cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
Size

446KB
MD5

6a45f5eacb63f3bf5aaf68e4e40ce811
SHA1

fc7d0258725a8e347edf0ab8b6dfe06fb4636a5e
SHA256

cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1
SHA512

dda2bc855f498a8206a63642b04e8b26ec4ac745493a912b2769e005b3fc3860424834feee8dcfa8e6fb31f2b74fe723c3b7e6e670920ab6ab1f06d0c886dd8d
SSDEEP

12288:Y681ApzfjYshPUaH05/e/ZE0HkTuPxAPbI0s:Y681AzEshP25/cEOkTwAzA

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1768 installd.exe
916 nethtsrv.exe
1700 netupdsrv.exe
1636 nethtsrv.exe
1976 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe

pid	process
1768	installd.exe
916	nethtsrv.exe
1700	netupdsrv.exe
1636	nethtsrv.exe
1976	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
1768	installd.exe
1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
916	nethtsrv.exe
916	nethtsrv.exe
1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
1636	nethtsrv.exe
1636	nethtsrv.exe
1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
File created	C:\Windows\SysWOW64\installd.exe	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe

Drops file in Program Files directory 3 IoCs

Processes:

cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1636 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1636	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1048 wrote to memory of 1756	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1756	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1756	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1756	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1756 wrote to memory of 1508	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1508	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1508	1756	net.exe	net1.exe
PID 1756 wrote to memory of 1508	1756	net.exe	net1.exe
PID 1048 wrote to memory of 1760	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1760	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1760	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1760	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1760 wrote to memory of 1212	1760	net.exe	net1.exe
PID 1760 wrote to memory of 1212	1760	net.exe	net1.exe
PID 1760 wrote to memory of 1212	1760	net.exe	net1.exe
PID 1760 wrote to memory of 1212	1760	net.exe	net1.exe
PID 1048 wrote to memory of 1768	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	installd.exe
PID 1048 wrote to memory of 1768	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	installd.exe
PID 1048 wrote to memory of 1768	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	installd.exe
PID 1048 wrote to memory of 1768	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	installd.exe
PID 1048 wrote to memory of 1768	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	installd.exe
PID 1048 wrote to memory of 1768	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	installd.exe
PID 1048 wrote to memory of 1768	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	installd.exe
PID 1048 wrote to memory of 916	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	nethtsrv.exe
PID 1048 wrote to memory of 916	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	nethtsrv.exe
PID 1048 wrote to memory of 916	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	nethtsrv.exe
PID 1048 wrote to memory of 916	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	nethtsrv.exe
PID 1048 wrote to memory of 1700	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	netupdsrv.exe
PID 1048 wrote to memory of 1700	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	netupdsrv.exe
PID 1048 wrote to memory of 1700	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	netupdsrv.exe
PID 1048 wrote to memory of 1700	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	netupdsrv.exe
PID 1048 wrote to memory of 1700	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	netupdsrv.exe
PID 1048 wrote to memory of 1700	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	netupdsrv.exe
PID 1048 wrote to memory of 1700	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	netupdsrv.exe
PID 1048 wrote to memory of 1208	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1208	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1208	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1208	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1208 wrote to memory of 472	1208	net.exe	net1.exe
PID 1208 wrote to memory of 472	1208	net.exe	net1.exe
PID 1208 wrote to memory of 472	1208	net.exe	net1.exe
PID 1208 wrote to memory of 472	1208	net.exe	net1.exe
PID 1048 wrote to memory of 1556	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1556	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1556	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1048 wrote to memory of 1556	1048	cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe	net.exe
PID 1556 wrote to memory of 2044	1556	net.exe	net1.exe
PID 1556 wrote to memory of 2044	1556	net.exe	net1.exe
PID 1556 wrote to memory of 2044	1556	net.exe	net1.exe
PID 1556 wrote to memory of 2044	1556	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe
"C:\Users\Admin\AppData\Local\Temp\cdeba9a24b514e18f1dc98a13490c9b38d190de428f96ad24ccd46467da7d4e1.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1048

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1508

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1212

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1700

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:472

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1556

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:2044

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1976

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f335865e44b74cb87cc4f85da4c44f22

SHA1
3d8b841e4a037fcc06474d069a15587140ea8a52

SHA256
8315d1691c5f3712952177ce9dbe455eda5842ad585690842e96036bd2c52308

SHA512
dbd499c04d2f7ed81f9e0579fdaa997143c83b67f03b0b287bcaef54545f24a1f8f747f9fe6a0c100a27466dd8be848153f3b08505f2367fd5d33807efced8e3

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
ea3b066c9d027866d37bf048f8dd8c78

SHA1
e7e8659272fa3152982602240158bbbcdace00d6

SHA256
f422297d290532089da4b4408e73b03fc0092ee196ef84549ee91fd149f6a30d

SHA512
383d8df20842cafbbdff3d2ba5a10872dea61929fbf39cac6e49689ac612817d795f70d4ac309a9cbdf68954573fcb6464a0c6d88a00ddd33afb00453eac6311

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
f469872db690231e6a00728505d0067c

SHA1
5b69469edf30d118e098bd46520e1723e4e8429e

SHA256
2609144692ea607fc54e228cd1faa5722200199085669458f6aa58129f9845c1

SHA512
4e43531951fda963df148aa8b4463d3dc270b815e1e36f282c1d4dc83d47e82552f13801b70fdbf89f61bfa25e61267671f252dac40ad5ce092b96b4f0b82730

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3730a20af4230ce515eedd7166990834

SHA1
6f707344b08cf9b968ec22df9d251dec2ca7b5d1

SHA256
4fd404efd552ddec453d605827d6f8214c9a6f2ff97aa67d2fd41773c5008942

SHA512
f1e72eb9a2ce0de4d1f3ae53c4962c1d9c31e2e02e661642a85fbea4b8606ae8eea954c04c0175402751e73f08657fe298170cd879f51cfc65eb083d017c8e51

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3730a20af4230ce515eedd7166990834

SHA1
6f707344b08cf9b968ec22df9d251dec2ca7b5d1

SHA256
4fd404efd552ddec453d605827d6f8214c9a6f2ff97aa67d2fd41773c5008942

SHA512
f1e72eb9a2ce0de4d1f3ae53c4962c1d9c31e2e02e661642a85fbea4b8606ae8eea954c04c0175402751e73f08657fe298170cd879f51cfc65eb083d017c8e51

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
c750116b3b14d04fd57876c59c61048b

SHA1
d8d3634e95b8a6d2baa7c7429892f08d15d3f24c

SHA256
fb6dfd607782141ebbaf5fa2830e7039b11d7ffa90f93f20e20dea3c60398073

SHA512
b6d4abf56a5e22891253e8427379e31d9a0fc8f6c754eb644acb168a74cec8c77961be09f9030d19b01560ba06fdcdf031790423f55633ac3f7ad4672997fd71

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
c750116b3b14d04fd57876c59c61048b

SHA1
d8d3634e95b8a6d2baa7c7429892f08d15d3f24c

SHA256
fb6dfd607782141ebbaf5fa2830e7039b11d7ffa90f93f20e20dea3c60398073

SHA512
b6d4abf56a5e22891253e8427379e31d9a0fc8f6c754eb644acb168a74cec8c77961be09f9030d19b01560ba06fdcdf031790423f55633ac3f7ad4672997fd71

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF77.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF77.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF77.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF77.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsdFF77.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f335865e44b74cb87cc4f85da4c44f22

SHA1
3d8b841e4a037fcc06474d069a15587140ea8a52

SHA256
8315d1691c5f3712952177ce9dbe455eda5842ad585690842e96036bd2c52308

SHA512
dbd499c04d2f7ed81f9e0579fdaa997143c83b67f03b0b287bcaef54545f24a1f8f747f9fe6a0c100a27466dd8be848153f3b08505f2367fd5d33807efced8e3

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f335865e44b74cb87cc4f85da4c44f22

SHA1
3d8b841e4a037fcc06474d069a15587140ea8a52

SHA256
8315d1691c5f3712952177ce9dbe455eda5842ad585690842e96036bd2c52308

SHA512
dbd499c04d2f7ed81f9e0579fdaa997143c83b67f03b0b287bcaef54545f24a1f8f747f9fe6a0c100a27466dd8be848153f3b08505f2367fd5d33807efced8e3

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f335865e44b74cb87cc4f85da4c44f22

SHA1
3d8b841e4a037fcc06474d069a15587140ea8a52

SHA256
8315d1691c5f3712952177ce9dbe455eda5842ad585690842e96036bd2c52308

SHA512
dbd499c04d2f7ed81f9e0579fdaa997143c83b67f03b0b287bcaef54545f24a1f8f747f9fe6a0c100a27466dd8be848153f3b08505f2367fd5d33807efced8e3

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
ea3b066c9d027866d37bf048f8dd8c78

SHA1
e7e8659272fa3152982602240158bbbcdace00d6

SHA256
f422297d290532089da4b4408e73b03fc0092ee196ef84549ee91fd149f6a30d

SHA512
383d8df20842cafbbdff3d2ba5a10872dea61929fbf39cac6e49689ac612817d795f70d4ac309a9cbdf68954573fcb6464a0c6d88a00ddd33afb00453eac6311

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
ea3b066c9d027866d37bf048f8dd8c78

SHA1
e7e8659272fa3152982602240158bbbcdace00d6

SHA256
f422297d290532089da4b4408e73b03fc0092ee196ef84549ee91fd149f6a30d

SHA512
383d8df20842cafbbdff3d2ba5a10872dea61929fbf39cac6e49689ac612817d795f70d4ac309a9cbdf68954573fcb6464a0c6d88a00ddd33afb00453eac6311

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
f469872db690231e6a00728505d0067c

SHA1
5b69469edf30d118e098bd46520e1723e4e8429e

SHA256
2609144692ea607fc54e228cd1faa5722200199085669458f6aa58129f9845c1

SHA512
4e43531951fda963df148aa8b4463d3dc270b815e1e36f282c1d4dc83d47e82552f13801b70fdbf89f61bfa25e61267671f252dac40ad5ce092b96b4f0b82730

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
3730a20af4230ce515eedd7166990834

SHA1
6f707344b08cf9b968ec22df9d251dec2ca7b5d1

SHA256
4fd404efd552ddec453d605827d6f8214c9a6f2ff97aa67d2fd41773c5008942

SHA512
f1e72eb9a2ce0de4d1f3ae53c4962c1d9c31e2e02e661642a85fbea4b8606ae8eea954c04c0175402751e73f08657fe298170cd879f51cfc65eb083d017c8e51

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
c750116b3b14d04fd57876c59c61048b

SHA1
d8d3634e95b8a6d2baa7c7429892f08d15d3f24c

SHA256
fb6dfd607782141ebbaf5fa2830e7039b11d7ffa90f93f20e20dea3c60398073

SHA512
b6d4abf56a5e22891253e8427379e31d9a0fc8f6c754eb644acb168a74cec8c77961be09f9030d19b01560ba06fdcdf031790423f55633ac3f7ad4672997fd71

Download Submit
memory/472-80-0x0000000000000000-mapping.dmp

Download
memory/916-69-0x0000000000000000-mapping.dmp

Download
memory/1048-54-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/1208-79-0x0000000000000000-mapping.dmp

Download
memory/1212-61-0x0000000000000000-mapping.dmp

Download
memory/1508-58-0x0000000000000000-mapping.dmp

Download
memory/1556-85-0x0000000000000000-mapping.dmp

Download
memory/1700-75-0x0000000000000000-mapping.dmp

Download
memory/1756-57-0x0000000000000000-mapping.dmp

Download
memory/1760-60-0x0000000000000000-mapping.dmp

Download
memory/1768-63-0x0000000000000000-mapping.dmp

Download
memory/2044-86-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads