0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd

Analysis

max time kernel
66s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
Size

603KB
MD5

6bb1ff61456fe8f5b8a5cb92567366b6
SHA1

326b650614bfb84e3727feed2f79a78b79920417
SHA256

0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd
SHA512

c21d895a3c7aad849971d260cde0b0faa2060363991e2bac4ab37161389c975eabc8bfdb911f0f8851cb9211d7a7857832b2f02dc00f660d2c9a2e6e3e3b6888
SSDEEP

12288:3Iny5DYTFWdloMNbCY5S0oFNgsHeNRBQOt:fUTcdlJZCQS1FgNRtt

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

896 installd.exe
1108 nethtsrv.exe
1396 netupdsrv.exe
1972 nethtsrv.exe
1760 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe

pid	process
896	installd.exe
1108	nethtsrv.exe
1396	netupdsrv.exe
1972	nethtsrv.exe
1760	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
896	installd.exe
1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
1108	nethtsrv.exe
1108	nethtsrv.exe
1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
1972	nethtsrv.exe
1972	nethtsrv.exe
1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
File created	C:\Windows\SysWOW64\installd.exe	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe

Drops file in Program Files directory 3 IoCs

Processes:

0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1972 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1972	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1948 wrote to memory of 1712	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1712	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1712	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1712	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1712 wrote to memory of 572	1712	net.exe	net1.exe
PID 1712 wrote to memory of 572	1712	net.exe	net1.exe
PID 1712 wrote to memory of 572	1712	net.exe	net1.exe
PID 1712 wrote to memory of 572	1712	net.exe	net1.exe
PID 1948 wrote to memory of 1164	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1164	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1164	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1164	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1164 wrote to memory of 588	1164	net.exe	net1.exe
PID 1164 wrote to memory of 588	1164	net.exe	net1.exe
PID 1164 wrote to memory of 588	1164	net.exe	net1.exe
PID 1164 wrote to memory of 588	1164	net.exe	net1.exe
PID 1948 wrote to memory of 896	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	installd.exe
PID 1948 wrote to memory of 896	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	installd.exe
PID 1948 wrote to memory of 896	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	installd.exe
PID 1948 wrote to memory of 896	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	installd.exe
PID 1948 wrote to memory of 896	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	installd.exe
PID 1948 wrote to memory of 896	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	installd.exe
PID 1948 wrote to memory of 896	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	installd.exe
PID 1948 wrote to memory of 1108	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	nethtsrv.exe
PID 1948 wrote to memory of 1108	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	nethtsrv.exe
PID 1948 wrote to memory of 1108	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	nethtsrv.exe
PID 1948 wrote to memory of 1108	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	nethtsrv.exe
PID 1948 wrote to memory of 1396	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	netupdsrv.exe
PID 1948 wrote to memory of 1396	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	netupdsrv.exe
PID 1948 wrote to memory of 1396	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	netupdsrv.exe
PID 1948 wrote to memory of 1396	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	netupdsrv.exe
PID 1948 wrote to memory of 1396	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	netupdsrv.exe
PID 1948 wrote to memory of 1396	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	netupdsrv.exe
PID 1948 wrote to memory of 1396	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	netupdsrv.exe
PID 1948 wrote to memory of 1732	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1732	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1732	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1732	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1732 wrote to memory of 1556	1732	net.exe	net1.exe
PID 1732 wrote to memory of 1556	1732	net.exe	net1.exe
PID 1732 wrote to memory of 1556	1732	net.exe	net1.exe
PID 1732 wrote to memory of 1556	1732	net.exe	net1.exe
PID 1948 wrote to memory of 1112	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1112	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1112	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1948 wrote to memory of 1112	1948	0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe	net.exe
PID 1112 wrote to memory of 1508	1112	net.exe	net1.exe
PID 1112 wrote to memory of 1508	1112	net.exe	net1.exe
PID 1112 wrote to memory of 1508	1112	net.exe	net1.exe
PID 1112 wrote to memory of 1508	1112	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe
"C:\Users\Admin\AppData\Local\Temp\0a5740744feca98bb5b6ca72c25c6b34d95d3e98b69d3baf916c14c236a363bd.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1712

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:572

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1164

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:588

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1396

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1556

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1112

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1508

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1972

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1760

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
084dbbf2a65984a5bba409c783a5609b

SHA1
a1b05a4cf2ed472322f45d702287d7b8ade59113

SHA256
f83065abe1df862e4ff4b72331e711e50df7197727cab9ae8d1d2b7a0f679318

SHA512
1354d515d24a30f3d969900b91485872bc37d16b184886a2fad2b746b2ac82e28cb03d27acde9a8a4f1b9d9554e4f6ae43b014751eb4fae96aeafe627f3a6669

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
0ca8cd7e705fab5c5d5290df6105a488

SHA1
51f7e8e0a483906542ce7e2641557a342abfefcd

SHA256
d5472542cdfb24047edce03ea9658076a1193f1b124c9b05a72c3300d813e10d

SHA512
424a85a7daacf69a17107ea7a6e745295ecc33022485414b92da8b45f8a54c01b06621b7632657568c0ec3a6cfd2bfadc18fa0cb5f95b52b407c940c9ed740b6

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
302726c2c1a03af10ac0b1365a219ea4

SHA1
571fcd9b2746e281707b0661a156e92f3c7e6df6

SHA256
2b1d3355f6582f8814b0795ff8f363a1418b0a2b8ef6a2ff2bbbd3b32ea216cf

SHA512
af57a89b763fa4ed5aab0acd84fb81d9dee1cc39a5e50ee0f7fd6973b4342e0a909acce7cbb51bafefeb4b7695029715c6b9877c62be0f8b2806c1f430d72df0

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
8c143828eb232b50790df61944b54abf

SHA1
d5d9a11fc7f9e2fc0177f30438f8a305ff753825

SHA256
827dd61b50efe926b9ec9010aa1e7c4597b5659a434aced9612299f4deb236d3

SHA512
f358c455e644e450fa09efd7699176d39e9f30da6001ce7b9c7d58c8193f5d83f1a57831dd6abe9f370b56271712dcb39e59416eecf774b389095ea1edfbf89b

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
8c143828eb232b50790df61944b54abf

SHA1
d5d9a11fc7f9e2fc0177f30438f8a305ff753825

SHA256
827dd61b50efe926b9ec9010aa1e7c4597b5659a434aced9612299f4deb236d3

SHA512
f358c455e644e450fa09efd7699176d39e9f30da6001ce7b9c7d58c8193f5d83f1a57831dd6abe9f370b56271712dcb39e59416eecf774b389095ea1edfbf89b

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
fc5de135d99d9a1f98c0677d35d82c08

SHA1
e9d2e2a64fe784470907903b224fe80abcf269d6

SHA256
2365e07a293501513550e3640facfcf61ebf42506cbbc14c4ff71fead5165ed0

SHA512
07c4969fa12cae6c0e26ad73ea939a981b515fdcfa386505333e1c3e68395ea10624111d3cf7e42237c6b3a25a1ac8f57347edae2341ed324ef5a8635c266cb4

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
fc5de135d99d9a1f98c0677d35d82c08

SHA1
e9d2e2a64fe784470907903b224fe80abcf269d6

SHA256
2365e07a293501513550e3640facfcf61ebf42506cbbc14c4ff71fead5165ed0

SHA512
07c4969fa12cae6c0e26ad73ea939a981b515fdcfa386505333e1c3e68395ea10624111d3cf7e42237c6b3a25a1ac8f57347edae2341ed324ef5a8635c266cb4

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC59.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC59.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC59.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC59.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAC59.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
084dbbf2a65984a5bba409c783a5609b

SHA1
a1b05a4cf2ed472322f45d702287d7b8ade59113

SHA256
f83065abe1df862e4ff4b72331e711e50df7197727cab9ae8d1d2b7a0f679318

SHA512
1354d515d24a30f3d969900b91485872bc37d16b184886a2fad2b746b2ac82e28cb03d27acde9a8a4f1b9d9554e4f6ae43b014751eb4fae96aeafe627f3a6669

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
084dbbf2a65984a5bba409c783a5609b

SHA1
a1b05a4cf2ed472322f45d702287d7b8ade59113

SHA256
f83065abe1df862e4ff4b72331e711e50df7197727cab9ae8d1d2b7a0f679318

SHA512
1354d515d24a30f3d969900b91485872bc37d16b184886a2fad2b746b2ac82e28cb03d27acde9a8a4f1b9d9554e4f6ae43b014751eb4fae96aeafe627f3a6669

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
084dbbf2a65984a5bba409c783a5609b

SHA1
a1b05a4cf2ed472322f45d702287d7b8ade59113

SHA256
f83065abe1df862e4ff4b72331e711e50df7197727cab9ae8d1d2b7a0f679318

SHA512
1354d515d24a30f3d969900b91485872bc37d16b184886a2fad2b746b2ac82e28cb03d27acde9a8a4f1b9d9554e4f6ae43b014751eb4fae96aeafe627f3a6669

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
0ca8cd7e705fab5c5d5290df6105a488

SHA1
51f7e8e0a483906542ce7e2641557a342abfefcd

SHA256
d5472542cdfb24047edce03ea9658076a1193f1b124c9b05a72c3300d813e10d

SHA512
424a85a7daacf69a17107ea7a6e745295ecc33022485414b92da8b45f8a54c01b06621b7632657568c0ec3a6cfd2bfadc18fa0cb5f95b52b407c940c9ed740b6

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
0ca8cd7e705fab5c5d5290df6105a488

SHA1
51f7e8e0a483906542ce7e2641557a342abfefcd

SHA256
d5472542cdfb24047edce03ea9658076a1193f1b124c9b05a72c3300d813e10d

SHA512
424a85a7daacf69a17107ea7a6e745295ecc33022485414b92da8b45f8a54c01b06621b7632657568c0ec3a6cfd2bfadc18fa0cb5f95b52b407c940c9ed740b6

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
302726c2c1a03af10ac0b1365a219ea4

SHA1
571fcd9b2746e281707b0661a156e92f3c7e6df6

SHA256
2b1d3355f6582f8814b0795ff8f363a1418b0a2b8ef6a2ff2bbbd3b32ea216cf

SHA512
af57a89b763fa4ed5aab0acd84fb81d9dee1cc39a5e50ee0f7fd6973b4342e0a909acce7cbb51bafefeb4b7695029715c6b9877c62be0f8b2806c1f430d72df0

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
8c143828eb232b50790df61944b54abf

SHA1
d5d9a11fc7f9e2fc0177f30438f8a305ff753825

SHA256
827dd61b50efe926b9ec9010aa1e7c4597b5659a434aced9612299f4deb236d3

SHA512
f358c455e644e450fa09efd7699176d39e9f30da6001ce7b9c7d58c8193f5d83f1a57831dd6abe9f370b56271712dcb39e59416eecf774b389095ea1edfbf89b

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
fc5de135d99d9a1f98c0677d35d82c08

SHA1
e9d2e2a64fe784470907903b224fe80abcf269d6

SHA256
2365e07a293501513550e3640facfcf61ebf42506cbbc14c4ff71fead5165ed0

SHA512
07c4969fa12cae6c0e26ad73ea939a981b515fdcfa386505333e1c3e68395ea10624111d3cf7e42237c6b3a25a1ac8f57347edae2341ed324ef5a8635c266cb4

Download Submit
memory/572-58-0x0000000000000000-mapping.dmp

Download
memory/588-61-0x0000000000000000-mapping.dmp

Download
memory/896-64-0x0000000000000000-mapping.dmp

Download
memory/1108-70-0x0000000000000000-mapping.dmp

Download
memory/1112-87-0x0000000000000000-mapping.dmp

Download
memory/1164-60-0x0000000000000000-mapping.dmp

Download
memory/1396-76-0x0000000000000000-mapping.dmp

Download
memory/1508-88-0x0000000000000000-mapping.dmp

Download
memory/1556-82-0x0000000000000000-mapping.dmp

Download
memory/1712-57-0x0000000000000000-mapping.dmp

Download
memory/1732-81-0x0000000000000000-mapping.dmp

Download
memory/1948-54-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/1948-79-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1948-62-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1948-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads