382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798

Analysis

max time kernel
47s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 03:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
Size

829KB
MD5

9a52caecf8b5b6595509a25edfc3dd8e
SHA1

f69423db807072900ec61bbf6210bc2fe63a0f1d
SHA256

382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798
SHA512

f469cb5a5441706e729ee6cfea972333fae7d004b07eb0c7ad9ef4a6b1be676290fb158fa1fd33caa1ca9027f510164647ff724316c61fcbdf2c2bd5f9229c5e
SSDEEP

24576:TrfGR2wDeRMTjmGsbk+bAEb6PJ1SJk+o+rB:TYYRMTfQk+Tb7pr

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1220 installd.exe
1652 nethtsrv.exe
1604 netupdsrv.exe
2008 nethtsrv.exe
360 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe

pid	process
1220	installd.exe
1652	nethtsrv.exe
1604	netupdsrv.exe
2008	nethtsrv.exe
360	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
1220	installd.exe
1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
1652	nethtsrv.exe
1652	nethtsrv.exe
1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
2008	nethtsrv.exe
2008	nethtsrv.exe
1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe

description	ioc	process
File created	C:\Windows\SysWOW64\installd.exe	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
File created	C:\Windows\SysWOW64\hfnapi.dll	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe

Drops file in Program Files directory 3 IoCs

Processes:

382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
File created	C:\Program Files (x86)\Common Files\Config\data.xml	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 2008 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	2008	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1364 wrote to memory of 1932	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1932	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1932	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1932	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1932 wrote to memory of 1216	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1216	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1216	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1216	1932	net.exe	net1.exe
PID 1364 wrote to memory of 1248	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1248	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1248	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1248	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1248 wrote to memory of 472	1248	net.exe	net1.exe
PID 1248 wrote to memory of 472	1248	net.exe	net1.exe
PID 1248 wrote to memory of 472	1248	net.exe	net1.exe
PID 1248 wrote to memory of 472	1248	net.exe	net1.exe
PID 1364 wrote to memory of 1220	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	installd.exe
PID 1364 wrote to memory of 1220	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	installd.exe
PID 1364 wrote to memory of 1220	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	installd.exe
PID 1364 wrote to memory of 1220	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	installd.exe
PID 1364 wrote to memory of 1220	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	installd.exe
PID 1364 wrote to memory of 1220	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	installd.exe
PID 1364 wrote to memory of 1220	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	installd.exe
PID 1364 wrote to memory of 1652	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	nethtsrv.exe
PID 1364 wrote to memory of 1652	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	nethtsrv.exe
PID 1364 wrote to memory of 1652	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	nethtsrv.exe
PID 1364 wrote to memory of 1652	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	nethtsrv.exe
PID 1364 wrote to memory of 1604	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	netupdsrv.exe
PID 1364 wrote to memory of 1604	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	netupdsrv.exe
PID 1364 wrote to memory of 1604	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	netupdsrv.exe
PID 1364 wrote to memory of 1604	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	netupdsrv.exe
PID 1364 wrote to memory of 1604	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	netupdsrv.exe
PID 1364 wrote to memory of 1604	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	netupdsrv.exe
PID 1364 wrote to memory of 1604	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	netupdsrv.exe
PID 1364 wrote to memory of 1640	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1640	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1640	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1640	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1640 wrote to memory of 2028	1640	net.exe	net1.exe
PID 1640 wrote to memory of 2028	1640	net.exe	net1.exe
PID 1640 wrote to memory of 2028	1640	net.exe	net1.exe
PID 1640 wrote to memory of 2028	1640	net.exe	net1.exe
PID 1364 wrote to memory of 1944	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1944	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1944	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1364 wrote to memory of 1944	1364	382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe	net.exe
PID 1944 wrote to memory of 1628	1944	net.exe	net1.exe
PID 1944 wrote to memory of 1628	1944	net.exe	net1.exe
PID 1944 wrote to memory of 1628	1944	net.exe	net1.exe
PID 1944 wrote to memory of 1628	1944	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe
"C:\Users\Admin\AppData\Local\Temp\382b2c3ccebb98d053bbc11be555de302625334c18893c6d9e52d2f6db087798.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1216

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:472

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1604

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1640

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:2028

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1628

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:360

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9c857382466033ecb8609859095853fa

SHA1
9038d2e0491137c00ab4b626fa57b2793b937881

SHA256
581056df2c34d47e49e0ca0ba415fdc28184b8fb5c28c4c5f440115a4be58442

SHA512
0d714c4c43470d93806fd15f00c213e04d3dbe82db0be4a5dbda63b1c8dfe409130211e588e1448439f58c336f76c7c2b75ce53d2b80e025b6643f4f0ffdd4f0

Download Submit
C:\Windows\SysWOW64\hfpapi.dll
Filesize
427KB

MD5
1bc28d59b7727a4404ad71fa91e769c0

SHA1
80eaf5c539771efa4c5fd7cc0c9fc6156afc5103

SHA256
5322732659d5a5409e74f480b85a7608966d6bb75e56644748b41477217ea969

SHA512
38b18e2837198853e2ca34fc4e1ab0453c4c9b77ec411c8e66ca646eadf8639c0840b7599a9f54ce423df9f2e4307b9ace734e69667156158ff1eb76ce71bc39

Download Submit
C:\Windows\SysWOW64\installd.exe
Filesize
137KB

MD5
d0963d0c1c04a7311b16af70236a9334

SHA1
d8747ac339dc41016c04c15f134dbbc9f82089c9

SHA256
456ad99bf1177ad138597343cc6e9fa3dbe13e4c633a294e7d9d4b8efc0ce6a6

SHA512
fa17ca38f7ec9d8786775c45af67874d04334d1a4a23cc1cd043d364f5ffd92204264bd528736f73b7e4836bbd5a934602f76ac258b005b16f27a83a3ca7919c

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
330KB

MD5
7f8f502d2ca8adfc0b63a4b91ac4de62

SHA1
a6f821457d2fd814784e3b9c566b878fe030eae1

SHA256
29737a08e64116eca9da52f2a0edcfdf8b74ceeff96ada3037fa9ad7f267eda2

SHA512
5e23dc964885ecb004ecbe90083e6bae9f546be2fe2ea5adf5d2d73d3556bca56017c3d8a2b8ee3711c1e62d89db64db1ccdc5903d87e4447c208d7d4eedbf61

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe
Filesize
330KB

MD5
7f8f502d2ca8adfc0b63a4b91ac4de62

SHA1
a6f821457d2fd814784e3b9c566b878fe030eae1

SHA256
29737a08e64116eca9da52f2a0edcfdf8b74ceeff96ada3037fa9ad7f267eda2

SHA512
5e23dc964885ecb004ecbe90083e6bae9f546be2fe2ea5adf5d2d73d3556bca56017c3d8a2b8ee3711c1e62d89db64db1ccdc5903d87e4447c208d7d4eedbf61

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
186KB

MD5
a734f2e628996226cc351598a5678b20

SHA1
027ceb4fc72bf808de06d91810a057633f4b9994

SHA256
3cb63c423b5e270533d6677102dec25ff719fb6db645826fb4a3811456be7efd

SHA512
3bad0c478d34d44cb2247625404f74562f2b94e88b9711b68d49c6b84d836b31bfef6a7e2eb6284b38b841351e65a2bea1304433a997b20f8b9fdc352481a0a9

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe
Filesize
186KB

MD5
a734f2e628996226cc351598a5678b20

SHA1
027ceb4fc72bf808de06d91810a057633f4b9994

SHA256
3cb63c423b5e270533d6677102dec25ff719fb6db645826fb4a3811456be7efd

SHA512
3bad0c478d34d44cb2247625404f74562f2b94e88b9711b68d49c6b84d836b31bfef6a7e2eb6284b38b841351e65a2bea1304433a997b20f8b9fdc352481a0a9

Download Submit
\Users\Admin\AppData\Local\Temp\nst3611.tmp\System.dll
Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nst3611.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst3611.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst3611.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nst3611.tmp\nsExec.dll
Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9c857382466033ecb8609859095853fa

SHA1
9038d2e0491137c00ab4b626fa57b2793b937881

SHA256
581056df2c34d47e49e0ca0ba415fdc28184b8fb5c28c4c5f440115a4be58442

SHA512
0d714c4c43470d93806fd15f00c213e04d3dbe82db0be4a5dbda63b1c8dfe409130211e588e1448439f58c336f76c7c2b75ce53d2b80e025b6643f4f0ffdd4f0

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9c857382466033ecb8609859095853fa

SHA1
9038d2e0491137c00ab4b626fa57b2793b937881

SHA256
581056df2c34d47e49e0ca0ba415fdc28184b8fb5c28c4c5f440115a4be58442

SHA512
0d714c4c43470d93806fd15f00c213e04d3dbe82db0be4a5dbda63b1c8dfe409130211e588e1448439f58c336f76c7c2b75ce53d2b80e025b6643f4f0ffdd4f0

Download Submit
\Windows\SysWOW64\hfnapi.dll
Filesize
106KB

MD5
9c857382466033ecb8609859095853fa

SHA1
9038d2e0491137c00ab4b626fa57b2793b937881

SHA256
581056df2c34d47e49e0ca0ba415fdc28184b8fb5c28c4c5f440115a4be58442

SHA512
0d714c4c43470d93806fd15f00c213e04d3dbe82db0be4a5dbda63b1c8dfe409130211e588e1448439f58c336f76c7c2b75ce53d2b80e025b6643f4f0ffdd4f0

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
427KB

MD5
1bc28d59b7727a4404ad71fa91e769c0

SHA1
80eaf5c539771efa4c5fd7cc0c9fc6156afc5103

SHA256
5322732659d5a5409e74f480b85a7608966d6bb75e56644748b41477217ea969

SHA512
38b18e2837198853e2ca34fc4e1ab0453c4c9b77ec411c8e66ca646eadf8639c0840b7599a9f54ce423df9f2e4307b9ace734e69667156158ff1eb76ce71bc39

Download Submit
\Windows\SysWOW64\hfpapi.dll
Filesize
427KB

MD5
1bc28d59b7727a4404ad71fa91e769c0

SHA1
80eaf5c539771efa4c5fd7cc0c9fc6156afc5103

SHA256
5322732659d5a5409e74f480b85a7608966d6bb75e56644748b41477217ea969

SHA512
38b18e2837198853e2ca34fc4e1ab0453c4c9b77ec411c8e66ca646eadf8639c0840b7599a9f54ce423df9f2e4307b9ace734e69667156158ff1eb76ce71bc39

Download Submit
\Windows\SysWOW64\installd.exe
Filesize
137KB

MD5
d0963d0c1c04a7311b16af70236a9334

SHA1
d8747ac339dc41016c04c15f134dbbc9f82089c9

SHA256
456ad99bf1177ad138597343cc6e9fa3dbe13e4c633a294e7d9d4b8efc0ce6a6

SHA512
fa17ca38f7ec9d8786775c45af67874d04334d1a4a23cc1cd043d364f5ffd92204264bd528736f73b7e4836bbd5a934602f76ac258b005b16f27a83a3ca7919c

Download Submit
\Windows\SysWOW64\nethtsrv.exe
Filesize
330KB

MD5
7f8f502d2ca8adfc0b63a4b91ac4de62

SHA1
a6f821457d2fd814784e3b9c566b878fe030eae1

SHA256
29737a08e64116eca9da52f2a0edcfdf8b74ceeff96ada3037fa9ad7f267eda2

SHA512
5e23dc964885ecb004ecbe90083e6bae9f546be2fe2ea5adf5d2d73d3556bca56017c3d8a2b8ee3711c1e62d89db64db1ccdc5903d87e4447c208d7d4eedbf61

Download Submit
\Windows\SysWOW64\netupdsrv.exe
Filesize
186KB

MD5
a734f2e628996226cc351598a5678b20

SHA1
027ceb4fc72bf808de06d91810a057633f4b9994

SHA256
3cb63c423b5e270533d6677102dec25ff719fb6db645826fb4a3811456be7efd

SHA512
3bad0c478d34d44cb2247625404f74562f2b94e88b9711b68d49c6b84d836b31bfef6a7e2eb6284b38b841351e65a2bea1304433a997b20f8b9fdc352481a0a9

Download Submit
memory/472-62-0x0000000000000000-mapping.dmp

Download
memory/1216-58-0x0000000000000000-mapping.dmp

Download
memory/1220-64-0x0000000000000000-mapping.dmp

Download
memory/1248-61-0x0000000000000000-mapping.dmp

Download
memory/1364-90-0x0000000000320000-0x00000000007BE000-memory.dmp

Filesize
4.6MB

Download
memory/1364-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1364-59-0x0000000000320000-0x00000000007BE000-memory.dmp

Filesize
4.6MB

Download
memory/1604-76-0x0000000000000000-mapping.dmp

Download
memory/1628-87-0x0000000000000000-mapping.dmp

Download
memory/1640-80-0x0000000000000000-mapping.dmp

Download
memory/1652-70-0x0000000000000000-mapping.dmp

Download
memory/1932-57-0x0000000000000000-mapping.dmp

Download
memory/1944-86-0x0000000000000000-mapping.dmp

Download
memory/2028-81-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads