cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1

Analysis

max time kernel
211s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
Size

446KB
MD5

7d327794224ad654733d5dcd273ef822
SHA1

109f0e73f740cbcbfabcfddb6a6b727ce7c9795a
SHA256

cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1
SHA512

9a42ec58505717a2432d2bb09ab6aae0c14c45011618233c85cea25863a066e50f6d7e43c3e3cdaa45ff147997e34434d25b70b919981e308ca85f5dc8a9e511
SSDEEP

12288:BcBUJpkdyYM6CdFC4lUeKTY3p+7/NKIleNfxDLnB:BcBUfkgN6Cv9lUe6Y3p+TNR4TLnB

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1576 installd.exe
816 nethtsrv.exe
1228 netupdsrv.exe
1972 nethtsrv.exe
1516 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe

pid	process
1576	installd.exe
816	nethtsrv.exe
1228	netupdsrv.exe
1972	nethtsrv.exe
1516	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
1576	installd.exe
1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
816	nethtsrv.exe
816	nethtsrv.exe
1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
1972	nethtsrv.exe
1972	nethtsrv.exe
1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
File created	C:\Windows\SysWOW64\installd.exe	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe

Drops file in Program Files directory 3 IoCs

Processes:

cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468

pid	process
468

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1324 wrote to memory of 656	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 656	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 656	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 656	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 656 wrote to memory of 1116	656	net.exe	net1.exe
PID 656 wrote to memory of 1116	656	net.exe	net1.exe
PID 656 wrote to memory of 1116	656	net.exe	net1.exe
PID 656 wrote to memory of 1116	656	net.exe	net1.exe
PID 1324 wrote to memory of 2040	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 2040	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 2040	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 2040	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 2040 wrote to memory of 1772	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1772	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1772	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1772	2040	net.exe	net1.exe
PID 1324 wrote to memory of 1576	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	installd.exe
PID 1324 wrote to memory of 1576	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	installd.exe
PID 1324 wrote to memory of 1576	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	installd.exe
PID 1324 wrote to memory of 1576	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	installd.exe
PID 1324 wrote to memory of 1576	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	installd.exe
PID 1324 wrote to memory of 1576	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	installd.exe
PID 1324 wrote to memory of 1576	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	installd.exe
PID 1324 wrote to memory of 816	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	nethtsrv.exe
PID 1324 wrote to memory of 816	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	nethtsrv.exe
PID 1324 wrote to memory of 816	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	nethtsrv.exe
PID 1324 wrote to memory of 816	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	nethtsrv.exe
PID 1324 wrote to memory of 1228	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	netupdsrv.exe
PID 1324 wrote to memory of 1228	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	netupdsrv.exe
PID 1324 wrote to memory of 1228	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	netupdsrv.exe
PID 1324 wrote to memory of 1228	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	netupdsrv.exe
PID 1324 wrote to memory of 1228	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	netupdsrv.exe
PID 1324 wrote to memory of 1228	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	netupdsrv.exe
PID 1324 wrote to memory of 1228	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	netupdsrv.exe
PID 1324 wrote to memory of 1988	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 1988	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 1988	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 1988	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1988 wrote to memory of 1048	1988	net.exe	net1.exe
PID 1988 wrote to memory of 1048	1988	net.exe	net1.exe
PID 1988 wrote to memory of 1048	1988	net.exe	net1.exe
PID 1988 wrote to memory of 1048	1988	net.exe	net1.exe
PID 1324 wrote to memory of 1564	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 1564	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 1564	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1324 wrote to memory of 1564	1324	cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe	net.exe
PID 1564 wrote to memory of 576	1564	net.exe	net1.exe
PID 1564 wrote to memory of 576	1564	net.exe	net1.exe
PID 1564 wrote to memory of 576	1564	net.exe	net1.exe
PID 1564 wrote to memory of 576	1564	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe
"C:\Users\Admin\AppData\Local\Temp\cd5af30e7b7f9c729d999ac638a8ca40ca106214c8b9ec5d4005b1403a21f5c1.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1324

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:656

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1116

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1772

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1228

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1048

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:576

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1516

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9b7f7e1b16b2d12d28e949ff88a18480

SHA1
27c6ddd7d12a2164e46b44aed2c1d4441c984139

SHA256
d8c89e5c54c3e86a4d8b7a9ae82c8ad4af9d5b6354743bc8bf63ceef33db55fc

SHA512
f52d680cdc1e9be571947247359401d2db50de993cf2b4d1900f212592453927801e813e2730a3e68f312eaaecd9d3230afae557acecb431ac1f1fdf742797ae

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ea6fa48fe4563fc202f5ce80f78973c6

SHA1
d8985cd4bb906fa05fa68473a4966f574503c7e0

SHA256
55baefbeea469a644c6af910fc9312bdcbddd411adc9c59c4741743b4e203d72

SHA512
d3857188605166fcbec62b4e892792f5af794aebf760cd5d32dbd8178e3b6c2419a881c0dcc08d5aa1de2d021884c82422d2288e1fc5f62ff4a8368171f2cc52

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a15b931ea55f763450774c805747ea82

SHA1
38934d5f4c9aad50cdb3f6e5d0a3cf56f3f2647f

SHA256
03f6000197c91fd7c2d7e2f0bc56cc21c7df5eb0a6d729c7a87a5c0c6d012fd9

SHA512
55e05aea9b36cfe0e0e37473a2120298ab1ef5af7dafffd1768f67fc5736d7ca1e497d8b317737c0bbbbef559e218691275458efa426cfeef40c27d79900881c

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
d31378ca5069b50fe5d7756ee96eb9db

SHA1
ad394bc6f20da61c7c8e768abcb595330c527eca

SHA256
2cbdbd7fbc8e59bdbf2bfdd4ec6bb8ff0216cda979a62b3fbaacb18de720dba0

SHA512
fdfc8f39e0aaabcba9b5221715eadcd2ae269873f9086e13313f6abfcce880d167756b119ccfcecda2726612197b7ab2037e87cc018054f8978fef3146d7e2e4

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
d31378ca5069b50fe5d7756ee96eb9db

SHA1
ad394bc6f20da61c7c8e768abcb595330c527eca

SHA256
2cbdbd7fbc8e59bdbf2bfdd4ec6bb8ff0216cda979a62b3fbaacb18de720dba0

SHA512
fdfc8f39e0aaabcba9b5221715eadcd2ae269873f9086e13313f6abfcce880d167756b119ccfcecda2726612197b7ab2037e87cc018054f8978fef3146d7e2e4

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
8b2198171cc94ab7c4e7dcc83725ac03

SHA1
737933f64da038aa453ebf42434a73b80f2fee72

SHA256
376fd1124f7facbaa05baf760258220bcff6b342869b5ca24feda07ebf3a4a1f

SHA512
bb52cce817c56c34f0a611e52ea1cbc5db93d83fea67b1955daec3eeea09025a101d6edb4189bff3010c23394c49b86a08aeb382dab535d237a00673bfad5ca3

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
8b2198171cc94ab7c4e7dcc83725ac03

SHA1
737933f64da038aa453ebf42434a73b80f2fee72

SHA256
376fd1124f7facbaa05baf760258220bcff6b342869b5ca24feda07ebf3a4a1f

SHA512
bb52cce817c56c34f0a611e52ea1cbc5db93d83fea67b1955daec3eeea09025a101d6edb4189bff3010c23394c49b86a08aeb382dab535d237a00673bfad5ca3

Download Submit
\Users\Admin\AppData\Local\Temp\nsp1401.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsp1401.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp1401.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp1401.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsp1401.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9b7f7e1b16b2d12d28e949ff88a18480

SHA1
27c6ddd7d12a2164e46b44aed2c1d4441c984139

SHA256
d8c89e5c54c3e86a4d8b7a9ae82c8ad4af9d5b6354743bc8bf63ceef33db55fc

SHA512
f52d680cdc1e9be571947247359401d2db50de993cf2b4d1900f212592453927801e813e2730a3e68f312eaaecd9d3230afae557acecb431ac1f1fdf742797ae

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9b7f7e1b16b2d12d28e949ff88a18480

SHA1
27c6ddd7d12a2164e46b44aed2c1d4441c984139

SHA256
d8c89e5c54c3e86a4d8b7a9ae82c8ad4af9d5b6354743bc8bf63ceef33db55fc

SHA512
f52d680cdc1e9be571947247359401d2db50de993cf2b4d1900f212592453927801e813e2730a3e68f312eaaecd9d3230afae557acecb431ac1f1fdf742797ae

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9b7f7e1b16b2d12d28e949ff88a18480

SHA1
27c6ddd7d12a2164e46b44aed2c1d4441c984139

SHA256
d8c89e5c54c3e86a4d8b7a9ae82c8ad4af9d5b6354743bc8bf63ceef33db55fc

SHA512
f52d680cdc1e9be571947247359401d2db50de993cf2b4d1900f212592453927801e813e2730a3e68f312eaaecd9d3230afae557acecb431ac1f1fdf742797ae

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ea6fa48fe4563fc202f5ce80f78973c6

SHA1
d8985cd4bb906fa05fa68473a4966f574503c7e0

SHA256
55baefbeea469a644c6af910fc9312bdcbddd411adc9c59c4741743b4e203d72

SHA512
d3857188605166fcbec62b4e892792f5af794aebf760cd5d32dbd8178e3b6c2419a881c0dcc08d5aa1de2d021884c82422d2288e1fc5f62ff4a8368171f2cc52

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
244KB

MD5
ea6fa48fe4563fc202f5ce80f78973c6

SHA1
d8985cd4bb906fa05fa68473a4966f574503c7e0

SHA256
55baefbeea469a644c6af910fc9312bdcbddd411adc9c59c4741743b4e203d72

SHA512
d3857188605166fcbec62b4e892792f5af794aebf760cd5d32dbd8178e3b6c2419a881c0dcc08d5aa1de2d021884c82422d2288e1fc5f62ff4a8368171f2cc52

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
a15b931ea55f763450774c805747ea82

SHA1
38934d5f4c9aad50cdb3f6e5d0a3cf56f3f2647f

SHA256
03f6000197c91fd7c2d7e2f0bc56cc21c7df5eb0a6d729c7a87a5c0c6d012fd9

SHA512
55e05aea9b36cfe0e0e37473a2120298ab1ef5af7dafffd1768f67fc5736d7ca1e497d8b317737c0bbbbef559e218691275458efa426cfeef40c27d79900881c

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
d31378ca5069b50fe5d7756ee96eb9db

SHA1
ad394bc6f20da61c7c8e768abcb595330c527eca

SHA256
2cbdbd7fbc8e59bdbf2bfdd4ec6bb8ff0216cda979a62b3fbaacb18de720dba0

SHA512
fdfc8f39e0aaabcba9b5221715eadcd2ae269873f9086e13313f6abfcce880d167756b119ccfcecda2726612197b7ab2037e87cc018054f8978fef3146d7e2e4

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
8b2198171cc94ab7c4e7dcc83725ac03

SHA1
737933f64da038aa453ebf42434a73b80f2fee72

SHA256
376fd1124f7facbaa05baf760258220bcff6b342869b5ca24feda07ebf3a4a1f

SHA512
bb52cce817c56c34f0a611e52ea1cbc5db93d83fea67b1955daec3eeea09025a101d6edb4189bff3010c23394c49b86a08aeb382dab535d237a00673bfad5ca3

Download Submit
memory/576-86-0x0000000000000000-mapping.dmp

Download
memory/656-57-0x0000000000000000-mapping.dmp

Download
memory/816-69-0x0000000000000000-mapping.dmp

Download
memory/1048-80-0x0000000000000000-mapping.dmp

Download
memory/1116-58-0x0000000000000000-mapping.dmp

Download
memory/1228-75-0x0000000000000000-mapping.dmp

Download
memory/1324-54-0x0000000076931000-0x0000000076933000-memory.dmp

Filesize
8KB

Download
memory/1564-85-0x0000000000000000-mapping.dmp

Download
memory/1576-63-0x0000000000000000-mapping.dmp

Download
memory/1772-61-0x0000000000000000-mapping.dmp

Download
memory/1988-79-0x0000000000000000-mapping.dmp

Download
memory/2040-60-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads