e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f

Analysis

max time kernel
62s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
Size

446KB
MD5

16fc3fbc68b98cd8440006d0200deddd
SHA1

081c1b0d13d48d3f51bf0526d4a3cae41cf34e2f
SHA256

e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f
SHA512

09925775cd87f47f1243e6058b9be31d008e0f319d6fec927d0f9d197103d3c053cab6c3abc9fbe57b319e3f5440b6933242e47d8dd43ab34cf572bfb1a6d6d7
SSDEEP

12288:6jdbm1suOGzg0p7ieCkvwLOPIFFkwRa+bKDn:6CPOG77ieCfCA3kX+GDn

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

860 installd.exe
1672 nethtsrv.exe
1136 netupdsrv.exe
1712 nethtsrv.exe
1724 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe

pid	process
860	installd.exe
1672	nethtsrv.exe
1136	netupdsrv.exe
1712	nethtsrv.exe
1724	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
860	installd.exe
2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
1672	nethtsrv.exe
1672	nethtsrv.exe
2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
1712	nethtsrv.exe
1712	nethtsrv.exe
2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
File created	C:\Windows\SysWOW64\installd.exe	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe

Drops file in Program Files directory 3 IoCs

Processes:

e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1712 nethtsrv.exe

pid	process
468

description	pid	process
Token: SeDebugPrivilege	1712	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2044 wrote to memory of 1988	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 1988	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 1988	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 1988	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 1988 wrote to memory of 956	1988	net.exe	net1.exe
PID 1988 wrote to memory of 956	1988	net.exe	net1.exe
PID 1988 wrote to memory of 956	1988	net.exe	net1.exe
PID 1988 wrote to memory of 956	1988	net.exe	net1.exe
PID 2044 wrote to memory of 556	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 556	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 556	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 556	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 556 wrote to memory of 884	556	net.exe	net1.exe
PID 556 wrote to memory of 884	556	net.exe	net1.exe
PID 556 wrote to memory of 884	556	net.exe	net1.exe
PID 556 wrote to memory of 884	556	net.exe	net1.exe
PID 2044 wrote to memory of 860	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	installd.exe
PID 2044 wrote to memory of 860	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	installd.exe
PID 2044 wrote to memory of 860	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	installd.exe
PID 2044 wrote to memory of 860	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	installd.exe
PID 2044 wrote to memory of 860	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	installd.exe
PID 2044 wrote to memory of 860	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	installd.exe
PID 2044 wrote to memory of 860	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	installd.exe
PID 2044 wrote to memory of 1672	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	nethtsrv.exe
PID 2044 wrote to memory of 1672	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	nethtsrv.exe
PID 2044 wrote to memory of 1672	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	nethtsrv.exe
PID 2044 wrote to memory of 1672	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	nethtsrv.exe
PID 2044 wrote to memory of 1136	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	netupdsrv.exe
PID 2044 wrote to memory of 1136	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	netupdsrv.exe
PID 2044 wrote to memory of 1136	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	netupdsrv.exe
PID 2044 wrote to memory of 1136	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	netupdsrv.exe
PID 2044 wrote to memory of 1136	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	netupdsrv.exe
PID 2044 wrote to memory of 1136	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	netupdsrv.exe
PID 2044 wrote to memory of 1136	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	netupdsrv.exe
PID 2044 wrote to memory of 924	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 924	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 924	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 924	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 924 wrote to memory of 1556	924	net.exe	net1.exe
PID 924 wrote to memory of 1556	924	net.exe	net1.exe
PID 924 wrote to memory of 1556	924	net.exe	net1.exe
PID 924 wrote to memory of 1556	924	net.exe	net1.exe
PID 2044 wrote to memory of 1804	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 1804	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 1804	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 2044 wrote to memory of 1804	2044	e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe	net.exe
PID 1804 wrote to memory of 584	1804	net.exe	net1.exe
PID 1804 wrote to memory of 584	1804	net.exe	net1.exe
PID 1804 wrote to memory of 584	1804	net.exe	net1.exe
PID 1804 wrote to memory of 584	1804	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe
"C:\Users\Admin\AppData\Local\Temp\e60ab2f7afbb786a6e054502ebf06511c77ff661afd8179714055fa77878ed8f.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:956

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:884

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1136

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1556

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:584

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1724

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e9291123a6c946ac0cdd75cd240f6646

SHA1
b0848a0246199a3a6103ea594458fb2546fb63e2

SHA256
27abd6dd904f6d4f3e454843519400300bf9989bbd00b854462333beec117912

SHA512
1e3a4ffd5a903f0bbda2049bf28682a02437476740727243354aedb8eb83b66bd1006b10f21e771edcd85132b2ad51fef8c02885de5713d10a98600352191e75

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
68a5d9edb6acb52bc2f04b29c5289fd3

SHA1
8fccae720434473b005286a198be9a7ac004db8c

SHA256
e8943434a8cc177a54795ab58df3f669dffdbb286cc2c68ad6e63d2c4e27439a

SHA512
c79fd89a8aeaf98c208d012b0a1482e1c2b053dc196fa6d46eb5085b696e8ba820ecd4ac54193e32d19a3e1ff3683aa9db0e01219e7b7a1327b9caeb72e76178

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a8e2a9cc900aca3c3449b55a047cd2bc

SHA1
3e3f634218ac9de3b57da6eb3c86ab7dc13e6499

SHA256
9bada8a6a2eb56366dbb7e0055f21063f75c2d066190af657f8208c5282e2047

SHA512
2a71434ce465a43f86e318d353209b4f75baf72f912e14e5733e63c2bf39bc2cf876bc86ef7a09663b2abfb87fccb243b9421d0b3f687dbaf9a2cd1edb9c9b68

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
6e173997b0868f9ab62c8f401c292de8

SHA1
84452bf503243036cf343e73219ea7fb23193213

SHA256
072887ff6ee0181f0c650edb33868f8e8750342ddb94ceafe5b8ce0c1f78d776

SHA512
f2592fd9c3571b83ae63262f6917beca795cce2d2451c64638b2c6d82bac58638cc57c13ffb8536b4793c8423920b11defbb3a9fa982982264e2d05342065b82

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
6e173997b0868f9ab62c8f401c292de8

SHA1
84452bf503243036cf343e73219ea7fb23193213

SHA256
072887ff6ee0181f0c650edb33868f8e8750342ddb94ceafe5b8ce0c1f78d776

SHA512
f2592fd9c3571b83ae63262f6917beca795cce2d2451c64638b2c6d82bac58638cc57c13ffb8536b4793c8423920b11defbb3a9fa982982264e2d05342065b82

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
26de7a2877d79b281274c5c11aa97e91

SHA1
4404a575f987118a00a2e525e327eda1f8e9d86f

SHA256
fba16d1090dece0527843427a93340000d537e023f141286e358c968d73e8dcd

SHA512
d3cce716cc0fbc6f0ee5de01ee64cc7e32d87b0ce6e9fdb6b1e1e7549836b21d33f3a89f698d29a8d524b39bf2de59897cb70c98cd1a1f6ef93afe5cb7c9aa19

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
26de7a2877d79b281274c5c11aa97e91

SHA1
4404a575f987118a00a2e525e327eda1f8e9d86f

SHA256
fba16d1090dece0527843427a93340000d537e023f141286e358c968d73e8dcd

SHA512
d3cce716cc0fbc6f0ee5de01ee64cc7e32d87b0ce6e9fdb6b1e1e7549836b21d33f3a89f698d29a8d524b39bf2de59897cb70c98cd1a1f6ef93afe5cb7c9aa19

Download Submit
\Users\Admin\AppData\Local\Temp\nseBC60.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseBC60.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseBC60.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseBC60.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseBC60.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e9291123a6c946ac0cdd75cd240f6646

SHA1
b0848a0246199a3a6103ea594458fb2546fb63e2

SHA256
27abd6dd904f6d4f3e454843519400300bf9989bbd00b854462333beec117912

SHA512
1e3a4ffd5a903f0bbda2049bf28682a02437476740727243354aedb8eb83b66bd1006b10f21e771edcd85132b2ad51fef8c02885de5713d10a98600352191e75

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e9291123a6c946ac0cdd75cd240f6646

SHA1
b0848a0246199a3a6103ea594458fb2546fb63e2

SHA256
27abd6dd904f6d4f3e454843519400300bf9989bbd00b854462333beec117912

SHA512
1e3a4ffd5a903f0bbda2049bf28682a02437476740727243354aedb8eb83b66bd1006b10f21e771edcd85132b2ad51fef8c02885de5713d10a98600352191e75

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
e9291123a6c946ac0cdd75cd240f6646

SHA1
b0848a0246199a3a6103ea594458fb2546fb63e2

SHA256
27abd6dd904f6d4f3e454843519400300bf9989bbd00b854462333beec117912

SHA512
1e3a4ffd5a903f0bbda2049bf28682a02437476740727243354aedb8eb83b66bd1006b10f21e771edcd85132b2ad51fef8c02885de5713d10a98600352191e75

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
68a5d9edb6acb52bc2f04b29c5289fd3

SHA1
8fccae720434473b005286a198be9a7ac004db8c

SHA256
e8943434a8cc177a54795ab58df3f669dffdbb286cc2c68ad6e63d2c4e27439a

SHA512
c79fd89a8aeaf98c208d012b0a1482e1c2b053dc196fa6d46eb5085b696e8ba820ecd4ac54193e32d19a3e1ff3683aa9db0e01219e7b7a1327b9caeb72e76178

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
68a5d9edb6acb52bc2f04b29c5289fd3

SHA1
8fccae720434473b005286a198be9a7ac004db8c

SHA256
e8943434a8cc177a54795ab58df3f669dffdbb286cc2c68ad6e63d2c4e27439a

SHA512
c79fd89a8aeaf98c208d012b0a1482e1c2b053dc196fa6d46eb5085b696e8ba820ecd4ac54193e32d19a3e1ff3683aa9db0e01219e7b7a1327b9caeb72e76178

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a8e2a9cc900aca3c3449b55a047cd2bc

SHA1
3e3f634218ac9de3b57da6eb3c86ab7dc13e6499

SHA256
9bada8a6a2eb56366dbb7e0055f21063f75c2d066190af657f8208c5282e2047

SHA512
2a71434ce465a43f86e318d353209b4f75baf72f912e14e5733e63c2bf39bc2cf876bc86ef7a09663b2abfb87fccb243b9421d0b3f687dbaf9a2cd1edb9c9b68

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
6e173997b0868f9ab62c8f401c292de8

SHA1
84452bf503243036cf343e73219ea7fb23193213

SHA256
072887ff6ee0181f0c650edb33868f8e8750342ddb94ceafe5b8ce0c1f78d776

SHA512
f2592fd9c3571b83ae63262f6917beca795cce2d2451c64638b2c6d82bac58638cc57c13ffb8536b4793c8423920b11defbb3a9fa982982264e2d05342065b82

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
26de7a2877d79b281274c5c11aa97e91

SHA1
4404a575f987118a00a2e525e327eda1f8e9d86f

SHA256
fba16d1090dece0527843427a93340000d537e023f141286e358c968d73e8dcd

SHA512
d3cce716cc0fbc6f0ee5de01ee64cc7e32d87b0ce6e9fdb6b1e1e7549836b21d33f3a89f698d29a8d524b39bf2de59897cb70c98cd1a1f6ef93afe5cb7c9aa19

Download Submit
memory/556-60-0x0000000000000000-mapping.dmp

Download
memory/584-86-0x0000000000000000-mapping.dmp

Download
memory/860-63-0x0000000000000000-mapping.dmp

Download
memory/884-61-0x0000000000000000-mapping.dmp

Download
memory/924-79-0x0000000000000000-mapping.dmp

Download
memory/956-58-0x0000000000000000-mapping.dmp

Download
memory/1136-75-0x0000000000000000-mapping.dmp

Download
memory/1556-80-0x0000000000000000-mapping.dmp

Download
memory/1672-69-0x0000000000000000-mapping.dmp

Download
memory/1804-85-0x0000000000000000-mapping.dmp

Download
memory/1988-57-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads