a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
Size

603KB
MD5

0c4306475d5ea09d399ff82cb551cf81
SHA1

a407c7e92036f0f32c0788e5e7f15babd5ec37c1
SHA256

a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012
SHA512

7c4ee7e5751a2b7dadf9c6bdf9c69090857cfecfec405ec0ede23cdcbb2bd5f8a378cd03396444bf6dba56562e32ec0fb0405fef13a9d03a626aae7fa5a12242
SSDEEP

12288:8Iny5DYTerRFGYx0B0r4AxT9qLLVe3QnNp11uIvcwWoEZp:aUTeVhxZr4OQeKNxuIE

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1732 installd.exe
1444 nethtsrv.exe
1568 netupdsrv.exe
632 nethtsrv.exe
852 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe

pid	process
1732	installd.exe
1444	nethtsrv.exe
1568	netupdsrv.exe
632	nethtsrv.exe
852	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
1732	installd.exe
2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
1444	nethtsrv.exe
1444	nethtsrv.exe
2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
632	nethtsrv.exe
632	nethtsrv.exe
2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
File created	C:\Windows\SysWOW64\installd.exe	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe

Drops file in Program Files directory 3 IoCs

Processes:

a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 632 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	632	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 2032 wrote to memory of 1892	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1892	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1892	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1892	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 1892 wrote to memory of 940	1892	net.exe	net1.exe
PID 1892 wrote to memory of 940	1892	net.exe	net1.exe
PID 1892 wrote to memory of 940	1892	net.exe	net1.exe
PID 1892 wrote to memory of 940	1892	net.exe	net1.exe
PID 2032 wrote to memory of 764	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 764	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 764	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 764	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 764 wrote to memory of 1736	764	net.exe	net1.exe
PID 764 wrote to memory of 1736	764	net.exe	net1.exe
PID 764 wrote to memory of 1736	764	net.exe	net1.exe
PID 764 wrote to memory of 1736	764	net.exe	net1.exe
PID 2032 wrote to memory of 1732	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	installd.exe
PID 2032 wrote to memory of 1732	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	installd.exe
PID 2032 wrote to memory of 1732	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	installd.exe
PID 2032 wrote to memory of 1732	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	installd.exe
PID 2032 wrote to memory of 1732	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	installd.exe
PID 2032 wrote to memory of 1732	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	installd.exe
PID 2032 wrote to memory of 1732	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	installd.exe
PID 2032 wrote to memory of 1444	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	nethtsrv.exe
PID 2032 wrote to memory of 1444	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	nethtsrv.exe
PID 2032 wrote to memory of 1444	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	nethtsrv.exe
PID 2032 wrote to memory of 1444	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	nethtsrv.exe
PID 2032 wrote to memory of 1568	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	netupdsrv.exe
PID 2032 wrote to memory of 1568	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	netupdsrv.exe
PID 2032 wrote to memory of 1568	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	netupdsrv.exe
PID 2032 wrote to memory of 1568	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	netupdsrv.exe
PID 2032 wrote to memory of 1568	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	netupdsrv.exe
PID 2032 wrote to memory of 1568	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	netupdsrv.exe
PID 2032 wrote to memory of 1568	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	netupdsrv.exe
PID 2032 wrote to memory of 1932	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1932	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1932	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1932	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 1932 wrote to memory of 1916	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1916	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1916	1932	net.exe	net1.exe
PID 1932 wrote to memory of 1916	1932	net.exe	net1.exe
PID 2032 wrote to memory of 1544	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1544	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1544	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 2032 wrote to memory of 1544	2032	a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe	net.exe
PID 1544 wrote to memory of 2036	1544	net.exe	net1.exe
PID 1544 wrote to memory of 2036	1544	net.exe	net1.exe
PID 1544 wrote to memory of 2036	1544	net.exe	net1.exe
PID 1544 wrote to memory of 2036	1544	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe
"C:\Users\Admin\AppData\Local\Temp\a1227370e740a147ba3dd9c0ff1aa393d360bfef712f15da8a48b29d43fd1012.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2032

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:940

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1736

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1444

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1568

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1916

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1544

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:2036

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a8c907c0089efda053fca4930a5cb253

SHA1
8a9ffe504efbafeea5919a801d02db4a98ac9d52

SHA256
aea80523b2130ebb1faa9db3b65c81756e1eb50edb6e3ac76a3f7a63c0fe4a2d

SHA512
34322b42e9cc069b4b1adff71ad25c06f660cb11d0cb122ae88946d46a1ee712dd70a8b09df41d6318218c86da634f25968cd40e169fe5634a079f0a436a6213

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
520ebe90b10d1721117c9ea3c5520929

SHA1
b442445a7507a1fbb3cdfc61aaffe1bd3b41f4ca

SHA256
ae48e82c28bccc4a2a52100f4bba863f80b16a9dfa011a81c2df2309fdc9234b

SHA512
5178e3668fdda164b1ea010193c98836e95b76f94e4c4d80053f5c196d8257f3287407168f4bd3358cc8268a5ca80891891122e1a23ef48d56e9e44df941b656

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
c4a3a52693bc7d3bfcc537c1bdc770df

SHA1
a9b81e65e21a0cbbc484780882a7dad19edb6754

SHA256
0e5ccf657145801bb40b9e96ace4390ded3e11dfb6c668836f10919fb6090c7e

SHA512
d93639d703c7fcfbcc3288f8322b6282dbe10a90106c3262651333063271322a3e4756ed8bccf627e78064bd0ce96a6832703edc7317d66d3d80b47f9b096da1

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
a4035f33f8d915d28ceb43210f19b983

SHA1
ea8f217d625017ea3f394d412cd1c2db4107395d

SHA256
d5e39a2f3b18c5ec262f5cb0f612dca9544104bec59828575d35814809e630ac

SHA512
120c683604c2256027753391ed5fc780b88d06576aff7296c4bb81e74c2d5cf0d05c2642ad3eb8704471911759093e7c48b9a0b8ad56fda4d392401b03e1c24d

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
a4035f33f8d915d28ceb43210f19b983

SHA1
ea8f217d625017ea3f394d412cd1c2db4107395d

SHA256
d5e39a2f3b18c5ec262f5cb0f612dca9544104bec59828575d35814809e630ac

SHA512
120c683604c2256027753391ed5fc780b88d06576aff7296c4bb81e74c2d5cf0d05c2642ad3eb8704471911759093e7c48b9a0b8ad56fda4d392401b03e1c24d

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
3874d8baad958529293125bcf337f761

SHA1
c7627b2f389f4ca7817e46da148c8be55979ac8b

SHA256
8aeb52f7877e18a8db9a9eee371a3e00c75ccc923de803567a6fd5541ed89d01

SHA512
ca9904048f09bb8d0a794f0b08afa0752007d164871041aa033c5a1816934fe0629d841a8d15dede0a42ad0dc15cff1830a88eac6c4ca7cb14892e366b8efa5d

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
3874d8baad958529293125bcf337f761

SHA1
c7627b2f389f4ca7817e46da148c8be55979ac8b

SHA256
8aeb52f7877e18a8db9a9eee371a3e00c75ccc923de803567a6fd5541ed89d01

SHA512
ca9904048f09bb8d0a794f0b08afa0752007d164871041aa033c5a1816934fe0629d841a8d15dede0a42ad0dc15cff1830a88eac6c4ca7cb14892e366b8efa5d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2EC1.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2EC1.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2EC1.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2EC1.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2EC1.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a8c907c0089efda053fca4930a5cb253

SHA1
8a9ffe504efbafeea5919a801d02db4a98ac9d52

SHA256
aea80523b2130ebb1faa9db3b65c81756e1eb50edb6e3ac76a3f7a63c0fe4a2d

SHA512
34322b42e9cc069b4b1adff71ad25c06f660cb11d0cb122ae88946d46a1ee712dd70a8b09df41d6318218c86da634f25968cd40e169fe5634a079f0a436a6213

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a8c907c0089efda053fca4930a5cb253

SHA1
8a9ffe504efbafeea5919a801d02db4a98ac9d52

SHA256
aea80523b2130ebb1faa9db3b65c81756e1eb50edb6e3ac76a3f7a63c0fe4a2d

SHA512
34322b42e9cc069b4b1adff71ad25c06f660cb11d0cb122ae88946d46a1ee712dd70a8b09df41d6318218c86da634f25968cd40e169fe5634a079f0a436a6213

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
a8c907c0089efda053fca4930a5cb253

SHA1
8a9ffe504efbafeea5919a801d02db4a98ac9d52

SHA256
aea80523b2130ebb1faa9db3b65c81756e1eb50edb6e3ac76a3f7a63c0fe4a2d

SHA512
34322b42e9cc069b4b1adff71ad25c06f660cb11d0cb122ae88946d46a1ee712dd70a8b09df41d6318218c86da634f25968cd40e169fe5634a079f0a436a6213

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
520ebe90b10d1721117c9ea3c5520929

SHA1
b442445a7507a1fbb3cdfc61aaffe1bd3b41f4ca

SHA256
ae48e82c28bccc4a2a52100f4bba863f80b16a9dfa011a81c2df2309fdc9234b

SHA512
5178e3668fdda164b1ea010193c98836e95b76f94e4c4d80053f5c196d8257f3287407168f4bd3358cc8268a5ca80891891122e1a23ef48d56e9e44df941b656

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
520ebe90b10d1721117c9ea3c5520929

SHA1
b442445a7507a1fbb3cdfc61aaffe1bd3b41f4ca

SHA256
ae48e82c28bccc4a2a52100f4bba863f80b16a9dfa011a81c2df2309fdc9234b

SHA512
5178e3668fdda164b1ea010193c98836e95b76f94e4c4d80053f5c196d8257f3287407168f4bd3358cc8268a5ca80891891122e1a23ef48d56e9e44df941b656

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
c4a3a52693bc7d3bfcc537c1bdc770df

SHA1
a9b81e65e21a0cbbc484780882a7dad19edb6754

SHA256
0e5ccf657145801bb40b9e96ace4390ded3e11dfb6c668836f10919fb6090c7e

SHA512
d93639d703c7fcfbcc3288f8322b6282dbe10a90106c3262651333063271322a3e4756ed8bccf627e78064bd0ce96a6832703edc7317d66d3d80b47f9b096da1

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
a4035f33f8d915d28ceb43210f19b983

SHA1
ea8f217d625017ea3f394d412cd1c2db4107395d

SHA256
d5e39a2f3b18c5ec262f5cb0f612dca9544104bec59828575d35814809e630ac

SHA512
120c683604c2256027753391ed5fc780b88d06576aff7296c4bb81e74c2d5cf0d05c2642ad3eb8704471911759093e7c48b9a0b8ad56fda4d392401b03e1c24d

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
3874d8baad958529293125bcf337f761

SHA1
c7627b2f389f4ca7817e46da148c8be55979ac8b

SHA256
8aeb52f7877e18a8db9a9eee371a3e00c75ccc923de803567a6fd5541ed89d01

SHA512
ca9904048f09bb8d0a794f0b08afa0752007d164871041aa033c5a1816934fe0629d841a8d15dede0a42ad0dc15cff1830a88eac6c4ca7cb14892e366b8efa5d

Download Submit
memory/764-61-0x0000000000000000-mapping.dmp

Download
memory/940-58-0x0000000000000000-mapping.dmp

Download
memory/1444-70-0x0000000000000000-mapping.dmp

Download
memory/1544-86-0x0000000000000000-mapping.dmp

Download
memory/1568-76-0x0000000000000000-mapping.dmp

Download
memory/1732-64-0x0000000000000000-mapping.dmp

Download
memory/1736-62-0x0000000000000000-mapping.dmp

Download
memory/1892-57-0x0000000000000000-mapping.dmp

Download
memory/1916-81-0x0000000000000000-mapping.dmp

Download
memory/1932-80-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x0000000075A71000-0x0000000075A73000-memory.dmp

Filesize
8KB

Download
memory/2032-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2032-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/2036-87-0x0000000000000000-mapping.dmp

Download