f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7

Analysis

max time kernel
36s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
Size

446KB
MD5

d824efb48b5332003543cb66e9ba5a17
SHA1

d6c5c2007d66873ef49ba4b91b38bf39c8934be8
SHA256

f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7
SHA512

cbbd3517dfbc2b6b113e7a7fa959da5a80948011df70d10e74b53240d72485459e903fafa73eddea757ed313a43bbdbab04dc4e5142acd01ee7439c01f774880
SSDEEP

12288:ipFMsNe0LkFIWx+Nppfsj4j1/5yggAat5oq:irRo09WxozsjCRAsatT

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1304 installd.exe
1684 nethtsrv.exe
868 netupdsrv.exe
1696 nethtsrv.exe
1456 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe

pid	process
1304	installd.exe
1684	nethtsrv.exe
868	netupdsrv.exe
1696	nethtsrv.exe
1456	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
1304	installd.exe
912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
1684	nethtsrv.exe
1684	nethtsrv.exe
912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
1696	nethtsrv.exe
1696	nethtsrv.exe
912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
File created	C:\Windows\SysWOW64\installd.exe	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe

Drops file in Program Files directory 3 IoCs

Processes:

f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1696 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1696	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 912 wrote to memory of 1732	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1732	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1732	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1732	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 1732 wrote to memory of 1744	1732	net.exe	net1.exe
PID 1732 wrote to memory of 1744	1732	net.exe	net1.exe
PID 1732 wrote to memory of 1744	1732	net.exe	net1.exe
PID 1732 wrote to memory of 1744	1732	net.exe	net1.exe
PID 912 wrote to memory of 1532	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1532	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1532	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1532	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 1532 wrote to memory of 1528	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1528	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1528	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1528	1532	net.exe	net1.exe
PID 912 wrote to memory of 1304	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	installd.exe
PID 912 wrote to memory of 1304	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	installd.exe
PID 912 wrote to memory of 1304	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	installd.exe
PID 912 wrote to memory of 1304	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	installd.exe
PID 912 wrote to memory of 1304	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	installd.exe
PID 912 wrote to memory of 1304	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	installd.exe
PID 912 wrote to memory of 1304	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	installd.exe
PID 912 wrote to memory of 1684	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	nethtsrv.exe
PID 912 wrote to memory of 1684	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	nethtsrv.exe
PID 912 wrote to memory of 1684	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	nethtsrv.exe
PID 912 wrote to memory of 1684	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	nethtsrv.exe
PID 912 wrote to memory of 868	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	netupdsrv.exe
PID 912 wrote to memory of 868	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	netupdsrv.exe
PID 912 wrote to memory of 868	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	netupdsrv.exe
PID 912 wrote to memory of 868	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	netupdsrv.exe
PID 912 wrote to memory of 868	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	netupdsrv.exe
PID 912 wrote to memory of 868	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	netupdsrv.exe
PID 912 wrote to memory of 868	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	netupdsrv.exe
PID 912 wrote to memory of 1056	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1056	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1056	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1056	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 1056 wrote to memory of 1124	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1124	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1124	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1124	1056	net.exe	net1.exe
PID 912 wrote to memory of 1400	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1400	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1400	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 912 wrote to memory of 1400	912	f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe	net.exe
PID 1400 wrote to memory of 1136	1400	net.exe	net1.exe
PID 1400 wrote to memory of 1136	1400	net.exe	net1.exe
PID 1400 wrote to memory of 1136	1400	net.exe	net1.exe
PID 1400 wrote to memory of 1136	1400	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe
"C:\Users\Admin\AppData\Local\Temp\f2fb3d76075f9684c27fcb6557bb3f4859d52fad055eb2f6ee9552b1f50498f7.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1744

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1528

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:868

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1124

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1400

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1136

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1456

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
7dbfe4119ed3cd6dfba112c25d25b15a

SHA1
d95d88f32f0a11b3360dac760981b2b1c27d5ea0

SHA256
5e1f9d533873dab92a85603ca3a0374848c601ef8fb3031b34fb8d523565ee54

SHA512
012b49fe028c039e411057722ad209477d1193a2a2d5787f54d0235a43cd047f7b6d302fe23952aa7df8dd0ad9fedd6cda18937a7b33b70374bbd979eb05552e

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
18effb582a5e7dc2e8bf007f79c7c088

SHA1
047fe280017b9f2f4e48922f2643143fcc8a03f1

SHA256
b3f50d77921c183fcec4433057ef3aab89f73f4964ce1b25707c4cc891ad0db3

SHA512
4d3ac157059349baad8064a6bbb736e043019ee5706e522b31b77e9effcba3a98cc3624d90519261e53efe6dddefb4acdc3c27c3e1f31697b4e73781e1da8685

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
3a32bce6bc2f106fa9f488d09187d768

SHA1
0327d00c9404d5884fa1f695e706e601a3763ac0

SHA256
d0e887330c0beb82b351e7475fa230010257b1122eaae282251260962a49978d

SHA512
37981f8815d930db34c72a8baedb4a688bcb7746fd97101132835a97f71caf1dd4ebd8efdd6b61829093ee71ba0c50139ee2f564c0d8f3a6fa833f624b0a46a7

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
1f12c85d2531d3ef4f195fcee836f214

SHA1
85fc3b9b49fed7eef843aab864c6d0a3cd8abb69

SHA256
b4e6a9c8b17848fade7d82f0f329c635786f21f603c00732012a6d94e528a7bf

SHA512
10897774997735c9d002c1a94f46a8b428d27945ae83f9225e5f31864597ef31790212277da93876be52b1fe1661bf4ee30f5253ff9dbaae54c080cb7e28c2d7

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
1f12c85d2531d3ef4f195fcee836f214

SHA1
85fc3b9b49fed7eef843aab864c6d0a3cd8abb69

SHA256
b4e6a9c8b17848fade7d82f0f329c635786f21f603c00732012a6d94e528a7bf

SHA512
10897774997735c9d002c1a94f46a8b428d27945ae83f9225e5f31864597ef31790212277da93876be52b1fe1661bf4ee30f5253ff9dbaae54c080cb7e28c2d7

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
aa94c98f00876121c1325458e779a497

SHA1
6571de0d6efb627b2363e38f28b9cfd04344c4fd

SHA256
8c0583fd1d983839058d340e3dfa1e548ba85c24d0ead37d0b59250da6818e7c

SHA512
a9f63dbaa5df58963dd7dd96fa40e909959d7136096b8cda6ee977fe676869fc012bbdb7079f3c65b12dbc1db0408ec8adae9b815394444ac7dc62d7efc74440

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
aa94c98f00876121c1325458e779a497

SHA1
6571de0d6efb627b2363e38f28b9cfd04344c4fd

SHA256
8c0583fd1d983839058d340e3dfa1e548ba85c24d0ead37d0b59250da6818e7c

SHA512
a9f63dbaa5df58963dd7dd96fa40e909959d7136096b8cda6ee977fe676869fc012bbdb7079f3c65b12dbc1db0408ec8adae9b815394444ac7dc62d7efc74440

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1E7.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1E7.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1E7.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1E7.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd1E7.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
7dbfe4119ed3cd6dfba112c25d25b15a

SHA1
d95d88f32f0a11b3360dac760981b2b1c27d5ea0

SHA256
5e1f9d533873dab92a85603ca3a0374848c601ef8fb3031b34fb8d523565ee54

SHA512
012b49fe028c039e411057722ad209477d1193a2a2d5787f54d0235a43cd047f7b6d302fe23952aa7df8dd0ad9fedd6cda18937a7b33b70374bbd979eb05552e

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
7dbfe4119ed3cd6dfba112c25d25b15a

SHA1
d95d88f32f0a11b3360dac760981b2b1c27d5ea0

SHA256
5e1f9d533873dab92a85603ca3a0374848c601ef8fb3031b34fb8d523565ee54

SHA512
012b49fe028c039e411057722ad209477d1193a2a2d5787f54d0235a43cd047f7b6d302fe23952aa7df8dd0ad9fedd6cda18937a7b33b70374bbd979eb05552e

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
7dbfe4119ed3cd6dfba112c25d25b15a

SHA1
d95d88f32f0a11b3360dac760981b2b1c27d5ea0

SHA256
5e1f9d533873dab92a85603ca3a0374848c601ef8fb3031b34fb8d523565ee54

SHA512
012b49fe028c039e411057722ad209477d1193a2a2d5787f54d0235a43cd047f7b6d302fe23952aa7df8dd0ad9fedd6cda18937a7b33b70374bbd979eb05552e

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
18effb582a5e7dc2e8bf007f79c7c088

SHA1
047fe280017b9f2f4e48922f2643143fcc8a03f1

SHA256
b3f50d77921c183fcec4433057ef3aab89f73f4964ce1b25707c4cc891ad0db3

SHA512
4d3ac157059349baad8064a6bbb736e043019ee5706e522b31b77e9effcba3a98cc3624d90519261e53efe6dddefb4acdc3c27c3e1f31697b4e73781e1da8685

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
18effb582a5e7dc2e8bf007f79c7c088

SHA1
047fe280017b9f2f4e48922f2643143fcc8a03f1

SHA256
b3f50d77921c183fcec4433057ef3aab89f73f4964ce1b25707c4cc891ad0db3

SHA512
4d3ac157059349baad8064a6bbb736e043019ee5706e522b31b77e9effcba3a98cc3624d90519261e53efe6dddefb4acdc3c27c3e1f31697b4e73781e1da8685

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
3a32bce6bc2f106fa9f488d09187d768

SHA1
0327d00c9404d5884fa1f695e706e601a3763ac0

SHA256
d0e887330c0beb82b351e7475fa230010257b1122eaae282251260962a49978d

SHA512
37981f8815d930db34c72a8baedb4a688bcb7746fd97101132835a97f71caf1dd4ebd8efdd6b61829093ee71ba0c50139ee2f564c0d8f3a6fa833f624b0a46a7

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
1f12c85d2531d3ef4f195fcee836f214

SHA1
85fc3b9b49fed7eef843aab864c6d0a3cd8abb69

SHA256
b4e6a9c8b17848fade7d82f0f329c635786f21f603c00732012a6d94e528a7bf

SHA512
10897774997735c9d002c1a94f46a8b428d27945ae83f9225e5f31864597ef31790212277da93876be52b1fe1661bf4ee30f5253ff9dbaae54c080cb7e28c2d7

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
aa94c98f00876121c1325458e779a497

SHA1
6571de0d6efb627b2363e38f28b9cfd04344c4fd

SHA256
8c0583fd1d983839058d340e3dfa1e548ba85c24d0ead37d0b59250da6818e7c

SHA512
a9f63dbaa5df58963dd7dd96fa40e909959d7136096b8cda6ee977fe676869fc012bbdb7079f3c65b12dbc1db0408ec8adae9b815394444ac7dc62d7efc74440

Download Submit
memory/868-75-0x0000000000000000-mapping.dmp

Download
memory/912-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1056-79-0x0000000000000000-mapping.dmp

Download
memory/1124-80-0x0000000000000000-mapping.dmp

Download
memory/1136-86-0x0000000000000000-mapping.dmp

Download
memory/1304-63-0x0000000000000000-mapping.dmp

Download
memory/1400-85-0x0000000000000000-mapping.dmp

Download
memory/1528-61-0x0000000000000000-mapping.dmp

Download
memory/1532-60-0x0000000000000000-mapping.dmp

Download
memory/1684-69-0x0000000000000000-mapping.dmp

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1744-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads