e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2

Analysis

max time kernel
223s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
Size

446KB
MD5

a1c9da10d54500bfbb1fdab3d729c680
SHA1

d73cec752bbec3320f7b7de5d6b147fabef2a382
SHA256

e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2
SHA512

ecb37be8c70c2fb84007461725eeab914fc134935bd48392e5adf5ce4daefe8d1ba50824a40cf025b0c47269540e176adbed68f27d22d6f59f0b790f1437891a
SSDEEP

6144:XzfdqcTgGnQsJikcFkFC8OWx/cn/3d8aLz2CmJneQdMx1REzyvEWXIdwd99SE/Kb:Rq9GQsJi9k43fd951QdKQAEWXjVzBXE

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

788 installd.exe
1664 nethtsrv.exe
272 netupdsrv.exe
1404 nethtsrv.exe
1032 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe

pid	process
788	installd.exe
1664	nethtsrv.exe
272	netupdsrv.exe
1404	nethtsrv.exe
1032	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
788	installd.exe
1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
1664	nethtsrv.exe
1664	nethtsrv.exe
1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
1404	nethtsrv.exe
1404	nethtsrv.exe
1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe

description	ioc	process
File created	C:\Windows\SysWOW64\nethtsrv.exe	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
File created	C:\Windows\SysWOW64\installd.exe	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe

Drops file in Program Files directory 3 IoCs

Processes:

e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
464

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1580 wrote to memory of 1128	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1128	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1128	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1128	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1128 wrote to memory of 1240	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1240	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1240	1128	net.exe	net1.exe
PID 1128 wrote to memory of 1240	1128	net.exe	net1.exe
PID 1580 wrote to memory of 560	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 560	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 560	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 560	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 560 wrote to memory of 688	560	net.exe	net1.exe
PID 560 wrote to memory of 688	560	net.exe	net1.exe
PID 560 wrote to memory of 688	560	net.exe	net1.exe
PID 560 wrote to memory of 688	560	net.exe	net1.exe
PID 1580 wrote to memory of 788	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	installd.exe
PID 1580 wrote to memory of 788	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	installd.exe
PID 1580 wrote to memory of 788	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	installd.exe
PID 1580 wrote to memory of 788	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	installd.exe
PID 1580 wrote to memory of 788	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	installd.exe
PID 1580 wrote to memory of 788	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	installd.exe
PID 1580 wrote to memory of 788	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	installd.exe
PID 1580 wrote to memory of 1664	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	nethtsrv.exe
PID 1580 wrote to memory of 1664	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	nethtsrv.exe
PID 1580 wrote to memory of 1664	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	nethtsrv.exe
PID 1580 wrote to memory of 1664	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	nethtsrv.exe
PID 1580 wrote to memory of 272	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	netupdsrv.exe
PID 1580 wrote to memory of 272	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	netupdsrv.exe
PID 1580 wrote to memory of 272	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	netupdsrv.exe
PID 1580 wrote to memory of 272	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	netupdsrv.exe
PID 1580 wrote to memory of 272	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	netupdsrv.exe
PID 1580 wrote to memory of 272	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	netupdsrv.exe
PID 1580 wrote to memory of 272	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	netupdsrv.exe
PID 1580 wrote to memory of 1744	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1744	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1744	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1744	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1744 wrote to memory of 548	1744	net.exe	net1.exe
PID 1744 wrote to memory of 548	1744	net.exe	net1.exe
PID 1744 wrote to memory of 548	1744	net.exe	net1.exe
PID 1744 wrote to memory of 548	1744	net.exe	net1.exe
PID 1580 wrote to memory of 1432	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1432	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1432	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1580 wrote to memory of 1432	1580	e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe	net.exe
PID 1432 wrote to memory of 1888	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1888	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1888	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1888	1432	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe
"C:\Users\Admin\AppData\Local\Temp\e111bc995f884673f8bfc63c8013cbb9820d999c8701312f51a373be73c709c2.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1580

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1240

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:688

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:788

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:272

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:548

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1888

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1032

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
cb1e0067d0364d81d34f4ec73fd658c2

SHA1
04b3c3a0ba7e198cd2bfc8da251c8d281499a23c

SHA256
e8a057110e81cb452cf679c7f65f35a5b33f34ea8648dd6cd48ae4a42fd6d8e4

SHA512
4808c1f5a1f034de6f795aecc98ec6b612f2381352defcf3b15ae04214c160251a49db6fb3f387f5c0d0b4753e721770e940f424660f98a47535ec682f027f69

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
362a62a3fd05d958fa6a70f57b0cce0e

SHA1
66657f2398d90a830fda9cd152ea287035df2090

SHA256
a6bcbeee56f41e279e467ef9fc1eb0187ff031394d8faabdcdbdb6eb8ad0cdc8

SHA512
f83e3b6b789b36c7d7808e0ea5ff428b4de21308cc9633ff3ff21f31dabb02b10dacd6236237d58ade0c7ffdffd6fea7922c395e35c3f8f3302187a28af727d8

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
38a7bd524189fd2f5cee9e4fa0f0f99a

SHA1
b9e87ac07ddbe20c1eeb3b69d7e3fb0f47e86cdd

SHA256
c2175733dc9f056a4adda4b70508f18158a999bba100f5389a184bc2593b3c47

SHA512
94d353813f5212072b1ba0f68a73de4be05b2c285b1c2c183778e0be61ef2b27339518633597dbda909f133da33abadc7fb1fd5f67810b560a51f5ba6b7a0d38

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9ccf38931a50e7f70599f1a02f33223c

SHA1
d2d5433ef2a97b6f1785a8df32595e6fa93d26c0

SHA256
52048be2b84c02d9931a9456a9fe22eee6f1a3a2c4239a90d3d9f4559a743f03

SHA512
17cf2f681d325d59f6e6691910efed70876a385ff4191f8aa93d5d0846a5ebf9dc2bf50eeab4f9055440cf591021ee8d12fc027b8180f734eb9af63af644ef90

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9ccf38931a50e7f70599f1a02f33223c

SHA1
d2d5433ef2a97b6f1785a8df32595e6fa93d26c0

SHA256
52048be2b84c02d9931a9456a9fe22eee6f1a3a2c4239a90d3d9f4559a743f03

SHA512
17cf2f681d325d59f6e6691910efed70876a385ff4191f8aa93d5d0846a5ebf9dc2bf50eeab4f9055440cf591021ee8d12fc027b8180f734eb9af63af644ef90

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
c7d06371a85a30e7e6d75f5c13932d20

SHA1
373421f0af274908580c6cc90b56994ecf6107f9

SHA256
047e42b93f58a119cd1d9f1ff9e64e6433339d6b00e05e82db95f5aa5049988b

SHA512
2ff03694b5cf62a42f41c131002a82bfd20b4efc66e8156bc75788d417f3f7d7e71f67ac2ecaf2bfcdd5cf88ba1de8af244b3aaa3cf02b19cc07b049304f53d0

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
c7d06371a85a30e7e6d75f5c13932d20

SHA1
373421f0af274908580c6cc90b56994ecf6107f9

SHA256
047e42b93f58a119cd1d9f1ff9e64e6433339d6b00e05e82db95f5aa5049988b

SHA512
2ff03694b5cf62a42f41c131002a82bfd20b4efc66e8156bc75788d417f3f7d7e71f67ac2ecaf2bfcdd5cf88ba1de8af244b3aaa3cf02b19cc07b049304f53d0

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5B9B.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5B9B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5B9B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5B9B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp5B9B.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
cb1e0067d0364d81d34f4ec73fd658c2

SHA1
04b3c3a0ba7e198cd2bfc8da251c8d281499a23c

SHA256
e8a057110e81cb452cf679c7f65f35a5b33f34ea8648dd6cd48ae4a42fd6d8e4

SHA512
4808c1f5a1f034de6f795aecc98ec6b612f2381352defcf3b15ae04214c160251a49db6fb3f387f5c0d0b4753e721770e940f424660f98a47535ec682f027f69

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
cb1e0067d0364d81d34f4ec73fd658c2

SHA1
04b3c3a0ba7e198cd2bfc8da251c8d281499a23c

SHA256
e8a057110e81cb452cf679c7f65f35a5b33f34ea8648dd6cd48ae4a42fd6d8e4

SHA512
4808c1f5a1f034de6f795aecc98ec6b612f2381352defcf3b15ae04214c160251a49db6fb3f387f5c0d0b4753e721770e940f424660f98a47535ec682f027f69

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
cb1e0067d0364d81d34f4ec73fd658c2

SHA1
04b3c3a0ba7e198cd2bfc8da251c8d281499a23c

SHA256
e8a057110e81cb452cf679c7f65f35a5b33f34ea8648dd6cd48ae4a42fd6d8e4

SHA512
4808c1f5a1f034de6f795aecc98ec6b612f2381352defcf3b15ae04214c160251a49db6fb3f387f5c0d0b4753e721770e940f424660f98a47535ec682f027f69

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
362a62a3fd05d958fa6a70f57b0cce0e

SHA1
66657f2398d90a830fda9cd152ea287035df2090

SHA256
a6bcbeee56f41e279e467ef9fc1eb0187ff031394d8faabdcdbdb6eb8ad0cdc8

SHA512
f83e3b6b789b36c7d7808e0ea5ff428b4de21308cc9633ff3ff21f31dabb02b10dacd6236237d58ade0c7ffdffd6fea7922c395e35c3f8f3302187a28af727d8

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
362a62a3fd05d958fa6a70f57b0cce0e

SHA1
66657f2398d90a830fda9cd152ea287035df2090

SHA256
a6bcbeee56f41e279e467ef9fc1eb0187ff031394d8faabdcdbdb6eb8ad0cdc8

SHA512
f83e3b6b789b36c7d7808e0ea5ff428b4de21308cc9633ff3ff21f31dabb02b10dacd6236237d58ade0c7ffdffd6fea7922c395e35c3f8f3302187a28af727d8

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
38a7bd524189fd2f5cee9e4fa0f0f99a

SHA1
b9e87ac07ddbe20c1eeb3b69d7e3fb0f47e86cdd

SHA256
c2175733dc9f056a4adda4b70508f18158a999bba100f5389a184bc2593b3c47

SHA512
94d353813f5212072b1ba0f68a73de4be05b2c285b1c2c183778e0be61ef2b27339518633597dbda909f133da33abadc7fb1fd5f67810b560a51f5ba6b7a0d38

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
9ccf38931a50e7f70599f1a02f33223c

SHA1
d2d5433ef2a97b6f1785a8df32595e6fa93d26c0

SHA256
52048be2b84c02d9931a9456a9fe22eee6f1a3a2c4239a90d3d9f4559a743f03

SHA512
17cf2f681d325d59f6e6691910efed70876a385ff4191f8aa93d5d0846a5ebf9dc2bf50eeab4f9055440cf591021ee8d12fc027b8180f734eb9af63af644ef90

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
159KB

MD5
c7d06371a85a30e7e6d75f5c13932d20

SHA1
373421f0af274908580c6cc90b56994ecf6107f9

SHA256
047e42b93f58a119cd1d9f1ff9e64e6433339d6b00e05e82db95f5aa5049988b

SHA512
2ff03694b5cf62a42f41c131002a82bfd20b4efc66e8156bc75788d417f3f7d7e71f67ac2ecaf2bfcdd5cf88ba1de8af244b3aaa3cf02b19cc07b049304f53d0

Download Submit
memory/272-75-0x0000000000000000-mapping.dmp

Download
memory/548-80-0x0000000000000000-mapping.dmp

Download
memory/560-60-0x0000000000000000-mapping.dmp

Download
memory/688-61-0x0000000000000000-mapping.dmp

Download
memory/788-63-0x0000000000000000-mapping.dmp

Download
memory/1128-57-0x0000000000000000-mapping.dmp

Download
memory/1240-58-0x0000000000000000-mapping.dmp

Download
memory/1432-85-0x0000000000000000-mapping.dmp

Download
memory/1580-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1664-69-0x0000000000000000-mapping.dmp

Download
memory/1744-79-0x0000000000000000-mapping.dmp

Download
memory/1888-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads