80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941

Analysis

max time kernel
47s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
Size

603KB
MD5

b94ad7fc35925c54254738078b70e1d1
SHA1

e53b0fd33377baf55cd797b2670638c621350295
SHA256

80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941
SHA512

410e732aea60455eb3f6095e81a9fae88700737e262aa462b3b513881a4bfc4728479fcb4d328d3d9266154f312e93a4019f99701df731e56e0a8ebb36717d25
SSDEEP

12288:rIny5DYTEN02fg8dbnweVJtGaU+LqmNawxAM0DxgW4Jv:TUTEbfXRXVJkaLP0M0DxQ

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

820 installd.exe
1608 nethtsrv.exe
1596 netupdsrv.exe
1620 nethtsrv.exe
912 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe

pid	process
820	installd.exe
1608	nethtsrv.exe
1596	netupdsrv.exe
1620	nethtsrv.exe
912	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
820	installd.exe
932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
1608	nethtsrv.exe
1608	nethtsrv.exe
932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
1620	nethtsrv.exe
1620	nethtsrv.exe
932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
File created	C:\Windows\SysWOW64\installd.exe	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe

Drops file in Program Files directory 3 IoCs

Processes:

80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1620 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1620	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 932 wrote to memory of 1972	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1972	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1972	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1972	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 1972 wrote to memory of 1760	1972	net.exe	net1.exe
PID 1972 wrote to memory of 1760	1972	net.exe	net1.exe
PID 1972 wrote to memory of 1760	1972	net.exe	net1.exe
PID 1972 wrote to memory of 1760	1972	net.exe	net1.exe
PID 932 wrote to memory of 1264	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1264	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1264	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1264	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 1264 wrote to memory of 1744	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1744	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1744	1264	net.exe	net1.exe
PID 1264 wrote to memory of 1744	1264	net.exe	net1.exe
PID 932 wrote to memory of 820	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	installd.exe
PID 932 wrote to memory of 820	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	installd.exe
PID 932 wrote to memory of 820	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	installd.exe
PID 932 wrote to memory of 820	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	installd.exe
PID 932 wrote to memory of 820	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	installd.exe
PID 932 wrote to memory of 820	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	installd.exe
PID 932 wrote to memory of 820	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	installd.exe
PID 932 wrote to memory of 1608	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	nethtsrv.exe
PID 932 wrote to memory of 1608	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	nethtsrv.exe
PID 932 wrote to memory of 1608	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	nethtsrv.exe
PID 932 wrote to memory of 1608	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	nethtsrv.exe
PID 932 wrote to memory of 1596	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	netupdsrv.exe
PID 932 wrote to memory of 1596	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	netupdsrv.exe
PID 932 wrote to memory of 1596	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	netupdsrv.exe
PID 932 wrote to memory of 1596	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	netupdsrv.exe
PID 932 wrote to memory of 1596	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	netupdsrv.exe
PID 932 wrote to memory of 1596	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	netupdsrv.exe
PID 932 wrote to memory of 1596	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	netupdsrv.exe
PID 932 wrote to memory of 1944	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1944	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1944	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 1944	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 1944 wrote to memory of 580	1944	net.exe	net1.exe
PID 1944 wrote to memory of 580	1944	net.exe	net1.exe
PID 1944 wrote to memory of 580	1944	net.exe	net1.exe
PID 1944 wrote to memory of 580	1944	net.exe	net1.exe
PID 932 wrote to memory of 836	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 836	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 836	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 932 wrote to memory of 836	932	80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe	net.exe
PID 836 wrote to memory of 2032	836	net.exe	net1.exe
PID 836 wrote to memory of 2032	836	net.exe	net1.exe
PID 836 wrote to memory of 2032	836	net.exe	net1.exe
PID 836 wrote to memory of 2032	836	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe
"C:\Users\Admin\AppData\Local\Temp\80927e2b95de20b93b38cc22cee34a7edc8ea5d424e27196eb656d272812d941.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:1760

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1744

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:820

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1596

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1944

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:580

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:836

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:2032

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
e5fce21c5c05e5f625fc697548eb2d15

SHA1
a0ee8a00a77dd476d2557f225ce4f0c5b0d9bd27

SHA256
7a729b262dc6d4c33264d3d77c8bc27a3733dc276e0bc054d4b05be5b0287c4f

SHA512
83ab5a5493c03735450a057213693213d2417bd527c996c5603613f83e95723400d937b9494c51d68f9544d970fcd3806ee282cbf820f06d3fac4cced84aa09f

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
a5777b9eeecb27c7632311cf673b1f7c

SHA1
46e0ec5c5b51e8aa42f4296836445452535e116d

SHA256
ae9032e7ad6fa040f9be1b757118f35f15f7380ec29639be4047e3da92b29ca4

SHA512
d29e8089130eafa14af08acb85f95c32da95c617abeed7aebab5d9b20db247709b546d17888f2f2646e3a3a27d21de2b0258a197e57a1f374e9e18b27b80b2e5

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
d9bfd079b28653382ad61f75d8e9f8db

SHA1
bf0946605b463ba51a0a25a85a048b0d07ef7f2e

SHA256
2922c620e7212a7fa09c69313ca7f0efc51c45c21c429268bbf0c08a1923fc1f

SHA512
5f10667b390293c520cd9c35c94f205dbb01fa1d4f07ec488f16d809bbc7e5655898ba8e5efa8a4fdb460f21d27c185bfb1e141f03e166d3f93d64b9e4891335

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
85a24522b92e2295ec81c74998974017

SHA1
ccf1d94bfcfa8ac2eb8ff1045efb6a223f972e52

SHA256
555e3903bb368a88758550f6517b80ca1fe34755120aad8018dff7c25faef0b3

SHA512
66a9affebcaf131313a96afe286f2f8bc6a2a55ba71c5a264bcedd8edc01540b2aca9a9186ad77aea0b2a150515e20874819408295ec3e61dc6fe39378047d0d

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
85a24522b92e2295ec81c74998974017

SHA1
ccf1d94bfcfa8ac2eb8ff1045efb6a223f972e52

SHA256
555e3903bb368a88758550f6517b80ca1fe34755120aad8018dff7c25faef0b3

SHA512
66a9affebcaf131313a96afe286f2f8bc6a2a55ba71c5a264bcedd8edc01540b2aca9a9186ad77aea0b2a150515e20874819408295ec3e61dc6fe39378047d0d

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
82f903ab6463ac7c26f94423ffd3b422

SHA1
09841ac8806b1bdb53c14698f861fcb17cc134e0

SHA256
3d0fba1dad08740155062589ee37cf2069bb39ecbfad86d3cbca0d5782689dbe

SHA512
05c7052e90e8ca058206a689fb5467ba1edd9916c143375944269f72e077de68733bca24ac452112bd26c0df5fea8ddddd2da4fcdc8431362f100e07af81d6d9

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
82f903ab6463ac7c26f94423ffd3b422

SHA1
09841ac8806b1bdb53c14698f861fcb17cc134e0

SHA256
3d0fba1dad08740155062589ee37cf2069bb39ecbfad86d3cbca0d5782689dbe

SHA512
05c7052e90e8ca058206a689fb5467ba1edd9916c143375944269f72e077de68733bca24ac452112bd26c0df5fea8ddddd2da4fcdc8431362f100e07af81d6d9

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAAD3.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAAD3.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAAD3.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAAD3.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nsjAAD3.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
e5fce21c5c05e5f625fc697548eb2d15

SHA1
a0ee8a00a77dd476d2557f225ce4f0c5b0d9bd27

SHA256
7a729b262dc6d4c33264d3d77c8bc27a3733dc276e0bc054d4b05be5b0287c4f

SHA512
83ab5a5493c03735450a057213693213d2417bd527c996c5603613f83e95723400d937b9494c51d68f9544d970fcd3806ee282cbf820f06d3fac4cced84aa09f

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
e5fce21c5c05e5f625fc697548eb2d15

SHA1
a0ee8a00a77dd476d2557f225ce4f0c5b0d9bd27

SHA256
7a729b262dc6d4c33264d3d77c8bc27a3733dc276e0bc054d4b05be5b0287c4f

SHA512
83ab5a5493c03735450a057213693213d2417bd527c996c5603613f83e95723400d937b9494c51d68f9544d970fcd3806ee282cbf820f06d3fac4cced84aa09f

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
e5fce21c5c05e5f625fc697548eb2d15

SHA1
a0ee8a00a77dd476d2557f225ce4f0c5b0d9bd27

SHA256
7a729b262dc6d4c33264d3d77c8bc27a3733dc276e0bc054d4b05be5b0287c4f

SHA512
83ab5a5493c03735450a057213693213d2417bd527c996c5603613f83e95723400d937b9494c51d68f9544d970fcd3806ee282cbf820f06d3fac4cced84aa09f

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
a5777b9eeecb27c7632311cf673b1f7c

SHA1
46e0ec5c5b51e8aa42f4296836445452535e116d

SHA256
ae9032e7ad6fa040f9be1b757118f35f15f7380ec29639be4047e3da92b29ca4

SHA512
d29e8089130eafa14af08acb85f95c32da95c617abeed7aebab5d9b20db247709b546d17888f2f2646e3a3a27d21de2b0258a197e57a1f374e9e18b27b80b2e5

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
244KB

MD5
a5777b9eeecb27c7632311cf673b1f7c

SHA1
46e0ec5c5b51e8aa42f4296836445452535e116d

SHA256
ae9032e7ad6fa040f9be1b757118f35f15f7380ec29639be4047e3da92b29ca4

SHA512
d29e8089130eafa14af08acb85f95c32da95c617abeed7aebab5d9b20db247709b546d17888f2f2646e3a3a27d21de2b0258a197e57a1f374e9e18b27b80b2e5

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
d9bfd079b28653382ad61f75d8e9f8db

SHA1
bf0946605b463ba51a0a25a85a048b0d07ef7f2e

SHA256
2922c620e7212a7fa09c69313ca7f0efc51c45c21c429268bbf0c08a1923fc1f

SHA512
5f10667b390293c520cd9c35c94f205dbb01fa1d4f07ec488f16d809bbc7e5655898ba8e5efa8a4fdb460f21d27c185bfb1e141f03e166d3f93d64b9e4891335

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
85a24522b92e2295ec81c74998974017

SHA1
ccf1d94bfcfa8ac2eb8ff1045efb6a223f972e52

SHA256
555e3903bb368a88758550f6517b80ca1fe34755120aad8018dff7c25faef0b3

SHA512
66a9affebcaf131313a96afe286f2f8bc6a2a55ba71c5a264bcedd8edc01540b2aca9a9186ad77aea0b2a150515e20874819408295ec3e61dc6fe39378047d0d

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
158KB

MD5
82f903ab6463ac7c26f94423ffd3b422

SHA1
09841ac8806b1bdb53c14698f861fcb17cc134e0

SHA256
3d0fba1dad08740155062589ee37cf2069bb39ecbfad86d3cbca0d5782689dbe

SHA512
05c7052e90e8ca058206a689fb5467ba1edd9916c143375944269f72e077de68733bca24ac452112bd26c0df5fea8ddddd2da4fcdc8431362f100e07af81d6d9

Download Submit
memory/580-81-0x0000000000000000-mapping.dmp

Download
memory/820-64-0x0000000000000000-mapping.dmp

Download
memory/836-86-0x0000000000000000-mapping.dmp

Download
memory/932-62-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/932-54-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/932-90-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1264-60-0x0000000000000000-mapping.dmp

Download
memory/1596-76-0x0000000000000000-mapping.dmp

Download
memory/1608-70-0x0000000000000000-mapping.dmp

Download
memory/1744-61-0x0000000000000000-mapping.dmp

Download
memory/1760-58-0x0000000000000000-mapping.dmp

Download
memory/1944-80-0x0000000000000000-mapping.dmp

Download
memory/1972-57-0x0000000000000000-mapping.dmp

Download
memory/2032-87-0x0000000000000000-mapping.dmp

Download