f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
Size

446KB
MD5

73b80f9bf3ef61cf57f461ab683486ec
SHA1

378a9e40674b893180bd4b7aa1715299cedad2a9
SHA256

f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c
SHA512

0511cd7241b6eddb968ad5a2f631b42a1f32633b86649ed64296b2123ca12b6ee0a29b6c9f2c7c83f92176d780bbee8c524ef3acca2fb59cf803eade1e37bd8a
SSDEEP

12288:IcdccoqMiYNkT+DpMLhzJ0BEcyjkV6Z28v:IQpYNZiLhzOVyYVc2C

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1452 installd.exe
1488 nethtsrv.exe
540 netupdsrv.exe
1732 nethtsrv.exe
1936 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe

pid	process
1452	installd.exe
1488	nethtsrv.exe
540	netupdsrv.exe
1732	nethtsrv.exe
1936	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
1452	installd.exe
2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
1488	nethtsrv.exe
1488	nethtsrv.exe
2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
1732	nethtsrv.exe
1732	nethtsrv.exe
2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfpapi.dll	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
File created	C:\Windows\SysWOW64\installd.exe	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe

Drops file in Program Files directory 3 IoCs

Processes:

f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1732 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1732	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2020 wrote to memory of 936	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 936	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 936	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 936	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 936 wrote to memory of 1396	936	net.exe	net1.exe
PID 936 wrote to memory of 1396	936	net.exe	net1.exe
PID 936 wrote to memory of 1396	936	net.exe	net1.exe
PID 936 wrote to memory of 1396	936	net.exe	net1.exe
PID 2020 wrote to memory of 1696	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 1696	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 1696	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 1696	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 1696 wrote to memory of 1080	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1080	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1080	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1080	1696	net.exe	net1.exe
PID 2020 wrote to memory of 1452	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	installd.exe
PID 2020 wrote to memory of 1452	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	installd.exe
PID 2020 wrote to memory of 1452	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	installd.exe
PID 2020 wrote to memory of 1452	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	installd.exe
PID 2020 wrote to memory of 1452	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	installd.exe
PID 2020 wrote to memory of 1452	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	installd.exe
PID 2020 wrote to memory of 1452	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	installd.exe
PID 2020 wrote to memory of 1488	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	nethtsrv.exe
PID 2020 wrote to memory of 1488	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	nethtsrv.exe
PID 2020 wrote to memory of 1488	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	nethtsrv.exe
PID 2020 wrote to memory of 1488	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	nethtsrv.exe
PID 2020 wrote to memory of 540	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	netupdsrv.exe
PID 2020 wrote to memory of 540	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	netupdsrv.exe
PID 2020 wrote to memory of 540	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	netupdsrv.exe
PID 2020 wrote to memory of 540	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	netupdsrv.exe
PID 2020 wrote to memory of 540	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	netupdsrv.exe
PID 2020 wrote to memory of 540	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	netupdsrv.exe
PID 2020 wrote to memory of 540	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	netupdsrv.exe
PID 2020 wrote to memory of 676	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 676	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 676	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 676	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 676 wrote to memory of 1712	676	net.exe	net1.exe
PID 676 wrote to memory of 1712	676	net.exe	net1.exe
PID 676 wrote to memory of 1712	676	net.exe	net1.exe
PID 676 wrote to memory of 1712	676	net.exe	net1.exe
PID 2020 wrote to memory of 1196	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 1196	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 1196	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 2020 wrote to memory of 1196	2020	f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe	net.exe
PID 1196 wrote to memory of 1616	1196	net.exe	net1.exe
PID 1196 wrote to memory of 1616	1196	net.exe	net1.exe
PID 1196 wrote to memory of 1616	1196	net.exe	net1.exe
PID 1196 wrote to memory of 1616	1196	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe
"C:\Users\Admin\AppData\Local\Temp\f32c69192d273a265e8b284fac7f01759ea9f54832c061e44e8eff326df8522c.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1396

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1080

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1452

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:540

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1712

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1616

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1936

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
2d200fd8b38ee04011393430d7910376

SHA1
02a1b1b89daec2e5fd16e5e5a4e601e5bfd9b9f0

SHA256
e598ba0744acbeff4c415abae1e800c4ed5f1c1b0ba1c49e71c2017e2b6f355f

SHA512
6c6f597ce783ca889574a9131be23ec2bd944a21e6df2734201d021dde03fadbd00cd447d47f2d078e46f616509050a54936d60ba924e6cf354f0a6db9f414aa

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
ee1837c2278d9b30c0f2612189370bd0

SHA1
2594b1596a8163de93210455499ce1f163df3a33

SHA256
fb02dced05b728d891ff5e8120a2320c32ed7689edf121bc6efe363bdfa9f9ad

SHA512
a23725f75c6ad82ee00cf76f6230e6be99278d54b831f36c5c944b1fba43dcbcae59a0acf0f0b32a19c5b92ef641bb12de16b551dea217e236cd58454e7bd81e

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
023bf533af0d1a6e33a2f6e4015d04fd

SHA1
e96d9303ed26a619b68e1b50200b86cf8fff07a3

SHA256
93ff1cc47e780d340a9468cb59ac8b65df6a5bfaa64a0dc698bea022c0f0ab2b

SHA512
7efd25e9b6b8f7e5b3408490bb065164a277e303a681c432096607b9e8d59adafec66ec5245f520bcb6e4ad7981a0c746ed805b162596b77d1e7a2264884f48a

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3bdeb0617e171203d057cc08caf9c98c

SHA1
7e899c3382377c9f5b183361023e3c665cfd5442

SHA256
47a39cff9c0bee7f692de30e82687eb15838e2d84e15b46ebc267a279f3ea901

SHA512
123d3012856ea1cb6f1dedf05f3a6310f2033a2ea0667a3ab63fe10025aa8470c7be4058fc0c43c7aab254bae373763ffcc922893dfbf3666fca5431e17fd413

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3bdeb0617e171203d057cc08caf9c98c

SHA1
7e899c3382377c9f5b183361023e3c665cfd5442

SHA256
47a39cff9c0bee7f692de30e82687eb15838e2d84e15b46ebc267a279f3ea901

SHA512
123d3012856ea1cb6f1dedf05f3a6310f2033a2ea0667a3ab63fe10025aa8470c7be4058fc0c43c7aab254bae373763ffcc922893dfbf3666fca5431e17fd413

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
85f1d2d9008eca60c5e07b1ec2bf4d67

SHA1
4a1b2acc34ad9f1af87c7551d1c3d30556a9f322

SHA256
872f6a25e56c19eea1a138c2c13c8d1621abb3885c1457abfad075c3e82097cb

SHA512
32e4ac8659995e9724af9fe4f7980c4193de1298a5eedc34a7631e9974e23d7ae634169cd7ffa7f47190fb8b87d421b2a6f5c352b5ad9751c8d067660915dc77

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
85f1d2d9008eca60c5e07b1ec2bf4d67

SHA1
4a1b2acc34ad9f1af87c7551d1c3d30556a9f322

SHA256
872f6a25e56c19eea1a138c2c13c8d1621abb3885c1457abfad075c3e82097cb

SHA512
32e4ac8659995e9724af9fe4f7980c4193de1298a5eedc34a7631e9974e23d7ae634169cd7ffa7f47190fb8b87d421b2a6f5c352b5ad9751c8d067660915dc77

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE582.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE582.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE582.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE582.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE582.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
2d200fd8b38ee04011393430d7910376

SHA1
02a1b1b89daec2e5fd16e5e5a4e601e5bfd9b9f0

SHA256
e598ba0744acbeff4c415abae1e800c4ed5f1c1b0ba1c49e71c2017e2b6f355f

SHA512
6c6f597ce783ca889574a9131be23ec2bd944a21e6df2734201d021dde03fadbd00cd447d47f2d078e46f616509050a54936d60ba924e6cf354f0a6db9f414aa

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
2d200fd8b38ee04011393430d7910376

SHA1
02a1b1b89daec2e5fd16e5e5a4e601e5bfd9b9f0

SHA256
e598ba0744acbeff4c415abae1e800c4ed5f1c1b0ba1c49e71c2017e2b6f355f

SHA512
6c6f597ce783ca889574a9131be23ec2bd944a21e6df2734201d021dde03fadbd00cd447d47f2d078e46f616509050a54936d60ba924e6cf354f0a6db9f414aa

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
2d200fd8b38ee04011393430d7910376

SHA1
02a1b1b89daec2e5fd16e5e5a4e601e5bfd9b9f0

SHA256
e598ba0744acbeff4c415abae1e800c4ed5f1c1b0ba1c49e71c2017e2b6f355f

SHA512
6c6f597ce783ca889574a9131be23ec2bd944a21e6df2734201d021dde03fadbd00cd447d47f2d078e46f616509050a54936d60ba924e6cf354f0a6db9f414aa

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
ee1837c2278d9b30c0f2612189370bd0

SHA1
2594b1596a8163de93210455499ce1f163df3a33

SHA256
fb02dced05b728d891ff5e8120a2320c32ed7689edf121bc6efe363bdfa9f9ad

SHA512
a23725f75c6ad82ee00cf76f6230e6be99278d54b831f36c5c944b1fba43dcbcae59a0acf0f0b32a19c5b92ef641bb12de16b551dea217e236cd58454e7bd81e

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
ee1837c2278d9b30c0f2612189370bd0

SHA1
2594b1596a8163de93210455499ce1f163df3a33

SHA256
fb02dced05b728d891ff5e8120a2320c32ed7689edf121bc6efe363bdfa9f9ad

SHA512
a23725f75c6ad82ee00cf76f6230e6be99278d54b831f36c5c944b1fba43dcbcae59a0acf0f0b32a19c5b92ef641bb12de16b551dea217e236cd58454e7bd81e

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
023bf533af0d1a6e33a2f6e4015d04fd

SHA1
e96d9303ed26a619b68e1b50200b86cf8fff07a3

SHA256
93ff1cc47e780d340a9468cb59ac8b65df6a5bfaa64a0dc698bea022c0f0ab2b

SHA512
7efd25e9b6b8f7e5b3408490bb065164a277e303a681c432096607b9e8d59adafec66ec5245f520bcb6e4ad7981a0c746ed805b162596b77d1e7a2264884f48a

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3bdeb0617e171203d057cc08caf9c98c

SHA1
7e899c3382377c9f5b183361023e3c665cfd5442

SHA256
47a39cff9c0bee7f692de30e82687eb15838e2d84e15b46ebc267a279f3ea901

SHA512
123d3012856ea1cb6f1dedf05f3a6310f2033a2ea0667a3ab63fe10025aa8470c7be4058fc0c43c7aab254bae373763ffcc922893dfbf3666fca5431e17fd413

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
85f1d2d9008eca60c5e07b1ec2bf4d67

SHA1
4a1b2acc34ad9f1af87c7551d1c3d30556a9f322

SHA256
872f6a25e56c19eea1a138c2c13c8d1621abb3885c1457abfad075c3e82097cb

SHA512
32e4ac8659995e9724af9fe4f7980c4193de1298a5eedc34a7631e9974e23d7ae634169cd7ffa7f47190fb8b87d421b2a6f5c352b5ad9751c8d067660915dc77

Download Submit
memory/540-75-0x0000000000000000-mapping.dmp

Download
memory/676-79-0x0000000000000000-mapping.dmp

Download
memory/936-57-0x0000000000000000-mapping.dmp

Download
memory/1080-61-0x0000000000000000-mapping.dmp

Download
memory/1196-85-0x0000000000000000-mapping.dmp

Download
memory/1396-58-0x0000000000000000-mapping.dmp

Download
memory/1452-63-0x0000000000000000-mapping.dmp

Download
memory/1488-69-0x0000000000000000-mapping.dmp

Download
memory/1616-86-0x0000000000000000-mapping.dmp

Download
memory/1696-60-0x0000000000000000-mapping.dmp

Download
memory/1712-80-0x0000000000000000-mapping.dmp

Download
memory/2020-54-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads