564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585

Analysis

max time kernel
101s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 03:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
Size

339KB
MD5

f85dfa4471fa93861ecbca8e7ebac797
SHA1

7b4cc6e4efd0373b08af482faa9f48d2428df06b
SHA256

564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585
SHA512

2762ef23419e21bad73fd8a37d5ded2733318ca0a3d2495acd376b207dbca292ba5d690bf2be8e5726630ef4aa7e926818c2df7e7d516de7aaff86ab143f8f2d
SSDEEP

6144:IDSoItfRZRZOQ17sFSUrJZ2VaF33/JbeIeDRLdcehrIItYa4mLQAWN:VfRZRZOQ14zJCajOlLeSrvuQQAw

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1804 installd.exe
1548 nethtsrv.exe
1940 netupdsrv.exe
1692 nethtsrv.exe
1340 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe

pid	process
1804	installd.exe
1548	nethtsrv.exe
1940	netupdsrv.exe
1692	nethtsrv.exe
1340	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
1804	installd.exe
1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
1548	nethtsrv.exe
1548	nethtsrv.exe
1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
1692	nethtsrv.exe
1692	nethtsrv.exe
1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
File created	C:\Windows\SysWOW64\installd.exe	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe

Drops file in Program Files directory 3 IoCs

Processes:

564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1692 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1692	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1004 wrote to memory of 1496	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 1496	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 1496	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 1496	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1496 wrote to memory of 432	1496	net.exe	net1.exe
PID 1496 wrote to memory of 432	1496	net.exe	net1.exe
PID 1496 wrote to memory of 432	1496	net.exe	net1.exe
PID 1496 wrote to memory of 432	1496	net.exe	net1.exe
PID 1004 wrote to memory of 636	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 636	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 636	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 636	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 636 wrote to memory of 1992	636	net.exe	net1.exe
PID 636 wrote to memory of 1992	636	net.exe	net1.exe
PID 636 wrote to memory of 1992	636	net.exe	net1.exe
PID 636 wrote to memory of 1992	636	net.exe	net1.exe
PID 1004 wrote to memory of 1804	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	installd.exe
PID 1004 wrote to memory of 1804	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	installd.exe
PID 1004 wrote to memory of 1804	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	installd.exe
PID 1004 wrote to memory of 1804	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	installd.exe
PID 1004 wrote to memory of 1804	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	installd.exe
PID 1004 wrote to memory of 1804	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	installd.exe
PID 1004 wrote to memory of 1804	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	installd.exe
PID 1004 wrote to memory of 1548	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	nethtsrv.exe
PID 1004 wrote to memory of 1548	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	nethtsrv.exe
PID 1004 wrote to memory of 1548	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	nethtsrv.exe
PID 1004 wrote to memory of 1548	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	nethtsrv.exe
PID 1004 wrote to memory of 1940	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	netupdsrv.exe
PID 1004 wrote to memory of 1940	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	netupdsrv.exe
PID 1004 wrote to memory of 1940	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	netupdsrv.exe
PID 1004 wrote to memory of 1940	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	netupdsrv.exe
PID 1004 wrote to memory of 1940	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	netupdsrv.exe
PID 1004 wrote to memory of 1940	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	netupdsrv.exe
PID 1004 wrote to memory of 1940	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	netupdsrv.exe
PID 1004 wrote to memory of 980	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 980	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 980	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 980	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 980 wrote to memory of 1676	980	net.exe	net1.exe
PID 980 wrote to memory of 1676	980	net.exe	net1.exe
PID 980 wrote to memory of 1676	980	net.exe	net1.exe
PID 980 wrote to memory of 1676	980	net.exe	net1.exe
PID 1004 wrote to memory of 1696	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 1696	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 1696	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1004 wrote to memory of 1696	1004	564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe	net.exe
PID 1696 wrote to memory of 1176	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1176	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1176	1696	net.exe	net1.exe
PID 1696 wrote to memory of 1176	1696	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe
"C:\Users\Admin\AppData\Local\Temp\564893369021f79253c8f6cd3a0faf073e07dab2037ec29ea54c4e0ff5477585.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:432

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1992

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1940

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1176

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1340

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f04e83687b63eb21548eb2f7c2ab2ba1

SHA1
cfaa855fd2df25494fe0676e7a447b3b49fc129a

SHA256
3b53dac92479b98d7721d728a575d48d090d9108882a0f05157f1fd0669f77fd

SHA512
dc4b11bbe1e9b5d46cfb85ef995292c8ad5b0542a6f5744d4f338fa3bd102063b76ece4ddc4fad6afb2d96df060229e12b73c98cf73e5abcc3e57f9c74d416b2

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
aa4e7e961ec98ea0ddc1f4cc4242f35c

SHA1
8c15128600d73e0a6ca0c0c60cb52f763027de6c

SHA256
051e656fd0adae6edbd8bedbeaa093270062653ea2b8031957127c7d595019fc

SHA512
414748892a17d16791946ee397b3a349f18863ccfed51babaa1e48df57bdef644662e03a7b554fa249ebf13b35bf71f977db776ed757210d42e1ef66ae8eda53

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
375855d774ad7be923c60b74e7112778

SHA1
fd83b17cdca10090440695153cc085e3c8fc449e

SHA256
fc20c8c993e8081ddd727f494c96b34347436c92d113b6930dad91e41f1690e7

SHA512
e92438ea70239b5e34cd16764718b62f613b4ef1a5f1d8b20b91195f740d30018fb09bb78509fac8f16a7b49848cae9a50b05da70a6821b8470ba0038742bc5f

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2e72c972747c6f802b4e3b38481e861c

SHA1
1061e4369aa94e4a0674ec7142f4bb26a0a6cb46

SHA256
a8eb400e1d46ca878312632f70bc6c0968afb82b5ca2a5c3a4f75c0f77ccaabb

SHA512
f5953a40a76330c191c4e7edfbdbcd0b22582ef28a9281205c0572753b5d3b5d8abf1740a97611c6bcfb83ec3f2f41c00d78b0df17fc0d7f41404c56338c20f9

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2e72c972747c6f802b4e3b38481e861c

SHA1
1061e4369aa94e4a0674ec7142f4bb26a0a6cb46

SHA256
a8eb400e1d46ca878312632f70bc6c0968afb82b5ca2a5c3a4f75c0f77ccaabb

SHA512
f5953a40a76330c191c4e7edfbdbcd0b22582ef28a9281205c0572753b5d3b5d8abf1740a97611c6bcfb83ec3f2f41c00d78b0df17fc0d7f41404c56338c20f9

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
9b3956a2d70d9a79c9781754649fb1da

SHA1
a2da22a0dff46ebee1761e501a69d7aa9829c8cd

SHA256
159632c51edf065ecb45ac40abdc99608dcde04b97a6e09dc095fb98e24d53f7

SHA512
6c17b4adc24815fcac7d48fbd83f7507be0b82f7f66ee1f2a7ec910a6aab94b8f89ed336b908efd79e09d92981a3ade0721b92504ae55fa4769d36669b1d14af

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
9b3956a2d70d9a79c9781754649fb1da

SHA1
a2da22a0dff46ebee1761e501a69d7aa9829c8cd

SHA256
159632c51edf065ecb45ac40abdc99608dcde04b97a6e09dc095fb98e24d53f7

SHA512
6c17b4adc24815fcac7d48fbd83f7507be0b82f7f66ee1f2a7ec910a6aab94b8f89ed336b908efd79e09d92981a3ade0721b92504ae55fa4769d36669b1d14af

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4943.tmp\System.dll
Filesize
11KB

MD5
960a5c48e25cf2bca332e74e11d825c9

SHA1
da35c6816ace5daf4c6c1d57b93b09a82ecdc876

SHA256
484f8e9f194ed9016274ef3672b2c52ed5f574fb71d3884edf3c222b758a75a2

SHA512
cc450179e2d0d56aee2ccf8163d3882978c4e9c1aa3d3a95875fe9ba9831e07ddfd377111dc67f801fa53b6f468a418f086f1de7c71e0a5b634e1ae2a67cd3da

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4943.tmp\nsExec.dll
Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4943.tmp\nsExec.dll
Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4943.tmp\nsExec.dll
Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
\Users\Admin\AppData\Local\Temp\nsj4943.tmp\nsExec.dll
Filesize
6KB

MD5
51e63a9c5d6d230ef1c421b2eccd45dc

SHA1
c499cdad5c613d71ed3f7e93360f1bbc5748c45d

SHA256
cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f

SHA512
c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f04e83687b63eb21548eb2f7c2ab2ba1

SHA1
cfaa855fd2df25494fe0676e7a447b3b49fc129a

SHA256
3b53dac92479b98d7721d728a575d48d090d9108882a0f05157f1fd0669f77fd

SHA512
dc4b11bbe1e9b5d46cfb85ef995292c8ad5b0542a6f5744d4f338fa3bd102063b76ece4ddc4fad6afb2d96df060229e12b73c98cf73e5abcc3e57f9c74d416b2

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f04e83687b63eb21548eb2f7c2ab2ba1

SHA1
cfaa855fd2df25494fe0676e7a447b3b49fc129a

SHA256
3b53dac92479b98d7721d728a575d48d090d9108882a0f05157f1fd0669f77fd

SHA512
dc4b11bbe1e9b5d46cfb85ef995292c8ad5b0542a6f5744d4f338fa3bd102063b76ece4ddc4fad6afb2d96df060229e12b73c98cf73e5abcc3e57f9c74d416b2

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
f04e83687b63eb21548eb2f7c2ab2ba1

SHA1
cfaa855fd2df25494fe0676e7a447b3b49fc129a

SHA256
3b53dac92479b98d7721d728a575d48d090d9108882a0f05157f1fd0669f77fd

SHA512
dc4b11bbe1e9b5d46cfb85ef995292c8ad5b0542a6f5744d4f338fa3bd102063b76ece4ddc4fad6afb2d96df060229e12b73c98cf73e5abcc3e57f9c74d416b2

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
aa4e7e961ec98ea0ddc1f4cc4242f35c

SHA1
8c15128600d73e0a6ca0c0c60cb52f763027de6c

SHA256
051e656fd0adae6edbd8bedbeaa093270062653ea2b8031957127c7d595019fc

SHA512
414748892a17d16791946ee397b3a349f18863ccfed51babaa1e48df57bdef644662e03a7b554fa249ebf13b35bf71f977db776ed757210d42e1ef66ae8eda53

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
241KB

MD5
aa4e7e961ec98ea0ddc1f4cc4242f35c

SHA1
8c15128600d73e0a6ca0c0c60cb52f763027de6c

SHA256
051e656fd0adae6edbd8bedbeaa093270062653ea2b8031957127c7d595019fc

SHA512
414748892a17d16791946ee397b3a349f18863ccfed51babaa1e48df57bdef644662e03a7b554fa249ebf13b35bf71f977db776ed757210d42e1ef66ae8eda53

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
108KB

MD5
375855d774ad7be923c60b74e7112778

SHA1
fd83b17cdca10090440695153cc085e3c8fc449e

SHA256
fc20c8c993e8081ddd727f494c96b34347436c92d113b6930dad91e41f1690e7

SHA512
e92438ea70239b5e34cd16764718b62f613b4ef1a5f1d8b20b91195f740d30018fb09bb78509fac8f16a7b49848cae9a50b05da70a6821b8470ba0038742bc5f

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
176KB

MD5
2e72c972747c6f802b4e3b38481e861c

SHA1
1061e4369aa94e4a0674ec7142f4bb26a0a6cb46

SHA256
a8eb400e1d46ca878312632f70bc6c0968afb82b5ca2a5c3a4f75c0f77ccaabb

SHA512
f5953a40a76330c191c4e7edfbdbcd0b22582ef28a9281205c0572753b5d3b5d8abf1740a97611c6bcfb83ec3f2f41c00d78b0df17fc0d7f41404c56338c20f9

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
158KB

MD5
9b3956a2d70d9a79c9781754649fb1da

SHA1
a2da22a0dff46ebee1761e501a69d7aa9829c8cd

SHA256
159632c51edf065ecb45ac40abdc99608dcde04b97a6e09dc095fb98e24d53f7

SHA512
6c17b4adc24815fcac7d48fbd83f7507be0b82f7f66ee1f2a7ec910a6aab94b8f89ed336b908efd79e09d92981a3ade0721b92504ae55fa4769d36669b1d14af

Download Submit
memory/432-58-0x0000000000000000-mapping.dmp

Download
memory/636-60-0x0000000000000000-mapping.dmp

Download
memory/980-79-0x0000000000000000-mapping.dmp

Download
memory/1004-54-0x0000000075881000-0x0000000075883000-memory.dmp

Filesize
8KB

Download
memory/1176-86-0x0000000000000000-mapping.dmp

Download
memory/1496-57-0x0000000000000000-mapping.dmp

Download
memory/1548-69-0x0000000000000000-mapping.dmp

Download
memory/1676-80-0x0000000000000000-mapping.dmp

Download
memory/1696-85-0x0000000000000000-mapping.dmp

Download
memory/1804-63-0x0000000000000000-mapping.dmp

Download
memory/1940-75-0x0000000000000000-mapping.dmp

Download
memory/1992-61-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads