a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54

Analysis

max time kernel
36s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
Size

603KB
MD5

46bbc7c8413ba091d9e35c03323af613
SHA1

3f57ad0673968894b31cd1da04622ad8369fad1b
SHA256

a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54
SHA512

4bb051d856dcb6c064e7ce533814e98fedde651d75f8c53f1383af1cfcbf2d2a7d68f962b813b58e86f6c7ef0e066ed4bc144751f7424f02fbcbe644436650dd
SSDEEP

12288:5Iny5DYTfIi05r+40T63Qq9/mMdcyKSK2VVXVF:1UTfV53tK/52yKLUj

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1416 installd.exe
1800 nethtsrv.exe
1856 netupdsrv.exe
1984 nethtsrv.exe
1608 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe

pid	process
1416	installd.exe
1800	nethtsrv.exe
1856	netupdsrv.exe
1984	nethtsrv.exe
1608	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
1416	installd.exe
1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
1800	nethtsrv.exe
1800	nethtsrv.exe
1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
1984	nethtsrv.exe
1984	nethtsrv.exe
1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
File created	C:\Windows\SysWOW64\installd.exe	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe

Drops file in Program Files directory 3 IoCs

Processes:

a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

468
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1984 nethtsrv.exe

pid	process
468

description	pid	process
Token: SeDebugPrivilege	1984	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1612 wrote to memory of 1948	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1948	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1948	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1948	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1948 wrote to memory of 912	1948	net.exe	net1.exe
PID 1948 wrote to memory of 912	1948	net.exe	net1.exe
PID 1948 wrote to memory of 912	1948	net.exe	net1.exe
PID 1948 wrote to memory of 912	1948	net.exe	net1.exe
PID 1612 wrote to memory of 1288	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1288	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1288	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1288	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1288 wrote to memory of 240	1288	net.exe	net1.exe
PID 1288 wrote to memory of 240	1288	net.exe	net1.exe
PID 1288 wrote to memory of 240	1288	net.exe	net1.exe
PID 1288 wrote to memory of 240	1288	net.exe	net1.exe
PID 1612 wrote to memory of 1416	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	installd.exe
PID 1612 wrote to memory of 1416	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	installd.exe
PID 1612 wrote to memory of 1416	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	installd.exe
PID 1612 wrote to memory of 1416	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	installd.exe
PID 1612 wrote to memory of 1416	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	installd.exe
PID 1612 wrote to memory of 1416	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	installd.exe
PID 1612 wrote to memory of 1416	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	installd.exe
PID 1612 wrote to memory of 1800	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	nethtsrv.exe
PID 1612 wrote to memory of 1800	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	nethtsrv.exe
PID 1612 wrote to memory of 1800	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	nethtsrv.exe
PID 1612 wrote to memory of 1800	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	nethtsrv.exe
PID 1612 wrote to memory of 1856	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	netupdsrv.exe
PID 1612 wrote to memory of 1856	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	netupdsrv.exe
PID 1612 wrote to memory of 1856	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	netupdsrv.exe
PID 1612 wrote to memory of 1856	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	netupdsrv.exe
PID 1612 wrote to memory of 1856	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	netupdsrv.exe
PID 1612 wrote to memory of 1856	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	netupdsrv.exe
PID 1612 wrote to memory of 1856	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	netupdsrv.exe
PID 1612 wrote to memory of 1616	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1616	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1616	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1616	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1616 wrote to memory of 1992	1616	net.exe	net1.exe
PID 1616 wrote to memory of 1992	1616	net.exe	net1.exe
PID 1616 wrote to memory of 1992	1616	net.exe	net1.exe
PID 1616 wrote to memory of 1992	1616	net.exe	net1.exe
PID 1612 wrote to memory of 1064	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1064	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1064	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1612 wrote to memory of 1064	1612	a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe	net.exe
PID 1064 wrote to memory of 820	1064	net.exe	net1.exe
PID 1064 wrote to memory of 820	1064	net.exe	net1.exe
PID 1064 wrote to memory of 820	1064	net.exe	net1.exe
PID 1064 wrote to memory of 820	1064	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe
"C:\Users\Admin\AppData\Local\Temp\a312bb209b64b1d15fc1b65107a2ea57670651150d427fb9624b853ccbab4d54.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:912

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1288

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:240

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1856

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1992

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:820

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
646f2796b5358f1467cd9b3ec94428c3

SHA1
6a723b278a2939bc63780043fd58a11b479e649a

SHA256
c616d7f2796765df712ec4429b74fb885e43d10bf085d50a3b57dfa7fd73999d

SHA512
a9c989ba6b010f5bf1bfe6a83ffbb0895b66c4ed709026352341d0c9424586b85a8c5264a411171572452e06622aafb6413d2a011c27dfd40f9bb5566b5d561c

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
846223c1a5d8f6d1e272f8f4e3f75d27

SHA1
f563ab29d5d7b34efc6424ff3ce97c179cb6de36

SHA256
f9a7768585e0d0b68f5fd71513de810c023f4039e4574c9e0bea8834e0392ca8

SHA512
19e61a19419a6c8080e31a40dc27c7c282384d4d5a9ab6164ab33ac694d9649b92d8b0c0f8a08ce09f92ae1b85001a23c2e7270234a171a5f047bfaf05e78faa

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
0886537da763210c784961dca2f39582

SHA1
9241ffdf88740b5ea49dd8f4aee651441f68c0a1

SHA256
f05b8c44964485f9ad33488ff0d6505b514b70a0c2d42a23b1667d877ce7ce38

SHA512
c51f9ee47afca2d9b863e37f8060997e76443afe562dd73c1e4bfd8b871f3c93735e418c2ddb1d4953f742953825a5b61431b6830d1650363c5776e7e2549a38

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
2dac04d2acfbbc19ca3e27bb48901bc8

SHA1
81d8a4152ae8878884f05b74d216aa472573cc12

SHA256
7303280260f8a94a37aca165f9ba7f293572a42c7e4eacef71d496aff09807ff

SHA512
ca5205da5548851afe7accea26fec0110e034eddbe7c33f9394ee5675daaa2addb9c1dab07ef0c1fa168333c9e65654923cb4bc331b86130e8288938042efdd5

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
2dac04d2acfbbc19ca3e27bb48901bc8

SHA1
81d8a4152ae8878884f05b74d216aa472573cc12

SHA256
7303280260f8a94a37aca165f9ba7f293572a42c7e4eacef71d496aff09807ff

SHA512
ca5205da5548851afe7accea26fec0110e034eddbe7c33f9394ee5675daaa2addb9c1dab07ef0c1fa168333c9e65654923cb4bc331b86130e8288938042efdd5

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
a25a19c6f7918a5eeccaf0ace416305b

SHA1
38698526a79b5493e5f73efbb6427f542c9cdaf1

SHA256
c046de8b5e0ad06a59358b672b5414da7c6d2937c60115323cc8e436f929f448

SHA512
53d599f87fa3422e42d23280298ccb719b822a2e18eb895ee6da4cb1dbdce55795babd8fb0739b027c6b1c170ed527fbd25d14b5f8c8a80c25ed931e8f0d672d

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
a25a19c6f7918a5eeccaf0ace416305b

SHA1
38698526a79b5493e5f73efbb6427f542c9cdaf1

SHA256
c046de8b5e0ad06a59358b672b5414da7c6d2937c60115323cc8e436f929f448

SHA512
53d599f87fa3422e42d23280298ccb719b822a2e18eb895ee6da4cb1dbdce55795babd8fb0739b027c6b1c170ed527fbd25d14b5f8c8a80c25ed931e8f0d672d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd75AF.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd75AF.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd75AF.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd75AF.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd75AF.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
646f2796b5358f1467cd9b3ec94428c3

SHA1
6a723b278a2939bc63780043fd58a11b479e649a

SHA256
c616d7f2796765df712ec4429b74fb885e43d10bf085d50a3b57dfa7fd73999d

SHA512
a9c989ba6b010f5bf1bfe6a83ffbb0895b66c4ed709026352341d0c9424586b85a8c5264a411171572452e06622aafb6413d2a011c27dfd40f9bb5566b5d561c

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
646f2796b5358f1467cd9b3ec94428c3

SHA1
6a723b278a2939bc63780043fd58a11b479e649a

SHA256
c616d7f2796765df712ec4429b74fb885e43d10bf085d50a3b57dfa7fd73999d

SHA512
a9c989ba6b010f5bf1bfe6a83ffbb0895b66c4ed709026352341d0c9424586b85a8c5264a411171572452e06622aafb6413d2a011c27dfd40f9bb5566b5d561c

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
646f2796b5358f1467cd9b3ec94428c3

SHA1
6a723b278a2939bc63780043fd58a11b479e649a

SHA256
c616d7f2796765df712ec4429b74fb885e43d10bf085d50a3b57dfa7fd73999d

SHA512
a9c989ba6b010f5bf1bfe6a83ffbb0895b66c4ed709026352341d0c9424586b85a8c5264a411171572452e06622aafb6413d2a011c27dfd40f9bb5566b5d561c

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
846223c1a5d8f6d1e272f8f4e3f75d27

SHA1
f563ab29d5d7b34efc6424ff3ce97c179cb6de36

SHA256
f9a7768585e0d0b68f5fd71513de810c023f4039e4574c9e0bea8834e0392ca8

SHA512
19e61a19419a6c8080e31a40dc27c7c282384d4d5a9ab6164ab33ac694d9649b92d8b0c0f8a08ce09f92ae1b85001a23c2e7270234a171a5f047bfaf05e78faa

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
846223c1a5d8f6d1e272f8f4e3f75d27

SHA1
f563ab29d5d7b34efc6424ff3ce97c179cb6de36

SHA256
f9a7768585e0d0b68f5fd71513de810c023f4039e4574c9e0bea8834e0392ca8

SHA512
19e61a19419a6c8080e31a40dc27c7c282384d4d5a9ab6164ab33ac694d9649b92d8b0c0f8a08ce09f92ae1b85001a23c2e7270234a171a5f047bfaf05e78faa

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
0886537da763210c784961dca2f39582

SHA1
9241ffdf88740b5ea49dd8f4aee651441f68c0a1

SHA256
f05b8c44964485f9ad33488ff0d6505b514b70a0c2d42a23b1667d877ce7ce38

SHA512
c51f9ee47afca2d9b863e37f8060997e76443afe562dd73c1e4bfd8b871f3c93735e418c2ddb1d4953f742953825a5b61431b6830d1650363c5776e7e2549a38

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
2dac04d2acfbbc19ca3e27bb48901bc8

SHA1
81d8a4152ae8878884f05b74d216aa472573cc12

SHA256
7303280260f8a94a37aca165f9ba7f293572a42c7e4eacef71d496aff09807ff

SHA512
ca5205da5548851afe7accea26fec0110e034eddbe7c33f9394ee5675daaa2addb9c1dab07ef0c1fa168333c9e65654923cb4bc331b86130e8288938042efdd5

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
a25a19c6f7918a5eeccaf0ace416305b

SHA1
38698526a79b5493e5f73efbb6427f542c9cdaf1

SHA256
c046de8b5e0ad06a59358b672b5414da7c6d2937c60115323cc8e436f929f448

SHA512
53d599f87fa3422e42d23280298ccb719b822a2e18eb895ee6da4cb1dbdce55795babd8fb0739b027c6b1c170ed527fbd25d14b5f8c8a80c25ed931e8f0d672d

Download Submit
memory/240-62-0x0000000000000000-mapping.dmp

Download
memory/820-87-0x0000000000000000-mapping.dmp

Download
memory/912-59-0x0000000000000000-mapping.dmp

Download
memory/1064-86-0x0000000000000000-mapping.dmp

Download
memory/1288-61-0x0000000000000000-mapping.dmp

Download
memory/1416-64-0x0000000000000000-mapping.dmp

Download
memory/1612-54-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1612-55-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1612-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1616-80-0x0000000000000000-mapping.dmp

Download
memory/1800-70-0x0000000000000000-mapping.dmp

Download
memory/1856-76-0x0000000000000000-mapping.dmp

Download
memory/1948-58-0x0000000000000000-mapping.dmp

Download
memory/1992-81-0x0000000000000000-mapping.dmp

Download