176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d

Analysis

max time kernel
69s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
Size

602KB
MD5

940498e1f3b85888268f9d6887441fd3
SHA1

78eaad50b26b2ee435de27beed49b60ac334d11f
SHA256

176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d
SHA512

0bff59ba8c40f60284df93d08836c691a8b4a74060986aeb18f3fef4ac996f758d283522f080487a13a07983cd7b54898927cabe443e00862be2f94e38c05d3a
SSDEEP

12288:BIny5DYTZItw14ZfMHIOPYp9+q0NTTkZRexeHWXdgtb8e5ciNWmO9Y:9UTZeWDoZkRkZEvXytJciVAY

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

848 installd.exe
1236 nethtsrv.exe
1944 netupdsrv.exe
1588 nethtsrv.exe
884 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe

pid	process
848	installd.exe
1236	nethtsrv.exe
1944	netupdsrv.exe
1588	nethtsrv.exe
884	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
848	installd.exe
316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
1236	nethtsrv.exe
1236	nethtsrv.exe
316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
1588	nethtsrv.exe
1588	nethtsrv.exe
316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe

Drops file in Program Files directory 3 IoCs

Processes:

176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1588 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1588	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 316 wrote to memory of 1312	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1312	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1312	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1312	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 1312 wrote to memory of 580	1312	net.exe	net1.exe
PID 1312 wrote to memory of 580	1312	net.exe	net1.exe
PID 1312 wrote to memory of 580	1312	net.exe	net1.exe
PID 1312 wrote to memory of 580	1312	net.exe	net1.exe
PID 316 wrote to memory of 568	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 568	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 568	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 568	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 568 wrote to memory of 1600	568	net.exe	net1.exe
PID 568 wrote to memory of 1600	568	net.exe	net1.exe
PID 568 wrote to memory of 1600	568	net.exe	net1.exe
PID 568 wrote to memory of 1600	568	net.exe	net1.exe
PID 316 wrote to memory of 848	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	installd.exe
PID 316 wrote to memory of 848	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	installd.exe
PID 316 wrote to memory of 848	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	installd.exe
PID 316 wrote to memory of 848	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	installd.exe
PID 316 wrote to memory of 848	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	installd.exe
PID 316 wrote to memory of 848	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	installd.exe
PID 316 wrote to memory of 848	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	installd.exe
PID 316 wrote to memory of 1236	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	nethtsrv.exe
PID 316 wrote to memory of 1236	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	nethtsrv.exe
PID 316 wrote to memory of 1236	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	nethtsrv.exe
PID 316 wrote to memory of 1236	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	nethtsrv.exe
PID 316 wrote to memory of 1944	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	netupdsrv.exe
PID 316 wrote to memory of 1944	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	netupdsrv.exe
PID 316 wrote to memory of 1944	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	netupdsrv.exe
PID 316 wrote to memory of 1944	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	netupdsrv.exe
PID 316 wrote to memory of 1944	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	netupdsrv.exe
PID 316 wrote to memory of 1944	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	netupdsrv.exe
PID 316 wrote to memory of 1944	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	netupdsrv.exe
PID 316 wrote to memory of 1544	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1544	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1544	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1544	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 1544 wrote to memory of 1724	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1724	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1724	1544	net.exe	net1.exe
PID 1544 wrote to memory of 1724	1544	net.exe	net1.exe
PID 316 wrote to memory of 1388	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1388	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1388	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 316 wrote to memory of 1388	316	176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe	net.exe
PID 1388 wrote to memory of 1784	1388	net.exe	net1.exe
PID 1388 wrote to memory of 1784	1388	net.exe	net1.exe
PID 1388 wrote to memory of 1784	1388	net.exe	net1.exe
PID 1388 wrote to memory of 1784	1388	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe
"C:\Users\Admin\AppData\Local\Temp\176c68c270bfd6fb7caf2f19beade791dbff3db5774d4eff514dcf187675548d.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1312

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:580

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:568

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1600

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1944

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1724

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1388

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1784

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:884

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
b78178d269564ac17670f8e6c407adcc

SHA1
69e4f1cbc8ef0deaa8aaa7a3c8c6d91ac2296a9a

SHA256
b22b691ce543870b74b899237815e581d30e81f210d64cc44e29f38e2a1aa9aa

SHA512
df5252ff678215a143e32866169732961390421a2929a3ed254db18056cafc4eb7b2f402f389787251f8aa9c1376282706ec69186da38ab248e64ded2a36d19b

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
70a9a8b4e2eae7f27befadb3b99b1522

SHA1
98d25a457b1194bf26c816edc6ff99e7c255c5e6

SHA256
86ff0090c3f4378748144fdc3364d065d695d2cde2d5dace1895c253b8862c05

SHA512
9fa6c825ad2f10786e9658bdec234ab1a5612ca29ed028b7b6e0da366151f1d8ecd83f058afe18bf53b2f62a50df321c39e9e97984d30e6f3acf2606b081d185

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
d6b9300d6f11182ad33aff39a20058aa

SHA1
d0ffc704627241bea5707621aa888fb8eef54c22

SHA256
5b570707d16bd5da29bd4d8b5190720e85c0406c44144637a15ae9e892c91cb3

SHA512
f4e0515ab40486eef948360f4e8f1436898200cd711cccee1dbdaecf9efb24960ce1980c67c079436d6f139b0f065f00c5a25a15cdc01a76b2917b22d57e0c1a

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9e980c925fb6b1bfc43c108a7820b92b

SHA1
4a74afda5dab8a984fd40f1701abd2f2736c2e9a

SHA256
c4077cfa31a1ed29c372a82154392de9e181e327e5cc06f0aa06d05a9e940f40

SHA512
0c233d902605178d805f6dac03a07ab6924d2c1f39d14fb12b380e486db89ce2de67a36026a49def492b78d216f742b89d5debcb3b0c88923ca0fe9271d08905

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9e980c925fb6b1bfc43c108a7820b92b

SHA1
4a74afda5dab8a984fd40f1701abd2f2736c2e9a

SHA256
c4077cfa31a1ed29c372a82154392de9e181e327e5cc06f0aa06d05a9e940f40

SHA512
0c233d902605178d805f6dac03a07ab6924d2c1f39d14fb12b380e486db89ce2de67a36026a49def492b78d216f742b89d5debcb3b0c88923ca0fe9271d08905

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
17b193776ad5dbdbda42752a13aec014

SHA1
974e8c2e5fdd02f67155d4c4bae7cb9dea413f05

SHA256
0d6d60a801bd4a4b1efd9704a03fb56eac9102d0fdf9dc4efe39d78cf091809e

SHA512
82d89eed469d8867b6f32cd4383b4d8ea7eff9cdc846b5ba3b572d3977ce1139564c2ade4004eaf9a0bcefb5cc5784a1bf137cf0e600ebaa241c23022246a6b0

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
17b193776ad5dbdbda42752a13aec014

SHA1
974e8c2e5fdd02f67155d4c4bae7cb9dea413f05

SHA256
0d6d60a801bd4a4b1efd9704a03fb56eac9102d0fdf9dc4efe39d78cf091809e

SHA512
82d89eed469d8867b6f32cd4383b4d8ea7eff9cdc846b5ba3b572d3977ce1139564c2ade4004eaf9a0bcefb5cc5784a1bf137cf0e600ebaa241c23022246a6b0

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE9E5.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE9E5.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE9E5.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE9E5.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjE9E5.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
b78178d269564ac17670f8e6c407adcc

SHA1
69e4f1cbc8ef0deaa8aaa7a3c8c6d91ac2296a9a

SHA256
b22b691ce543870b74b899237815e581d30e81f210d64cc44e29f38e2a1aa9aa

SHA512
df5252ff678215a143e32866169732961390421a2929a3ed254db18056cafc4eb7b2f402f389787251f8aa9c1376282706ec69186da38ab248e64ded2a36d19b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
b78178d269564ac17670f8e6c407adcc

SHA1
69e4f1cbc8ef0deaa8aaa7a3c8c6d91ac2296a9a

SHA256
b22b691ce543870b74b899237815e581d30e81f210d64cc44e29f38e2a1aa9aa

SHA512
df5252ff678215a143e32866169732961390421a2929a3ed254db18056cafc4eb7b2f402f389787251f8aa9c1376282706ec69186da38ab248e64ded2a36d19b

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
b78178d269564ac17670f8e6c407adcc

SHA1
69e4f1cbc8ef0deaa8aaa7a3c8c6d91ac2296a9a

SHA256
b22b691ce543870b74b899237815e581d30e81f210d64cc44e29f38e2a1aa9aa

SHA512
df5252ff678215a143e32866169732961390421a2929a3ed254db18056cafc4eb7b2f402f389787251f8aa9c1376282706ec69186da38ab248e64ded2a36d19b

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
70a9a8b4e2eae7f27befadb3b99b1522

SHA1
98d25a457b1194bf26c816edc6ff99e7c255c5e6

SHA256
86ff0090c3f4378748144fdc3364d065d695d2cde2d5dace1895c253b8862c05

SHA512
9fa6c825ad2f10786e9658bdec234ab1a5612ca29ed028b7b6e0da366151f1d8ecd83f058afe18bf53b2f62a50df321c39e9e97984d30e6f3acf2606b081d185

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
70a9a8b4e2eae7f27befadb3b99b1522

SHA1
98d25a457b1194bf26c816edc6ff99e7c255c5e6

SHA256
86ff0090c3f4378748144fdc3364d065d695d2cde2d5dace1895c253b8862c05

SHA512
9fa6c825ad2f10786e9658bdec234ab1a5612ca29ed028b7b6e0da366151f1d8ecd83f058afe18bf53b2f62a50df321c39e9e97984d30e6f3acf2606b081d185

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
d6b9300d6f11182ad33aff39a20058aa

SHA1
d0ffc704627241bea5707621aa888fb8eef54c22

SHA256
5b570707d16bd5da29bd4d8b5190720e85c0406c44144637a15ae9e892c91cb3

SHA512
f4e0515ab40486eef948360f4e8f1436898200cd711cccee1dbdaecf9efb24960ce1980c67c079436d6f139b0f065f00c5a25a15cdc01a76b2917b22d57e0c1a

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9e980c925fb6b1bfc43c108a7820b92b

SHA1
4a74afda5dab8a984fd40f1701abd2f2736c2e9a

SHA256
c4077cfa31a1ed29c372a82154392de9e181e327e5cc06f0aa06d05a9e940f40

SHA512
0c233d902605178d805f6dac03a07ab6924d2c1f39d14fb12b380e486db89ce2de67a36026a49def492b78d216f742b89d5debcb3b0c88923ca0fe9271d08905

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
17b193776ad5dbdbda42752a13aec014

SHA1
974e8c2e5fdd02f67155d4c4bae7cb9dea413f05

SHA256
0d6d60a801bd4a4b1efd9704a03fb56eac9102d0fdf9dc4efe39d78cf091809e

SHA512
82d89eed469d8867b6f32cd4383b4d8ea7eff9cdc846b5ba3b572d3977ce1139564c2ade4004eaf9a0bcefb5cc5784a1bf137cf0e600ebaa241c23022246a6b0

Download Submit
memory/316-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/316-54-0x00000000765A1000-0x00000000765A3000-memory.dmp

Filesize
8KB

Download
memory/316-57-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/568-61-0x0000000000000000-mapping.dmp

Download
memory/580-59-0x0000000000000000-mapping.dmp

Download
memory/848-64-0x0000000000000000-mapping.dmp

Download
memory/1236-70-0x0000000000000000-mapping.dmp

Download
memory/1312-58-0x0000000000000000-mapping.dmp

Download
memory/1388-86-0x0000000000000000-mapping.dmp

Download
memory/1544-80-0x0000000000000000-mapping.dmp

Download
memory/1600-62-0x0000000000000000-mapping.dmp

Download
memory/1724-81-0x0000000000000000-mapping.dmp

Download
memory/1784-87-0x0000000000000000-mapping.dmp

Download
memory/1944-76-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads