128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f

Analysis

max time kernel
46s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
Size

603KB
MD5

dee3d98911243156e3ef048745640a50
SHA1

8452f18ae85ef7c62a110adf3bc79e2c2fe4bb9a
SHA256

128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f
SHA512

f64ba78b2f754b9e3c5960c307209914ea7bd8203cd513a9ea842c184fbd8994e90e63d2ba070f7669d681005ef65ea3979bcc750cb6fd3b4f5324afbbbd7270
SSDEEP

12288:uIny5DYTmIvRGzj/D4tNFPMUM4DzrY9fdTTczhckcsJ75YfZ+:wUTmMRi/DB3czS95U

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

596 installd.exe
1672 nethtsrv.exe
304 netupdsrv.exe
2024 nethtsrv.exe
1692 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe

pid	process
596	installd.exe
1672	nethtsrv.exe
304	netupdsrv.exe
2024	nethtsrv.exe
1692	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
596	installd.exe
1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
1672	nethtsrv.exe
1672	nethtsrv.exe
1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
2024	nethtsrv.exe
2024	nethtsrv.exe
1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\netupdsrv.exe	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
File created	C:\Windows\SysWOW64\installd.exe	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe

Drops file in Program Files directory 3 IoCs

Processes:

128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 2024 nethtsrv.exe

pid	process
468

description	pid	process
Token: SeDebugPrivilege	2024	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1204 wrote to memory of 1088	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1088	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1088	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1088	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1088 wrote to memory of 1964	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1964	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1964	1088	net.exe	net1.exe
PID 1088 wrote to memory of 1964	1088	net.exe	net1.exe
PID 1204 wrote to memory of 580	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 580	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 580	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 580	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 580 wrote to memory of 1520	580	net.exe	net1.exe
PID 580 wrote to memory of 1520	580	net.exe	net1.exe
PID 580 wrote to memory of 1520	580	net.exe	net1.exe
PID 580 wrote to memory of 1520	580	net.exe	net1.exe
PID 1204 wrote to memory of 596	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	installd.exe
PID 1204 wrote to memory of 596	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	installd.exe
PID 1204 wrote to memory of 596	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	installd.exe
PID 1204 wrote to memory of 596	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	installd.exe
PID 1204 wrote to memory of 596	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	installd.exe
PID 1204 wrote to memory of 596	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	installd.exe
PID 1204 wrote to memory of 596	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	installd.exe
PID 1204 wrote to memory of 1672	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	nethtsrv.exe
PID 1204 wrote to memory of 1672	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	nethtsrv.exe
PID 1204 wrote to memory of 1672	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	nethtsrv.exe
PID 1204 wrote to memory of 1672	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	nethtsrv.exe
PID 1204 wrote to memory of 304	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	netupdsrv.exe
PID 1204 wrote to memory of 304	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	netupdsrv.exe
PID 1204 wrote to memory of 304	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	netupdsrv.exe
PID 1204 wrote to memory of 304	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	netupdsrv.exe
PID 1204 wrote to memory of 304	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	netupdsrv.exe
PID 1204 wrote to memory of 304	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	netupdsrv.exe
PID 1204 wrote to memory of 304	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	netupdsrv.exe
PID 1204 wrote to memory of 1644	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1644	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1644	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1644	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1644 wrote to memory of 1996	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1996	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1996	1644	net.exe	net1.exe
PID 1644 wrote to memory of 1996	1644	net.exe	net1.exe
PID 1204 wrote to memory of 1368	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1368	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1368	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1204 wrote to memory of 1368	1204	128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe	net.exe
PID 1368 wrote to memory of 340	1368	net.exe	net1.exe
PID 1368 wrote to memory of 340	1368	net.exe	net1.exe
PID 1368 wrote to memory of 340	1368	net.exe	net1.exe
PID 1368 wrote to memory of 340	1368	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe
"C:\Users\Admin\AppData\Local\Temp\128ba7e074af0569c803a552f8928cc8f12eb2fbdc6b3bdd672be627d6e5225f.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1088

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1964

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1520

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:304

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1996

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1368

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:340

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1692

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e06a05f278ee52f418a6f627044626ed

SHA1
b1fc93daa0770ac3521312d945c1917c3f0a5fda

SHA256
eeae69be65419b7a3d49764e679dfb3dc52e0d8036e7dff70fb27471846d13bb

SHA512
54ca7e958f646fbff5374d2aecf1a83af59e9769018b2d3a10c7dfe5f3c409dfdc9063b953cbeec5b4df1b2b8e6ba519f6e82be89b1af7a4429a50573f335d20

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
6086945e32e54dca07fdb62ca39418ee

SHA1
9a6d9c88e66ef2773150d5baced5c74827255550

SHA256
418e7bb114fdce4d3c4ddb446ede85193dc1c27dfb5aff91a4e04cd8dc50b470

SHA512
de1d2f0ae114b977ab9dc3ede55038f3ac5fb582fe2cdb4a7727945b38c0f32875822c473a472202b771b5cdd828047bd6062816cdc1b9b83893638177b38882

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
db847de2994f483e233e20100f5ffda5

SHA1
0270335f2e098ab6038a4935fb4c6cccc0ac4b11

SHA256
166ae491801eb055583aa8ec76f3d9f40e52dd8e89f39a46b478a87d925984c8

SHA512
9635a89cd0cadf12ab0221a99c71abae25665d341a9ed38e8446d19d9a37d4115bc9408cc934a486ee4f39b7e67537e80043e3d208f43cd3709619f4755cd2dc

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
f3a0cfbd31c148bae9b1386237f8bfa9

SHA1
e239108b4d5bf79a7ac04c85156c45b6127a8fa6

SHA256
0b1d1ff7c9571b97ded7bd9ed0d757dec723ac6c76c0802e267b63966389fab1

SHA512
4154e3e37d75baa5ea90819faa56600a1f68f83df1826e99dea1e2e58c4f931f20daab5cc3c27d7bff799464623d50fdb540f98af36e418d50ade6a032c58826

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
f3a0cfbd31c148bae9b1386237f8bfa9

SHA1
e239108b4d5bf79a7ac04c85156c45b6127a8fa6

SHA256
0b1d1ff7c9571b97ded7bd9ed0d757dec723ac6c76c0802e267b63966389fab1

SHA512
4154e3e37d75baa5ea90819faa56600a1f68f83df1826e99dea1e2e58c4f931f20daab5cc3c27d7bff799464623d50fdb540f98af36e418d50ade6a032c58826

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
8de33eb231338513435af1acce857b49

SHA1
67cfdbc13bcefe8d9a74b0f503bba57b92863144

SHA256
0f62c1c37e267a2b9df42f259490f8f3d6b5c1734091e2eae60f5f6fdc9f3c17

SHA512
6b4a8d21c3661fc8a65d11420cd2bccc53f9b3b88dd7e1899d366e0023d6e66614b3311e2cfb6c60fe6bf0b517c98e1bb29dda29b74bbfb0b6c4518c89851ce2

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
8de33eb231338513435af1acce857b49

SHA1
67cfdbc13bcefe8d9a74b0f503bba57b92863144

SHA256
0f62c1c37e267a2b9df42f259490f8f3d6b5c1734091e2eae60f5f6fdc9f3c17

SHA512
6b4a8d21c3661fc8a65d11420cd2bccc53f9b3b88dd7e1899d366e0023d6e66614b3311e2cfb6c60fe6bf0b517c98e1bb29dda29b74bbfb0b6c4518c89851ce2

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A9.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A9.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A9.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A9.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst28A9.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e06a05f278ee52f418a6f627044626ed

SHA1
b1fc93daa0770ac3521312d945c1917c3f0a5fda

SHA256
eeae69be65419b7a3d49764e679dfb3dc52e0d8036e7dff70fb27471846d13bb

SHA512
54ca7e958f646fbff5374d2aecf1a83af59e9769018b2d3a10c7dfe5f3c409dfdc9063b953cbeec5b4df1b2b8e6ba519f6e82be89b1af7a4429a50573f335d20

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e06a05f278ee52f418a6f627044626ed

SHA1
b1fc93daa0770ac3521312d945c1917c3f0a5fda

SHA256
eeae69be65419b7a3d49764e679dfb3dc52e0d8036e7dff70fb27471846d13bb

SHA512
54ca7e958f646fbff5374d2aecf1a83af59e9769018b2d3a10c7dfe5f3c409dfdc9063b953cbeec5b4df1b2b8e6ba519f6e82be89b1af7a4429a50573f335d20

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e06a05f278ee52f418a6f627044626ed

SHA1
b1fc93daa0770ac3521312d945c1917c3f0a5fda

SHA256
eeae69be65419b7a3d49764e679dfb3dc52e0d8036e7dff70fb27471846d13bb

SHA512
54ca7e958f646fbff5374d2aecf1a83af59e9769018b2d3a10c7dfe5f3c409dfdc9063b953cbeec5b4df1b2b8e6ba519f6e82be89b1af7a4429a50573f335d20

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
6086945e32e54dca07fdb62ca39418ee

SHA1
9a6d9c88e66ef2773150d5baced5c74827255550

SHA256
418e7bb114fdce4d3c4ddb446ede85193dc1c27dfb5aff91a4e04cd8dc50b470

SHA512
de1d2f0ae114b977ab9dc3ede55038f3ac5fb582fe2cdb4a7727945b38c0f32875822c473a472202b771b5cdd828047bd6062816cdc1b9b83893638177b38882

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
6086945e32e54dca07fdb62ca39418ee

SHA1
9a6d9c88e66ef2773150d5baced5c74827255550

SHA256
418e7bb114fdce4d3c4ddb446ede85193dc1c27dfb5aff91a4e04cd8dc50b470

SHA512
de1d2f0ae114b977ab9dc3ede55038f3ac5fb582fe2cdb4a7727945b38c0f32875822c473a472202b771b5cdd828047bd6062816cdc1b9b83893638177b38882

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
db847de2994f483e233e20100f5ffda5

SHA1
0270335f2e098ab6038a4935fb4c6cccc0ac4b11

SHA256
166ae491801eb055583aa8ec76f3d9f40e52dd8e89f39a46b478a87d925984c8

SHA512
9635a89cd0cadf12ab0221a99c71abae25665d341a9ed38e8446d19d9a37d4115bc9408cc934a486ee4f39b7e67537e80043e3d208f43cd3709619f4755cd2dc

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
f3a0cfbd31c148bae9b1386237f8bfa9

SHA1
e239108b4d5bf79a7ac04c85156c45b6127a8fa6

SHA256
0b1d1ff7c9571b97ded7bd9ed0d757dec723ac6c76c0802e267b63966389fab1

SHA512
4154e3e37d75baa5ea90819faa56600a1f68f83df1826e99dea1e2e58c4f931f20daab5cc3c27d7bff799464623d50fdb540f98af36e418d50ade6a032c58826

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
8de33eb231338513435af1acce857b49

SHA1
67cfdbc13bcefe8d9a74b0f503bba57b92863144

SHA256
0f62c1c37e267a2b9df42f259490f8f3d6b5c1734091e2eae60f5f6fdc9f3c17

SHA512
6b4a8d21c3661fc8a65d11420cd2bccc53f9b3b88dd7e1899d366e0023d6e66614b3311e2cfb6c60fe6bf0b517c98e1bb29dda29b74bbfb0b6c4518c89851ce2

Download Submit
memory/304-76-0x0000000000000000-mapping.dmp

Download
memory/340-87-0x0000000000000000-mapping.dmp

Download
memory/580-61-0x0000000000000000-mapping.dmp

Download
memory/596-64-0x0000000000000000-mapping.dmp

Download
memory/1088-57-0x0000000000000000-mapping.dmp

Download
memory/1204-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1204-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1204-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1368-86-0x0000000000000000-mapping.dmp

Download
memory/1520-62-0x0000000000000000-mapping.dmp

Download
memory/1644-80-0x0000000000000000-mapping.dmp

Download
memory/1672-70-0x0000000000000000-mapping.dmp

Download
memory/1964-58-0x0000000000000000-mapping.dmp

Download
memory/1996-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads