1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896

Analysis

max time kernel
58s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
Size

601KB
MD5

a91a19a86ee847c23ba550ebefef0076
SHA1

e84a62f2bc36bcd91d158f95325578923b60d4b3
SHA256

1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896
SHA512

cf928ae6f07e97ba34b1e80aaea13b8b75feb26eaba07b070fb91f2062ed26193e0bf8f7337c3f069235fbcbf7064198df381fffbfeda12b1a8c1da4b291a8be
SSDEEP

12288:sIny5DYTD9rG7aW21DFyLPFmYV30xgvxniJ:qUTD9rc8FyLJzvhO

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1104 installd.exe
1932 nethtsrv.exe
864 netupdsrv.exe
1736 nethtsrv.exe
944 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe

pid	process
1104	installd.exe
1932	nethtsrv.exe
864	netupdsrv.exe
1736	nethtsrv.exe
944	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
1104	installd.exe
1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
1932	nethtsrv.exe
1932	nethtsrv.exe
1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
1736	nethtsrv.exe
1736	nethtsrv.exe
1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
File created	C:\Windows\SysWOW64\installd.exe	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe

Drops file in Program Files directory 3 IoCs

Processes:

1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1736 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1736	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1044 wrote to memory of 996	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 996	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 996	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 996	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 996 wrote to memory of 1368	996	net.exe	net1.exe
PID 996 wrote to memory of 1368	996	net.exe	net1.exe
PID 996 wrote to memory of 1368	996	net.exe	net1.exe
PID 996 wrote to memory of 1368	996	net.exe	net1.exe
PID 1044 wrote to memory of 1860	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1860	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1860	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1860	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1860 wrote to memory of 684	1860	net.exe	net1.exe
PID 1860 wrote to memory of 684	1860	net.exe	net1.exe
PID 1860 wrote to memory of 684	1860	net.exe	net1.exe
PID 1860 wrote to memory of 684	1860	net.exe	net1.exe
PID 1044 wrote to memory of 1104	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	installd.exe
PID 1044 wrote to memory of 1104	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	installd.exe
PID 1044 wrote to memory of 1104	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	installd.exe
PID 1044 wrote to memory of 1104	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	installd.exe
PID 1044 wrote to memory of 1104	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	installd.exe
PID 1044 wrote to memory of 1104	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	installd.exe
PID 1044 wrote to memory of 1104	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	installd.exe
PID 1044 wrote to memory of 1932	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	nethtsrv.exe
PID 1044 wrote to memory of 1932	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	nethtsrv.exe
PID 1044 wrote to memory of 1932	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	nethtsrv.exe
PID 1044 wrote to memory of 1932	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	nethtsrv.exe
PID 1044 wrote to memory of 864	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	netupdsrv.exe
PID 1044 wrote to memory of 864	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	netupdsrv.exe
PID 1044 wrote to memory of 864	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	netupdsrv.exe
PID 1044 wrote to memory of 864	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	netupdsrv.exe
PID 1044 wrote to memory of 864	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	netupdsrv.exe
PID 1044 wrote to memory of 864	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	netupdsrv.exe
PID 1044 wrote to memory of 864	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	netupdsrv.exe
PID 1044 wrote to memory of 1644	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1644	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1644	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1644	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1644 wrote to memory of 1408	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1408	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1408	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1408	1644	net.exe	net1.exe
PID 1044 wrote to memory of 1284	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1284	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1284	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1044 wrote to memory of 1284	1044	1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe	net.exe
PID 1284 wrote to memory of 1752	1284	net.exe	net1.exe
PID 1284 wrote to memory of 1752	1284	net.exe	net1.exe
PID 1284 wrote to memory of 1752	1284	net.exe	net1.exe
PID 1284 wrote to memory of 1752	1284	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe
"C:\Users\Admin\AppData\Local\Temp\1a74ce0558ce124d1b09686fadf14ea67012c8f5bc9cbdb9ff27875d7e0e6896.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1044

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1368

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:684

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:864

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1408

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1752

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:944

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
256518dfd19cc82b4d33883a177053d6

SHA1
696e9a6c3cbcc325ed716ce6fbeb77080d91c5a6

SHA256
2bcc39c036046d135684e8514b19205b665318953d9b2a9ca259bc23acbc2cc4

SHA512
271507852e38164c8727110b26fb147369ff6be68a889eb98c5d159d08f3dc0a0edf6fa961c7b45988608aee5536ca572c49ff8c95089585b2e34e3490c9539e

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
a7a84c97a71208e73c84ccc7897ebc9f

SHA1
7646f54c52468faff0033c04fe1d660ec493e498

SHA256
8d395597384cd6a7ebf78bbef1c13449cfb52948d9b4735f75f189be6bf87203

SHA512
585a9a94959c52665af289bff8867c91117d64ab4eb0cc53d2496d71e9e0d1199ced9fe644dd487928e0291f7e556f5f93dcb9494239359837fd7645abdd879c

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
8aa0604dd093704212b97d73e8a3a65d

SHA1
4a7dc26a2ded4fc5e9e8ec8625a26fbd512dd8f0

SHA256
8fe993e8029f78094901921d8c2e7117a8c9f136e3072d1e1946253b873b0954

SHA512
0c4bc89702acd706096c104a112fda783d7dac6049de18cb94eb12febca615b3d593834b12c19cf1aab553664aff9503016ff2010e75c1b72f9a79dd7c3dfe3e

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
e93702ee21a9ba1e8c6b94134dee7f5f

SHA1
ad0cb43291745a0523e6e3fe6c5792ae0c4f9f60

SHA256
ae2fd9d9f8f4bb646ffe3000c527c1cb0245147cd724e41ff4aa91970d7220c3

SHA512
c8263cf6582063e50ee9c587003d3bb4b9b1f241b4f6122a87ef522b10d6b7852f0afb249e84e462c8fccc185af0b663b862c799a982584b9609f2221da8e2b2

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
e93702ee21a9ba1e8c6b94134dee7f5f

SHA1
ad0cb43291745a0523e6e3fe6c5792ae0c4f9f60

SHA256
ae2fd9d9f8f4bb646ffe3000c527c1cb0245147cd724e41ff4aa91970d7220c3

SHA512
c8263cf6582063e50ee9c587003d3bb4b9b1f241b4f6122a87ef522b10d6b7852f0afb249e84e462c8fccc185af0b663b862c799a982584b9609f2221da8e2b2

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
5c932fe0b7c58cdc56ed8f032ed2fa84

SHA1
cb9a0d77750d582817ee0303f268828f7ee0353d

SHA256
872e29d18ae5fa1fa858c2a4189902dbd70b089d1161a8813090cba43cb92437

SHA512
561081ff893af55a24a3fdcf9fc730dc58a04d9c9432b3aa3e9d1d39b9f6ecc6e507d74792faba6217e762a2993c23f3747f790d1e5b721837a40d069ff1f81e

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
5c932fe0b7c58cdc56ed8f032ed2fa84

SHA1
cb9a0d77750d582817ee0303f268828f7ee0353d

SHA256
872e29d18ae5fa1fa858c2a4189902dbd70b089d1161a8813090cba43cb92437

SHA512
561081ff893af55a24a3fdcf9fc730dc58a04d9c9432b3aa3e9d1d39b9f6ecc6e507d74792faba6217e762a2993c23f3747f790d1e5b721837a40d069ff1f81e

Download Submit
\Users\Admin\AppData\Local\Temp\nso9688.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso9688.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso9688.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso9688.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso9688.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
256518dfd19cc82b4d33883a177053d6

SHA1
696e9a6c3cbcc325ed716ce6fbeb77080d91c5a6

SHA256
2bcc39c036046d135684e8514b19205b665318953d9b2a9ca259bc23acbc2cc4

SHA512
271507852e38164c8727110b26fb147369ff6be68a889eb98c5d159d08f3dc0a0edf6fa961c7b45988608aee5536ca572c49ff8c95089585b2e34e3490c9539e

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
256518dfd19cc82b4d33883a177053d6

SHA1
696e9a6c3cbcc325ed716ce6fbeb77080d91c5a6

SHA256
2bcc39c036046d135684e8514b19205b665318953d9b2a9ca259bc23acbc2cc4

SHA512
271507852e38164c8727110b26fb147369ff6be68a889eb98c5d159d08f3dc0a0edf6fa961c7b45988608aee5536ca572c49ff8c95089585b2e34e3490c9539e

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
256518dfd19cc82b4d33883a177053d6

SHA1
696e9a6c3cbcc325ed716ce6fbeb77080d91c5a6

SHA256
2bcc39c036046d135684e8514b19205b665318953d9b2a9ca259bc23acbc2cc4

SHA512
271507852e38164c8727110b26fb147369ff6be68a889eb98c5d159d08f3dc0a0edf6fa961c7b45988608aee5536ca572c49ff8c95089585b2e34e3490c9539e

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
a7a84c97a71208e73c84ccc7897ebc9f

SHA1
7646f54c52468faff0033c04fe1d660ec493e498

SHA256
8d395597384cd6a7ebf78bbef1c13449cfb52948d9b4735f75f189be6bf87203

SHA512
585a9a94959c52665af289bff8867c91117d64ab4eb0cc53d2496d71e9e0d1199ced9fe644dd487928e0291f7e556f5f93dcb9494239359837fd7645abdd879c

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
a7a84c97a71208e73c84ccc7897ebc9f

SHA1
7646f54c52468faff0033c04fe1d660ec493e498

SHA256
8d395597384cd6a7ebf78bbef1c13449cfb52948d9b4735f75f189be6bf87203

SHA512
585a9a94959c52665af289bff8867c91117d64ab4eb0cc53d2496d71e9e0d1199ced9fe644dd487928e0291f7e556f5f93dcb9494239359837fd7645abdd879c

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
8aa0604dd093704212b97d73e8a3a65d

SHA1
4a7dc26a2ded4fc5e9e8ec8625a26fbd512dd8f0

SHA256
8fe993e8029f78094901921d8c2e7117a8c9f136e3072d1e1946253b873b0954

SHA512
0c4bc89702acd706096c104a112fda783d7dac6049de18cb94eb12febca615b3d593834b12c19cf1aab553664aff9503016ff2010e75c1b72f9a79dd7c3dfe3e

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
e93702ee21a9ba1e8c6b94134dee7f5f

SHA1
ad0cb43291745a0523e6e3fe6c5792ae0c4f9f60

SHA256
ae2fd9d9f8f4bb646ffe3000c527c1cb0245147cd724e41ff4aa91970d7220c3

SHA512
c8263cf6582063e50ee9c587003d3bb4b9b1f241b4f6122a87ef522b10d6b7852f0afb249e84e462c8fccc185af0b663b862c799a982584b9609f2221da8e2b2

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
5c932fe0b7c58cdc56ed8f032ed2fa84

SHA1
cb9a0d77750d582817ee0303f268828f7ee0353d

SHA256
872e29d18ae5fa1fa858c2a4189902dbd70b089d1161a8813090cba43cb92437

SHA512
561081ff893af55a24a3fdcf9fc730dc58a04d9c9432b3aa3e9d1d39b9f6ecc6e507d74792faba6217e762a2993c23f3747f790d1e5b721837a40d069ff1f81e

Download Submit
memory/684-62-0x0000000000000000-mapping.dmp

Download
memory/864-77-0x0000000000000000-mapping.dmp

Download
memory/996-58-0x0000000000000000-mapping.dmp

Download
memory/1044-54-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/1044-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1044-56-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1044-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1104-64-0x0000000000000000-mapping.dmp

Download
memory/1284-87-0x0000000000000000-mapping.dmp

Download
memory/1368-59-0x0000000000000000-mapping.dmp

Download
memory/1408-82-0x0000000000000000-mapping.dmp

Download
memory/1644-81-0x0000000000000000-mapping.dmp

Download
memory/1752-88-0x0000000000000000-mapping.dmp

Download
memory/1860-61-0x0000000000000000-mapping.dmp

Download
memory/1932-71-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads