f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
Size

446KB
MD5

10e21457f9905e96eb43052bddf98e9b
SHA1

dc5929ca2c182ef426e1208c0ecaa9153110dfa3
SHA256

f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20
SHA512

851fba12173f2d9ea70b71b820cdebb3015790fd6e91f19d551ea3b40fb4239de6e7db9a881457be394c6fccfa6831628e6487f355e9bf340c30d2cc9893e1a6
SSDEEP

12288:jtwZn0P5QDI6iJ5y+PRtBPGlhel9rbVcdaj:jtw1HDI6k0K3dJV++

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1992 installd.exe
956 nethtsrv.exe
1304 netupdsrv.exe
1568 nethtsrv.exe
1736 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe

pid	process
1992	installd.exe
956	nethtsrv.exe
1304	netupdsrv.exe
1568	nethtsrv.exe
1736	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
1992	installd.exe
896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
956	nethtsrv.exe
956	nethtsrv.exe
896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
1568	nethtsrv.exe
1568	nethtsrv.exe
896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe

Drops file in Program Files directory 3 IoCs

Processes:

f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1568 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1568	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 896 wrote to memory of 684	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 684	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 684	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 684	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 684 wrote to memory of 428	684	net.exe	net1.exe
PID 684 wrote to memory of 428	684	net.exe	net1.exe
PID 684 wrote to memory of 428	684	net.exe	net1.exe
PID 684 wrote to memory of 428	684	net.exe	net1.exe
PID 896 wrote to memory of 2024	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 2024	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 2024	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 2024	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 2024 wrote to memory of 468	2024	net.exe	net1.exe
PID 2024 wrote to memory of 468	2024	net.exe	net1.exe
PID 2024 wrote to memory of 468	2024	net.exe	net1.exe
PID 2024 wrote to memory of 468	2024	net.exe	net1.exe
PID 896 wrote to memory of 1992	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	installd.exe
PID 896 wrote to memory of 1992	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	installd.exe
PID 896 wrote to memory of 1992	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	installd.exe
PID 896 wrote to memory of 1992	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	installd.exe
PID 896 wrote to memory of 1992	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	installd.exe
PID 896 wrote to memory of 1992	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	installd.exe
PID 896 wrote to memory of 1992	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	installd.exe
PID 896 wrote to memory of 956	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	nethtsrv.exe
PID 896 wrote to memory of 956	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	nethtsrv.exe
PID 896 wrote to memory of 956	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	nethtsrv.exe
PID 896 wrote to memory of 956	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	nethtsrv.exe
PID 896 wrote to memory of 1304	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	netupdsrv.exe
PID 896 wrote to memory of 1304	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	netupdsrv.exe
PID 896 wrote to memory of 1304	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	netupdsrv.exe
PID 896 wrote to memory of 1304	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	netupdsrv.exe
PID 896 wrote to memory of 1304	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	netupdsrv.exe
PID 896 wrote to memory of 1304	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	netupdsrv.exe
PID 896 wrote to memory of 1304	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	netupdsrv.exe
PID 896 wrote to memory of 660	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 660	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 660	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 660	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 660 wrote to memory of 1592	660	net.exe	net1.exe
PID 660 wrote to memory of 1592	660	net.exe	net1.exe
PID 660 wrote to memory of 1592	660	net.exe	net1.exe
PID 660 wrote to memory of 1592	660	net.exe	net1.exe
PID 896 wrote to memory of 1864	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 1864	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 1864	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 896 wrote to memory of 1864	896	f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe	net.exe
PID 1864 wrote to memory of 1632	1864	net.exe	net1.exe
PID 1864 wrote to memory of 1632	1864	net.exe	net1.exe
PID 1864 wrote to memory of 1632	1864	net.exe	net1.exe
PID 1864 wrote to memory of 1632	1864	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe
"C:\Users\Admin\AppData\Local\Temp\f5ee13cf1355f33b5e4ff44bdebd21acf941df00b3b21f1bfe21a027cd1bfe20.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:428

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:468

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1304

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:660

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1592

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1632

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1736

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
d61d12d3a6396a147176acbebf48c59e

SHA1
7163f2a8206c2aa4985db4772eebf00528de703c

SHA256
76cf3c13252f6ca51cda074e2a05b5ea3e82250e7f92fa7018933bcc88649da9

SHA512
b34f982fcd7591ac59b060543d14cedcfa6467b38b375d23f31efa4036262ff1c4c677675638a86318ab94ebcd4f8682f573905868d2e30e1312f3c5423f5840

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
df958f89fcbdf9d79f7c467d53006fb6

SHA1
bc6e304488940cd35c5ccea8310cb065b3f8b3aa

SHA256
fcf2b8ccd8c74d36d3398cceeb24d79b5ea1abd5ddfe60aa7fc08192f18e64fc

SHA512
c63ace1eb5651bc72dcad44a5d3ddf24dc4401d3e229eedcc2b81e56a4136d73f6bf0bb04070c5528d53a08ba2f050e887cf789dd82c92bd736f6bbb88375c99

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
e00a47d26c9db90f8ba6352d30b28bbd

SHA1
9cf9ec98e4bbbc4479cf1a2b78566e283ba431d7

SHA256
a1dd23a4a8510720ee7812987d7a152e3554cceb7679b539805aaaa2a62e01f8

SHA512
0dca9b77345e652e2a107d00643a3b422a8a858e01d472fe7dd21c9c76280fc6ba33f6d09c2da4d3b2fc09f15b2a6a49f90de655a25162340caf24d857286ff5

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
adcf15d51ec33a20df3c7efe3dab8b11

SHA1
a7762b0cf79b2da2acf26cc3bba8cff3cb7785e8

SHA256
47eacb1bf33b3e9f771d4c9d1025e65202c17227189aa07b978cc96f2c0f3cf3

SHA512
3d50026d5e08bb893988ef46e72ef7b499eb940a79d6070c5c35058ab8caf919e4afe8f78bfd619618489efde23852240ca15280fc008abd3f8ecbf7fc37efb7

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
adcf15d51ec33a20df3c7efe3dab8b11

SHA1
a7762b0cf79b2da2acf26cc3bba8cff3cb7785e8

SHA256
47eacb1bf33b3e9f771d4c9d1025e65202c17227189aa07b978cc96f2c0f3cf3

SHA512
3d50026d5e08bb893988ef46e72ef7b499eb940a79d6070c5c35058ab8caf919e4afe8f78bfd619618489efde23852240ca15280fc008abd3f8ecbf7fc37efb7

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
76e9606c3436c070791b1e601fcb2bcc

SHA1
03c9062d9ffb17ca0e369ee03b72a0a1d0586114

SHA256
8999ca1f2c65e167b4000c0e42181f1724d44da7133f7f9db476256c3fffe544

SHA512
949c50863f061de55c6db840d0edd91f0fef77118400e3d73ef97466b7b83b5758fa53045c458a8d54bbb9f8fd84c390764d43b8ea018c0ed5b12cc3badd442c

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
76e9606c3436c070791b1e601fcb2bcc

SHA1
03c9062d9ffb17ca0e369ee03b72a0a1d0586114

SHA256
8999ca1f2c65e167b4000c0e42181f1724d44da7133f7f9db476256c3fffe544

SHA512
949c50863f061de55c6db840d0edd91f0fef77118400e3d73ef97466b7b83b5758fa53045c458a8d54bbb9f8fd84c390764d43b8ea018c0ed5b12cc3badd442c

Download Submit
\Users\Admin\AppData\Local\Temp\nstFC2D.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstFC2D.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstFC2D.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstFC2D.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstFC2D.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
d61d12d3a6396a147176acbebf48c59e

SHA1
7163f2a8206c2aa4985db4772eebf00528de703c

SHA256
76cf3c13252f6ca51cda074e2a05b5ea3e82250e7f92fa7018933bcc88649da9

SHA512
b34f982fcd7591ac59b060543d14cedcfa6467b38b375d23f31efa4036262ff1c4c677675638a86318ab94ebcd4f8682f573905868d2e30e1312f3c5423f5840

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
d61d12d3a6396a147176acbebf48c59e

SHA1
7163f2a8206c2aa4985db4772eebf00528de703c

SHA256
76cf3c13252f6ca51cda074e2a05b5ea3e82250e7f92fa7018933bcc88649da9

SHA512
b34f982fcd7591ac59b060543d14cedcfa6467b38b375d23f31efa4036262ff1c4c677675638a86318ab94ebcd4f8682f573905868d2e30e1312f3c5423f5840

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
d61d12d3a6396a147176acbebf48c59e

SHA1
7163f2a8206c2aa4985db4772eebf00528de703c

SHA256
76cf3c13252f6ca51cda074e2a05b5ea3e82250e7f92fa7018933bcc88649da9

SHA512
b34f982fcd7591ac59b060543d14cedcfa6467b38b375d23f31efa4036262ff1c4c677675638a86318ab94ebcd4f8682f573905868d2e30e1312f3c5423f5840

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
df958f89fcbdf9d79f7c467d53006fb6

SHA1
bc6e304488940cd35c5ccea8310cb065b3f8b3aa

SHA256
fcf2b8ccd8c74d36d3398cceeb24d79b5ea1abd5ddfe60aa7fc08192f18e64fc

SHA512
c63ace1eb5651bc72dcad44a5d3ddf24dc4401d3e229eedcc2b81e56a4136d73f6bf0bb04070c5528d53a08ba2f050e887cf789dd82c92bd736f6bbb88375c99

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
df958f89fcbdf9d79f7c467d53006fb6

SHA1
bc6e304488940cd35c5ccea8310cb065b3f8b3aa

SHA256
fcf2b8ccd8c74d36d3398cceeb24d79b5ea1abd5ddfe60aa7fc08192f18e64fc

SHA512
c63ace1eb5651bc72dcad44a5d3ddf24dc4401d3e229eedcc2b81e56a4136d73f6bf0bb04070c5528d53a08ba2f050e887cf789dd82c92bd736f6bbb88375c99

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
e00a47d26c9db90f8ba6352d30b28bbd

SHA1
9cf9ec98e4bbbc4479cf1a2b78566e283ba431d7

SHA256
a1dd23a4a8510720ee7812987d7a152e3554cceb7679b539805aaaa2a62e01f8

SHA512
0dca9b77345e652e2a107d00643a3b422a8a858e01d472fe7dd21c9c76280fc6ba33f6d09c2da4d3b2fc09f15b2a6a49f90de655a25162340caf24d857286ff5

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
adcf15d51ec33a20df3c7efe3dab8b11

SHA1
a7762b0cf79b2da2acf26cc3bba8cff3cb7785e8

SHA256
47eacb1bf33b3e9f771d4c9d1025e65202c17227189aa07b978cc96f2c0f3cf3

SHA512
3d50026d5e08bb893988ef46e72ef7b499eb940a79d6070c5c35058ab8caf919e4afe8f78bfd619618489efde23852240ca15280fc008abd3f8ecbf7fc37efb7

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
76e9606c3436c070791b1e601fcb2bcc

SHA1
03c9062d9ffb17ca0e369ee03b72a0a1d0586114

SHA256
8999ca1f2c65e167b4000c0e42181f1724d44da7133f7f9db476256c3fffe544

SHA512
949c50863f061de55c6db840d0edd91f0fef77118400e3d73ef97466b7b83b5758fa53045c458a8d54bbb9f8fd84c390764d43b8ea018c0ed5b12cc3badd442c

Download Submit
memory/428-58-0x0000000000000000-mapping.dmp

Download
memory/468-61-0x0000000000000000-mapping.dmp

Download
memory/660-79-0x0000000000000000-mapping.dmp

Download
memory/684-57-0x0000000000000000-mapping.dmp

Download
memory/896-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/956-69-0x0000000000000000-mapping.dmp

Download
memory/1304-75-0x0000000000000000-mapping.dmp

Download
memory/1592-80-0x0000000000000000-mapping.dmp

Download
memory/1632-86-0x0000000000000000-mapping.dmp

Download
memory/1864-85-0x0000000000000000-mapping.dmp

Download
memory/1992-63-0x0000000000000000-mapping.dmp

Download
memory/2024-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads