afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8

Analysis

max time kernel
43s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
Size

602KB
MD5

37901dbc800908e54e09f30e5c3e62b8
SHA1

5bab22b269cf2e0a22a1c3b76572294ef0123ca0
SHA256

afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8
SHA512

bb69d9e61c557875841013663c710eae721e4c5ab5926c9a4a7d9e173b41a35b9ec0b46b631077a62fe5899afabb5edcf2b97f38d4e617d5cb5173bc06ddd06f
SSDEEP

12288:dIny5DYT/pW2bmxkwOX+0PaRwzZ2Y54GLXhozVhqTr8lgDG8E:JUT/pW2IOOyaFPGLXhrT0X

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1304 installd.exe
1684 nethtsrv.exe
868 netupdsrv.exe
1696 nethtsrv.exe
1136 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe

pid	process
1304	installd.exe
1684	nethtsrv.exe
868	netupdsrv.exe
1696	nethtsrv.exe
1136	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
1304	installd.exe
1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
1684	nethtsrv.exe
1684	nethtsrv.exe
1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
1696	nethtsrv.exe
1696	nethtsrv.exe
1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
File created	C:\Windows\SysWOW64\installd.exe	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe

Drops file in Program Files directory 3 IoCs

Processes:

afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1696 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1696	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1788 wrote to memory of 1628	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1628	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1628	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1628	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1628 wrote to memory of 1092	1628	net.exe	net1.exe
PID 1628 wrote to memory of 1092	1628	net.exe	net1.exe
PID 1628 wrote to memory of 1092	1628	net.exe	net1.exe
PID 1628 wrote to memory of 1092	1628	net.exe	net1.exe
PID 1788 wrote to memory of 1532	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1532	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1532	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1532	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1532 wrote to memory of 1528	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1528	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1528	1532	net.exe	net1.exe
PID 1532 wrote to memory of 1528	1532	net.exe	net1.exe
PID 1788 wrote to memory of 1304	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	installd.exe
PID 1788 wrote to memory of 1304	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	installd.exe
PID 1788 wrote to memory of 1304	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	installd.exe
PID 1788 wrote to memory of 1304	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	installd.exe
PID 1788 wrote to memory of 1304	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	installd.exe
PID 1788 wrote to memory of 1304	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	installd.exe
PID 1788 wrote to memory of 1304	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	installd.exe
PID 1788 wrote to memory of 1684	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	nethtsrv.exe
PID 1788 wrote to memory of 1684	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	nethtsrv.exe
PID 1788 wrote to memory of 1684	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	nethtsrv.exe
PID 1788 wrote to memory of 1684	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	nethtsrv.exe
PID 1788 wrote to memory of 868	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	netupdsrv.exe
PID 1788 wrote to memory of 868	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	netupdsrv.exe
PID 1788 wrote to memory of 868	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	netupdsrv.exe
PID 1788 wrote to memory of 868	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	netupdsrv.exe
PID 1788 wrote to memory of 868	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	netupdsrv.exe
PID 1788 wrote to memory of 868	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	netupdsrv.exe
PID 1788 wrote to memory of 868	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	netupdsrv.exe
PID 1788 wrote to memory of 1056	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1056	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1056	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 1056	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1056 wrote to memory of 1124	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1124	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1124	1056	net.exe	net1.exe
PID 1056 wrote to memory of 1124	1056	net.exe	net1.exe
PID 1788 wrote to memory of 584	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 584	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 584	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 1788 wrote to memory of 584	1788	afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe	net.exe
PID 584 wrote to memory of 860	584	net.exe	net1.exe
PID 584 wrote to memory of 860	584	net.exe	net1.exe
PID 584 wrote to memory of 860	584	net.exe	net1.exe
PID 584 wrote to memory of 860	584	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe
"C:\Users\Admin\AppData\Local\Temp\afe69d20b9f256c8638c65777e96d9234639c17fe2b61d522e2c1220038c40c8.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1092

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1532

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1528

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:868

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1124

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:860

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1136

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
78f69e815d47d1179aefcf979e4fc117

SHA1
890586177a784434d2c252bed6550107dd93435c

SHA256
8ace89a6b07eb1b6116d16f8f59c1dcb6e974d79a5db440d4b387e9549bbd70e

SHA512
19f67d05a03ecea5c2157d56c465404f16a88c1ecb4ad6c4d8ecc6a805c5a07873a30ef66aad05a016d724e349b995910d7cee419d1f8cccd6cbe8797db86e24

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
184aeaa6e68d4105cf5795ef649d7d9c

SHA1
6a82626db904578a3fc689b9317244d7afe99efc

SHA256
b71a5c05ec4dd90a23881045d6f8a6f9ac0d1313c2067cabd47b761c1d2f6db4

SHA512
aab55402c159566b28e6dd9246af96ace67199efab27325048caf0f2f012625bfc9c4c8605722954279e9f6dabcf28a0777a78d61a2d0cbdac012b9028505b35

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
d6635c04cd20b29c480a7d4c24b0f500

SHA1
a31ab464afe84147f5e37cb8e034c8093423e8e5

SHA256
e43f1576323c3683bcb3e1658d7c1e2ab6a5521239937eea9f4302985da93d51

SHA512
17b6f889d048b5842e616e07d33850514b7484b87adddc3c3097252e266978f0df8870bacadb817aea943b045e7a6863f3bc59736b39c7a256e2fea3e0259909

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
fbc0de50b613d3af7cc0228603212aac

SHA1
dc132aa46dcc83fbbdc5ad493b29e2262740f0b7

SHA256
3491e2516853c1d385e2378f54ed78f99565d268aa86846c3e1aa3aecbc152fa

SHA512
7cc4e5d19503ad24f5d96d5513fccfa30b465c7dda4194c39b25ec8e86617ba34c8bc7be0abad385701f4a85c03da69a1b6c0c462b6abdce6af85d5cc6a4258f

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
fbc0de50b613d3af7cc0228603212aac

SHA1
dc132aa46dcc83fbbdc5ad493b29e2262740f0b7

SHA256
3491e2516853c1d385e2378f54ed78f99565d268aa86846c3e1aa3aecbc152fa

SHA512
7cc4e5d19503ad24f5d96d5513fccfa30b465c7dda4194c39b25ec8e86617ba34c8bc7be0abad385701f4a85c03da69a1b6c0c462b6abdce6af85d5cc6a4258f

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
c71c8b0dedabee48237aecdbcbf5633a

SHA1
95d2b73c1e0966eb1b1ec6f8d126e019b92d4352

SHA256
3788b4000b133f3cbe6456700c1dd0c7c816b557d912cde04fa9c012346d6bc2

SHA512
1e3ff706d6dfd2d25d15eda6aa1b791ec3db116465395d76ae4214abfddbcee4302bc9d741f189ed9a035de5317fa384ecc3c027818884c9282ce75c45e90ed1

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
c71c8b0dedabee48237aecdbcbf5633a

SHA1
95d2b73c1e0966eb1b1ec6f8d126e019b92d4352

SHA256
3788b4000b133f3cbe6456700c1dd0c7c816b557d912cde04fa9c012346d6bc2

SHA512
1e3ff706d6dfd2d25d15eda6aa1b791ec3db116465395d76ae4214abfddbcee4302bc9d741f189ed9a035de5317fa384ecc3c027818884c9282ce75c45e90ed1

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE36F.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE36F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE36F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE36F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE36F.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
78f69e815d47d1179aefcf979e4fc117

SHA1
890586177a784434d2c252bed6550107dd93435c

SHA256
8ace89a6b07eb1b6116d16f8f59c1dcb6e974d79a5db440d4b387e9549bbd70e

SHA512
19f67d05a03ecea5c2157d56c465404f16a88c1ecb4ad6c4d8ecc6a805c5a07873a30ef66aad05a016d724e349b995910d7cee419d1f8cccd6cbe8797db86e24

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
78f69e815d47d1179aefcf979e4fc117

SHA1
890586177a784434d2c252bed6550107dd93435c

SHA256
8ace89a6b07eb1b6116d16f8f59c1dcb6e974d79a5db440d4b387e9549bbd70e

SHA512
19f67d05a03ecea5c2157d56c465404f16a88c1ecb4ad6c4d8ecc6a805c5a07873a30ef66aad05a016d724e349b995910d7cee419d1f8cccd6cbe8797db86e24

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
78f69e815d47d1179aefcf979e4fc117

SHA1
890586177a784434d2c252bed6550107dd93435c

SHA256
8ace89a6b07eb1b6116d16f8f59c1dcb6e974d79a5db440d4b387e9549bbd70e

SHA512
19f67d05a03ecea5c2157d56c465404f16a88c1ecb4ad6c4d8ecc6a805c5a07873a30ef66aad05a016d724e349b995910d7cee419d1f8cccd6cbe8797db86e24

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
184aeaa6e68d4105cf5795ef649d7d9c

SHA1
6a82626db904578a3fc689b9317244d7afe99efc

SHA256
b71a5c05ec4dd90a23881045d6f8a6f9ac0d1313c2067cabd47b761c1d2f6db4

SHA512
aab55402c159566b28e6dd9246af96ace67199efab27325048caf0f2f012625bfc9c4c8605722954279e9f6dabcf28a0777a78d61a2d0cbdac012b9028505b35

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
184aeaa6e68d4105cf5795ef649d7d9c

SHA1
6a82626db904578a3fc689b9317244d7afe99efc

SHA256
b71a5c05ec4dd90a23881045d6f8a6f9ac0d1313c2067cabd47b761c1d2f6db4

SHA512
aab55402c159566b28e6dd9246af96ace67199efab27325048caf0f2f012625bfc9c4c8605722954279e9f6dabcf28a0777a78d61a2d0cbdac012b9028505b35

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
d6635c04cd20b29c480a7d4c24b0f500

SHA1
a31ab464afe84147f5e37cb8e034c8093423e8e5

SHA256
e43f1576323c3683bcb3e1658d7c1e2ab6a5521239937eea9f4302985da93d51

SHA512
17b6f889d048b5842e616e07d33850514b7484b87adddc3c3097252e266978f0df8870bacadb817aea943b045e7a6863f3bc59736b39c7a256e2fea3e0259909

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
fbc0de50b613d3af7cc0228603212aac

SHA1
dc132aa46dcc83fbbdc5ad493b29e2262740f0b7

SHA256
3491e2516853c1d385e2378f54ed78f99565d268aa86846c3e1aa3aecbc152fa

SHA512
7cc4e5d19503ad24f5d96d5513fccfa30b465c7dda4194c39b25ec8e86617ba34c8bc7be0abad385701f4a85c03da69a1b6c0c462b6abdce6af85d5cc6a4258f

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
c71c8b0dedabee48237aecdbcbf5633a

SHA1
95d2b73c1e0966eb1b1ec6f8d126e019b92d4352

SHA256
3788b4000b133f3cbe6456700c1dd0c7c816b557d912cde04fa9c012346d6bc2

SHA512
1e3ff706d6dfd2d25d15eda6aa1b791ec3db116465395d76ae4214abfddbcee4302bc9d741f189ed9a035de5317fa384ecc3c027818884c9282ce75c45e90ed1

Download Submit
memory/584-86-0x0000000000000000-mapping.dmp

Download
memory/860-87-0x0000000000000000-mapping.dmp

Download
memory/868-76-0x0000000000000000-mapping.dmp

Download
memory/1056-80-0x0000000000000000-mapping.dmp

Download
memory/1092-58-0x0000000000000000-mapping.dmp

Download
memory/1124-81-0x0000000000000000-mapping.dmp

Download
memory/1304-64-0x0000000000000000-mapping.dmp

Download
memory/1528-62-0x0000000000000000-mapping.dmp

Download
memory/1532-61-0x0000000000000000-mapping.dmp

Download
memory/1628-57-0x0000000000000000-mapping.dmp

Download
memory/1684-70-0x0000000000000000-mapping.dmp

Download
memory/1788-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/1788-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1788-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download