dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e

Analysis

max time kernel
63s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
Size

603KB
MD5

284d32896bc0d5bedb05e88ad1450071
SHA1

51379446e8e2bd75a82b068ba9e6fac18e15dcb3
SHA256

dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e
SHA512

3bb176e46c70e8fd7ca5dfc92b27c6660271af4fca645e43eba8d8884b81711d7cfd6175bcb3d0332df8f6e1333a61080ff4d9a902992aacf2799e7e052117fd
SSDEEP

12288:1Iny5DYTS9CvFvShyP35UCWRdt+Z8kC7C69Nrl8Y6sQ4LQ:BUTS9CFvJncag991ltEoQ

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1088 installd.exe
1040 nethtsrv.exe
1748 netupdsrv.exe
1548 nethtsrv.exe
1324 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe

pid	process
1088	installd.exe
1040	nethtsrv.exe
1748	netupdsrv.exe
1548	nethtsrv.exe
1324	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
1088	installd.exe
2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
1040	nethtsrv.exe
1040	nethtsrv.exe
2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
1548	nethtsrv.exe
1548	nethtsrv.exe
2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
File created	C:\Windows\SysWOW64\installd.exe	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe

Drops file in Program Files directory 3 IoCs

Processes:

dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1548 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1548	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2040 wrote to memory of 1972	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1972	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1972	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1972	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 1972 wrote to memory of 568	1972	net.exe	net1.exe
PID 1972 wrote to memory of 568	1972	net.exe	net1.exe
PID 1972 wrote to memory of 568	1972	net.exe	net1.exe
PID 1972 wrote to memory of 568	1972	net.exe	net1.exe
PID 2040 wrote to memory of 1160	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1160	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1160	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1160	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 1160 wrote to memory of 520	1160	net.exe	net1.exe
PID 1160 wrote to memory of 520	1160	net.exe	net1.exe
PID 1160 wrote to memory of 520	1160	net.exe	net1.exe
PID 1160 wrote to memory of 520	1160	net.exe	net1.exe
PID 2040 wrote to memory of 1088	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	installd.exe
PID 2040 wrote to memory of 1088	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	installd.exe
PID 2040 wrote to memory of 1088	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	installd.exe
PID 2040 wrote to memory of 1088	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	installd.exe
PID 2040 wrote to memory of 1088	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	installd.exe
PID 2040 wrote to memory of 1088	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	installd.exe
PID 2040 wrote to memory of 1088	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	installd.exe
PID 2040 wrote to memory of 1040	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	nethtsrv.exe
PID 2040 wrote to memory of 1040	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	nethtsrv.exe
PID 2040 wrote to memory of 1040	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	nethtsrv.exe
PID 2040 wrote to memory of 1040	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	nethtsrv.exe
PID 2040 wrote to memory of 1748	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	netupdsrv.exe
PID 2040 wrote to memory of 1748	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	netupdsrv.exe
PID 2040 wrote to memory of 1748	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	netupdsrv.exe
PID 2040 wrote to memory of 1748	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	netupdsrv.exe
PID 2040 wrote to memory of 1748	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	netupdsrv.exe
PID 2040 wrote to memory of 1748	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	netupdsrv.exe
PID 2040 wrote to memory of 1748	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	netupdsrv.exe
PID 2040 wrote to memory of 1764	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1764	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1764	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1764	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 1764 wrote to memory of 1676	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1676	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1676	1764	net.exe	net1.exe
PID 1764 wrote to memory of 1676	1764	net.exe	net1.exe
PID 2040 wrote to memory of 1432	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1432	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1432	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 2040 wrote to memory of 1432	2040	dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe	net.exe
PID 1432 wrote to memory of 1376	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1376	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1376	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1376	1432	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe
"C:\Users\Admin\AppData\Local\Temp\dd94b479133e590935b79b26820bb116b33ba3bbce05129c37002a88a286d33e.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:568

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:520

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1748

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1676

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1376

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
665c8cff7ea1970bc39edd26aee99a87

SHA1
0c6c3b674d71097c4241750346d8c5930d8b87cd

SHA256
ff2acf9d6e9afa41a4ee0fa9b57d21bc911636364d06c61abea08f2a13d7eefc

SHA512
e886cdd95512f85b09ff33db4633d0865c48967b2378ffa9852e4f6d20308b27d4f376dc829124a9d4b127b58a758ae2406d3809240f0a353a2f18fe8869781b

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
b3e7d8b865b2cf29b416a9d297bffc8d

SHA1
849564c628120cd8fab22503e98809c795c7d3ba

SHA256
6de55faaf666137238474499fa3aa9400c80e330cfba93da4f8582f8e6425c2a

SHA512
f2971204ef8469d73109bfa5b46286a5fb496925b4bcae06e8fecd05dea5e4d934f0a3e4e0b68f0fabe29eb1642937662d46e7c1d7fea273fefbbc730fb96bb1

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
b429cc3ec1510e5e787be865e3a9329c

SHA1
387b67446269ab54d32a8bcf04990f4e6347f106

SHA256
5644e5b273f4cb7551b532e6eedfcd167417146d3dcd63d92d25b3482c54c5d0

SHA512
99d894d091b1e3cfe0557105cf3dcfc3bc5b2e221d43aa62c3bd20b6a72bea0432befbab1f74c69c9a60204d10125f3745c4fdf29f8a54ff674362a67411ce10

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
aa339a356a8e0c80bb148972f5507fa1

SHA1
c417038dece0e05f19fc0212654a24787b974cd5

SHA256
3df14599adc17bebf2eb984202394319dac7155b715c8d9f8dc1554c4d99d90b

SHA512
816854ef1982b7521122a3e25a033efbad3f0e7b1e8fc7263f7325dc3280865e38c7a1d360b95dc0cc2e1bfe6b346c22c117e23cf27e3bd91b70b137866ce30c

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
aa339a356a8e0c80bb148972f5507fa1

SHA1
c417038dece0e05f19fc0212654a24787b974cd5

SHA256
3df14599adc17bebf2eb984202394319dac7155b715c8d9f8dc1554c4d99d90b

SHA512
816854ef1982b7521122a3e25a033efbad3f0e7b1e8fc7263f7325dc3280865e38c7a1d360b95dc0cc2e1bfe6b346c22c117e23cf27e3bd91b70b137866ce30c

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
0d14d85be66e4ada9c300418b193e5e0

SHA1
52118268018f3b43a8302f1de8fecb2724256213

SHA256
3358c3eee97922c91e892ba3583c0f0ae81264fc21e0932e3af6f8f5ea926e40

SHA512
5fd91eef9bc7ffbad5f0acfa7bddd4c112d43ab2d8812c72e00530cd64b241b2ce488ff1912a1985761f1604202899418f57235ca955c4d462364f742701bc52

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
0d14d85be66e4ada9c300418b193e5e0

SHA1
52118268018f3b43a8302f1de8fecb2724256213

SHA256
3358c3eee97922c91e892ba3583c0f0ae81264fc21e0932e3af6f8f5ea926e40

SHA512
5fd91eef9bc7ffbad5f0acfa7bddd4c112d43ab2d8812c72e00530cd64b241b2ce488ff1912a1985761f1604202899418f57235ca955c4d462364f742701bc52

Download Submit
\Users\Admin\AppData\Local\Temp\nso604C.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso604C.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso604C.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso604C.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nso604C.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
665c8cff7ea1970bc39edd26aee99a87

SHA1
0c6c3b674d71097c4241750346d8c5930d8b87cd

SHA256
ff2acf9d6e9afa41a4ee0fa9b57d21bc911636364d06c61abea08f2a13d7eefc

SHA512
e886cdd95512f85b09ff33db4633d0865c48967b2378ffa9852e4f6d20308b27d4f376dc829124a9d4b127b58a758ae2406d3809240f0a353a2f18fe8869781b

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
665c8cff7ea1970bc39edd26aee99a87

SHA1
0c6c3b674d71097c4241750346d8c5930d8b87cd

SHA256
ff2acf9d6e9afa41a4ee0fa9b57d21bc911636364d06c61abea08f2a13d7eefc

SHA512
e886cdd95512f85b09ff33db4633d0865c48967b2378ffa9852e4f6d20308b27d4f376dc829124a9d4b127b58a758ae2406d3809240f0a353a2f18fe8869781b

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
665c8cff7ea1970bc39edd26aee99a87

SHA1
0c6c3b674d71097c4241750346d8c5930d8b87cd

SHA256
ff2acf9d6e9afa41a4ee0fa9b57d21bc911636364d06c61abea08f2a13d7eefc

SHA512
e886cdd95512f85b09ff33db4633d0865c48967b2378ffa9852e4f6d20308b27d4f376dc829124a9d4b127b58a758ae2406d3809240f0a353a2f18fe8869781b

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
b3e7d8b865b2cf29b416a9d297bffc8d

SHA1
849564c628120cd8fab22503e98809c795c7d3ba

SHA256
6de55faaf666137238474499fa3aa9400c80e330cfba93da4f8582f8e6425c2a

SHA512
f2971204ef8469d73109bfa5b46286a5fb496925b4bcae06e8fecd05dea5e4d934f0a3e4e0b68f0fabe29eb1642937662d46e7c1d7fea273fefbbc730fb96bb1

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
b3e7d8b865b2cf29b416a9d297bffc8d

SHA1
849564c628120cd8fab22503e98809c795c7d3ba

SHA256
6de55faaf666137238474499fa3aa9400c80e330cfba93da4f8582f8e6425c2a

SHA512
f2971204ef8469d73109bfa5b46286a5fb496925b4bcae06e8fecd05dea5e4d934f0a3e4e0b68f0fabe29eb1642937662d46e7c1d7fea273fefbbc730fb96bb1

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
b429cc3ec1510e5e787be865e3a9329c

SHA1
387b67446269ab54d32a8bcf04990f4e6347f106

SHA256
5644e5b273f4cb7551b532e6eedfcd167417146d3dcd63d92d25b3482c54c5d0

SHA512
99d894d091b1e3cfe0557105cf3dcfc3bc5b2e221d43aa62c3bd20b6a72bea0432befbab1f74c69c9a60204d10125f3745c4fdf29f8a54ff674362a67411ce10

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
aa339a356a8e0c80bb148972f5507fa1

SHA1
c417038dece0e05f19fc0212654a24787b974cd5

SHA256
3df14599adc17bebf2eb984202394319dac7155b715c8d9f8dc1554c4d99d90b

SHA512
816854ef1982b7521122a3e25a033efbad3f0e7b1e8fc7263f7325dc3280865e38c7a1d360b95dc0cc2e1bfe6b346c22c117e23cf27e3bd91b70b137866ce30c

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
0d14d85be66e4ada9c300418b193e5e0

SHA1
52118268018f3b43a8302f1de8fecb2724256213

SHA256
3358c3eee97922c91e892ba3583c0f0ae81264fc21e0932e3af6f8f5ea926e40

SHA512
5fd91eef9bc7ffbad5f0acfa7bddd4c112d43ab2d8812c72e00530cd64b241b2ce488ff1912a1985761f1604202899418f57235ca955c4d462364f742701bc52

Download Submit
memory/520-62-0x0000000000000000-mapping.dmp

Download
memory/568-58-0x0000000000000000-mapping.dmp

Download
memory/1040-71-0x0000000000000000-mapping.dmp

Download
memory/1088-64-0x0000000000000000-mapping.dmp

Download
memory/1160-61-0x0000000000000000-mapping.dmp

Download
memory/1376-88-0x0000000000000000-mapping.dmp

Download
memory/1432-87-0x0000000000000000-mapping.dmp

Download
memory/1676-82-0x0000000000000000-mapping.dmp

Download
memory/1748-77-0x0000000000000000-mapping.dmp

Download
memory/1764-81-0x0000000000000000-mapping.dmp

Download
memory/1972-57-0x0000000000000000-mapping.dmp

Download
memory/2040-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2040-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/2040-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2040-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download