4016e584761be083c15d91f35da73

SHA256
0c7c13160746f43911cf8488cc0bae01695d13a02729b541b0643a98e5d03361

SHA512
01a3dddd45f6ea3477cb56f589c915c7dd849c047fcc124608a6a3fe7c22e9d4e46086c73fe57887a7e5bcf7b25efee34e3ffdc255bd860abc8844e6c456ab4b

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
826d506483c4f5f1fb8489d7c5235c6f

SHA1
87d393b391d54c4a958925230e812ca8e2d5c4e3

SHA256
277832524f3778b520eba0d108a559494d0a8a825806759cbb8a8d510a43c0d4

SHA512
6a72901c2bdddd991886784dba725cdd8fae2a95747f63b33081a736cb3b0500c554170c3767ef52ad198424c626d9dd886d287c49d06b577b5ddcc68207b930

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
d957897947f0ca2dd873f7c5f8c31889

SHA1
234f499c4fbd3518b065332a4baec41958fe0ed2

SHA256
58df19cef1965655578e3dfbd8a3c5b19634cee3e2112889dcf2eed764cc6659

SHA512
f11439951355d3e0f1c362d5a7041096a92f4866664f9de21d6ec3946e40ba451a474f544311be37a65b60a2510cb06f34a4a079169b1708d2491932fd48eeb1

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
6cf7b85fea0a6073436f33f617b07bd1

SHA1
a07026b02d468b2fc202a72a7f33fd0b1ba7a8f9

SHA256
67bbddf3a81fdabb823694200b085d09eaf513c03d3dbea7f6d4d7534d492b0c

SHA512
ab0bc380b7054ea8e449aac056c875e27ec3a1ec1bdef358e95d55ba59cec8ff5b6d35b18c5fc39c4dcb62738ed50ade6ccbcfd07d1308d210afb70e8e9140e0

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
6cf7b85fea0a6073436f33f617b07bd1

SHA1
a07026b02d468b2fc202a72a7f33fd0b1ba7a8f9

SHA256
67bbddf3a81fdabb823694200b085d09eaf513c03d3dbea7f6d4d7534d492b0c

SHA512
ab0bc380b7054ea8e449aac056c875e27ec3a1ec1bdef358e95d55ba59cec8ff5b6d35b18c5fc39c4dcb62738ed50ade6ccbcfd07d1308d210afb70e8e9140e0

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
9ed57503583f90d9ba7396677c2f012e

SHA1
c2b294a72104fd948d7a3c35b208dfe1bb840eea

SHA256
07e829e0b95c5c10ffa5ba4bdba2b29da2727a819479beeceab0c2eb2201f0db

SHA512
02c05abb84b81c07bef7ab30975bf52f55427e57401e498401b3bbbb32f6ae8d4ca1bd790e229b0ecc4a14c95c23a7ccb3f260407623530ac8ef16c1b5a3c5ea

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
9ed57503583f90d9ba7396677c2f012e

SHA1
c2b294a72104fd948d7a3c35b208dfe1bb840eea

SHA256
07e829e0b95c5c10ffa5ba4bdba2b29da2727a819479beeceab0c2eb2201f0db

SHA512
02c05abb84b81c07bef7ab30975bf52f55427e57401e498401b3bbbb32f6ae8d4ca1bd790e229b0ecc4a14c95c23a7ccb3f260407623530ac8ef16c1b5a3c5ea

Download Submit
\Users\Admin\AppData\Local\Temp\nso1162.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso1162.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1162.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1162.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso1162.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
afd62768123a6b7d7341756cf9e99c6a

SHA1
ccc5cbdcb8a4016e584761be083c15d91f35da73

SHA256
0c7c13160746f43911cf8488cc0bae01695d13a02729b541b0643a98e5d03361

SHA512
01a3dddd45f6ea3477cb56f589c915c7dd849c047fcc124608a6a3fe7c22e9d4e46086c73fe57887a7e5bcf7b25efee34e3ffdc255bd860abc8844e6c456ab4b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
afd62768123a6b7d7341756cf9e99c6a

SHA1
ccc5cbdcb8a4016e584761be083c15d91f35da73

SHA256
0c7c13160746f43911cf8488cc0bae01695d13a02729b541b0643a98e5d03361

SHA512
01a3dddd45f6ea3477cb56f589c915c7dd849c047fcc124608a6a3fe7c22e9d4e46086c73fe57887a7e5bcf7b25efee34e3ffdc255bd860abc8844e6c456ab4b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
afd62768123a6b7d7341756cf9e99c6a

SHA1
ccc5cbdcb8a4016e584761be083c15d91f35da73

SHA256
0c7c13160746f43911cf8488cc0bae01695d13a02729b541b0643a98e5d03361

SHA512
01a3dddd45f6ea3477cb56f589c915c7dd849c047fcc124608a6a3fe7c22e9d4e46086c73fe57887a7e5bcf7b25efee34e3ffdc255bd860abc8844e6c456ab4b

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
826d506483c4f5f1fb8489d7c5235c6f

SHA1
87d393b391d54c4a958925230e812ca8e2d5c4e3

SHA256
277832524f3778b520eba0d108a559494d0a8a825806759cbb8a8d510a43c0d4

SHA512
6a72901c2bdddd991886784dba725cdd8fae2a95747f63b33081a736cb3b0500c554170c3767ef52ad198424c626d9dd886d287c49d06b577b5ddcc68207b930

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
826d506483c4f5f1fb8489d7c5235c6f

SHA1
87d393b391d54c4a958925230e812ca8e2d5c4e3

SHA256
277832524f3778b520eba0d108a559494d0a8a825806759cbb8a8d510a43c0d4

SHA512
6a72901c2bdddd991886784dba725cdd8fae2a95747f63b33081a736cb3b0500c554170c3767ef52ad198424c626d9dd886d287c49d06b577b5ddcc68207b930

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
d957897947f0ca2dd873f7c5f8c31889

SHA1
234f499c4fbd3518b065332a4baec41958fe0ed2

SHA256
58df19cef1965655578e3dfbd8a3c5b19634cee3e2112889dcf2eed764cc6659

SHA512
f11439951355d3e0f1c362d5a7041096a92f4866664f9de21d6ec3946e40ba451a474f544311be37a65b60a2510cb06f34a4a079169b1708d2491932fd48eeb1

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
6cf7b85fea0a6073436f33f617b07bd1

SHA1
a07026b02d468b2fc202a72a7f33fd0b1ba7a8f9

SHA256
67bbddf3a81fdabb823694200b085d09eaf513c03d3dbea7f6d4d7534d492b0c

SHA512
ab0bc380b7054ea8e449aac056c875e27ec3a1ec1bdef358e95d55ba59cec8ff5b6d35b18c5fc39c4dcb62738ed50ade6ccbcfd07d1308d210afb70e8e9140e0

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
9ed57503583f90d9ba7396677c2f012e

SHA1
c2b294a72104fd948d7a3c35b208dfe1bb840eea

SHA256
07e829e0b95c5c10ffa5ba4bdba2b29da2727a819479beeceab0c2eb2201f0db

SHA512
02c05abb84b81c07bef7ab30975bf52f55427e57401e498401b3bbbb32f6ae8d4ca1bd790e229b0ecc4a14c95c23a7ccb3f260407623530ac8ef16c1b5a3c5ea

Download Submit
memory/540-81-0x0000000000000000-mapping.dmp

Download
memory/628-59-0x0000000000000000-mapping.dmp

Download
memory/916-57-0x0000000000000000-mapping.dmp

Download
memory/1312-77-0x0000000000000000-mapping.dmp

Download
memory/1400-82-0x0000000000000000-mapping.dmp

Download
memory/1412-64-0x0000000000000000-mapping.dmp

Download
memory/1416-62-0x0000000000000000-mapping.dmp

Download
memory/1436-87-0x0000000000000000-mapping.dmp

Download
memory/1556-61-0x0000000000000000-mapping.dmp

Download
memory/1564-71-0x0000000000000000-mapping.dmp

Download
memory/1644-88-0x0000000000000000-mapping.dmp

Download
memory/1688-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1688-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1688-58-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1688-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads