556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662

Analysis

max time kernel
64s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
Size

602KB
MD5

8bf04c351a1c50b2619e03d645ff50c1
SHA1

c00feb93781f5dce2e978273842800bc47df70e4
SHA256

556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662
SHA512

fd4fb789b09fceecd863393a95d8144b80191c913e3ea7a465f82dc9b107e3bd59ee594f3463acdfbce4b8d21ac0bb013dc94e792a2f65eedf5a390415433d7e
SSDEEP

12288:8Iny5DYTWDLcBSHyvRISaAaoRksg0iYhYWnDhMsQm3vo0Z9l:aUTWDgeWRIqaGhRGsQvml

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1876 installd.exe
1644 nethtsrv.exe
760 netupdsrv.exe
1692 nethtsrv.exe
1416 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe

pid	process
1876	installd.exe
1644	nethtsrv.exe
760	netupdsrv.exe
1692	nethtsrv.exe
1416	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
1876	installd.exe
960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
1644	nethtsrv.exe
1644	nethtsrv.exe
960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
1692	nethtsrv.exe
1692	nethtsrv.exe
960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
File created	C:\Windows\SysWOW64\installd.exe	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe

Drops file in Program Files directory 3 IoCs

Processes:

556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

460
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1692 nethtsrv.exe

pid	process
460

description	pid	process
Token: SeDebugPrivilege	1692	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 960 wrote to memory of 1068	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1068	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1068	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1068	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 1068 wrote to memory of 560	1068	net.exe	net1.exe
PID 1068 wrote to memory of 560	1068	net.exe	net1.exe
PID 1068 wrote to memory of 560	1068	net.exe	net1.exe
PID 1068 wrote to memory of 560	1068	net.exe	net1.exe
PID 960 wrote to memory of 1880	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1880	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1880	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1880	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 1880 wrote to memory of 1508	1880	net.exe	net1.exe
PID 1880 wrote to memory of 1508	1880	net.exe	net1.exe
PID 1880 wrote to memory of 1508	1880	net.exe	net1.exe
PID 1880 wrote to memory of 1508	1880	net.exe	net1.exe
PID 960 wrote to memory of 1876	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	installd.exe
PID 960 wrote to memory of 1876	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	installd.exe
PID 960 wrote to memory of 1876	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	installd.exe
PID 960 wrote to memory of 1876	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	installd.exe
PID 960 wrote to memory of 1876	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	installd.exe
PID 960 wrote to memory of 1876	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	installd.exe
PID 960 wrote to memory of 1876	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	installd.exe
PID 960 wrote to memory of 1644	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	nethtsrv.exe
PID 960 wrote to memory of 1644	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	nethtsrv.exe
PID 960 wrote to memory of 1644	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	nethtsrv.exe
PID 960 wrote to memory of 1644	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	nethtsrv.exe
PID 960 wrote to memory of 760	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	netupdsrv.exe
PID 960 wrote to memory of 760	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	netupdsrv.exe
PID 960 wrote to memory of 760	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	netupdsrv.exe
PID 960 wrote to memory of 760	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	netupdsrv.exe
PID 960 wrote to memory of 760	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	netupdsrv.exe
PID 960 wrote to memory of 760	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	netupdsrv.exe
PID 960 wrote to memory of 760	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	netupdsrv.exe
PID 960 wrote to memory of 1652	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1652	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1652	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1652	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 1652 wrote to memory of 1756	1652	net.exe	net1.exe
PID 1652 wrote to memory of 1756	1652	net.exe	net1.exe
PID 1652 wrote to memory of 1756	1652	net.exe	net1.exe
PID 1652 wrote to memory of 1756	1652	net.exe	net1.exe
PID 960 wrote to memory of 1752	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1752	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1752	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 960 wrote to memory of 1752	960	556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe	net.exe
PID 1752 wrote to memory of 1788	1752	net.exe	net1.exe
PID 1752 wrote to memory of 1788	1752	net.exe	net1.exe
PID 1752 wrote to memory of 1788	1752	net.exe	net1.exe
PID 1752 wrote to memory of 1788	1752	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe
"C:\Users\Admin\AppData\Local\Temp\556b8d48978890116860c49392035cc5a5dc06dd3e603a5e39c20613be3bb662.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:560

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:1508

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:760

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:1756

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1788

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1416

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
0d2c9030f29ce93d7df38239200d83c1

SHA1
3789a0a676b775a2e9eb5e56816cd91b565e8bfc

SHA256
1b85eb2a3ab79a22185513467e6c09dc01d585d747ed9ec3d65d02c36269cc98

SHA512
366b5165152e856855b5925078be2a02f4c5188d712615330aa2e489d065f7a226ed615daf497726aa4f1a81ee26e768a2b5a732efb7746caac31659383cd52b

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
fb02e0155a2a56610a194657eec58e47

SHA1
884b1da207b39abe965df492a6546e2551286d08

SHA256
9dbc8eb3c6bc11fd873f5106da57f33b6eb07493c2c1bd179058a05881a06622

SHA512
dbbf8ce507edb305cdc4d8d47cfa51ca031c740fba0fc7821b303bbe6d83fbf76db068399d8d3f3dff8c2951fdb0f556ff0e9519aeadbb1a64401ee86c7d8029

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
d37fbc2debcaaf519a0ece49f02d6bfd

SHA1
676e08b570789b885982d38741a9534ba10f147f

SHA256
a9e0998bbee3b811c8abfbb416440b641851ceca4ca0d82f841a6cd7e2118c21

SHA512
12362313fae3b123a3f46bf0b634132bceb4043777bcb5804f352bbd5c5662455cf56b8f2d9e4f45b133f81787f15324e44a41ba1af9279b1259387bbe36d73b

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
4dd42b07c79598609fd238335c74bf44

SHA1
391e3e44ee1d195b00ca4a95b723cf3c235551bb

SHA256
e7b98ea046d8ef9142a3c3e62089c7c0b725a2df3ab1ac819a3904afca5650fd

SHA512
2998f84d41f8cf148f7219410aa779efdc1ec5cfff3c8211d13065fdeff80676694bc6ca132780cf6f30efbcae6f506e570715340ff6f7daa74230769c7e7a11

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
4dd42b07c79598609fd238335c74bf44

SHA1
391e3e44ee1d195b00ca4a95b723cf3c235551bb

SHA256
e7b98ea046d8ef9142a3c3e62089c7c0b725a2df3ab1ac819a3904afca5650fd

SHA512
2998f84d41f8cf148f7219410aa779efdc1ec5cfff3c8211d13065fdeff80676694bc6ca132780cf6f30efbcae6f506e570715340ff6f7daa74230769c7e7a11

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
159KB

MD5
f255c83a6e98e12d9105faa001663ce1

SHA1
e58ee9f16f25c8b94d637f00f42cbab1a10b8b77

SHA256
500f6b95a1ec2aa231eb28111bb1f2394a8ab460805b96c714ec1e2ea1f2722c

SHA512
d2361aac60c73abcdbd9f34f0885e70e305d12a3230c92b47f5a14ea9b623f42b5ac827d7e6514cf6f400917806b719818468e0d0a5fd59afae8a2b4bf0ae933

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
159KB

MD5
f255c83a6e98e12d9105faa001663ce1

SHA1
e58ee9f16f25c8b94d637f00f42cbab1a10b8b77

SHA256
500f6b95a1ec2aa231eb28111bb1f2394a8ab460805b96c714ec1e2ea1f2722c

SHA512
d2361aac60c73abcdbd9f34f0885e70e305d12a3230c92b47f5a14ea9b623f42b5ac827d7e6514cf6f400917806b719818468e0d0a5fd59afae8a2b4bf0ae933

Download Submit
\Users\Admin\AppData\Local\Temp\nseB474.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nseB474.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseB474.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseB474.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nseB474.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
0d2c9030f29ce93d7df38239200d83c1

SHA1
3789a0a676b775a2e9eb5e56816cd91b565e8bfc

SHA256
1b85eb2a3ab79a22185513467e6c09dc01d585d747ed9ec3d65d02c36269cc98

SHA512
366b5165152e856855b5925078be2a02f4c5188d712615330aa2e489d065f7a226ed615daf497726aa4f1a81ee26e768a2b5a732efb7746caac31659383cd52b

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
0d2c9030f29ce93d7df38239200d83c1

SHA1
3789a0a676b775a2e9eb5e56816cd91b565e8bfc

SHA256
1b85eb2a3ab79a22185513467e6c09dc01d585d747ed9ec3d65d02c36269cc98

SHA512
366b5165152e856855b5925078be2a02f4c5188d712615330aa2e489d065f7a226ed615daf497726aa4f1a81ee26e768a2b5a732efb7746caac31659383cd52b

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
0d2c9030f29ce93d7df38239200d83c1

SHA1
3789a0a676b775a2e9eb5e56816cd91b565e8bfc

SHA256
1b85eb2a3ab79a22185513467e6c09dc01d585d747ed9ec3d65d02c36269cc98

SHA512
366b5165152e856855b5925078be2a02f4c5188d712615330aa2e489d065f7a226ed615daf497726aa4f1a81ee26e768a2b5a732efb7746caac31659383cd52b

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
fb02e0155a2a56610a194657eec58e47

SHA1
884b1da207b39abe965df492a6546e2551286d08

SHA256
9dbc8eb3c6bc11fd873f5106da57f33b6eb07493c2c1bd179058a05881a06622

SHA512
dbbf8ce507edb305cdc4d8d47cfa51ca031c740fba0fc7821b303bbe6d83fbf76db068399d8d3f3dff8c2951fdb0f556ff0e9519aeadbb1a64401ee86c7d8029

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
fb02e0155a2a56610a194657eec58e47

SHA1
884b1da207b39abe965df492a6546e2551286d08

SHA256
9dbc8eb3c6bc11fd873f5106da57f33b6eb07493c2c1bd179058a05881a06622

SHA512
dbbf8ce507edb305cdc4d8d47cfa51ca031c740fba0fc7821b303bbe6d83fbf76db068399d8d3f3dff8c2951fdb0f556ff0e9519aeadbb1a64401ee86c7d8029

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
d37fbc2debcaaf519a0ece49f02d6bfd

SHA1
676e08b570789b885982d38741a9534ba10f147f

SHA256
a9e0998bbee3b811c8abfbb416440b641851ceca4ca0d82f841a6cd7e2118c21

SHA512
12362313fae3b123a3f46bf0b634132bceb4043777bcb5804f352bbd5c5662455cf56b8f2d9e4f45b133f81787f15324e44a41ba1af9279b1259387bbe36d73b

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
4dd42b07c79598609fd238335c74bf44

SHA1
391e3e44ee1d195b00ca4a95b723cf3c235551bb

SHA256
e7b98ea046d8ef9142a3c3e62089c7c0b725a2df3ab1ac819a3904afca5650fd

SHA512
2998f84d41f8cf148f7219410aa779efdc1ec5cfff3c8211d13065fdeff80676694bc6ca132780cf6f30efbcae6f506e570715340ff6f7daa74230769c7e7a11

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
159KB

MD5
f255c83a6e98e12d9105faa001663ce1

SHA1
e58ee9f16f25c8b94d637f00f42cbab1a10b8b77

SHA256
500f6b95a1ec2aa231eb28111bb1f2394a8ab460805b96c714ec1e2ea1f2722c

SHA512
d2361aac60c73abcdbd9f34f0885e70e305d12a3230c92b47f5a14ea9b623f42b5ac827d7e6514cf6f400917806b719818468e0d0a5fd59afae8a2b4bf0ae933

Download Submit
memory/560-58-0x0000000000000000-mapping.dmp

Download
memory/760-77-0x0000000000000000-mapping.dmp

Download
memory/960-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/960-75-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/960-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/960-54-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/1068-57-0x0000000000000000-mapping.dmp

Download
memory/1508-62-0x0000000000000000-mapping.dmp

Download
memory/1644-70-0x0000000000000000-mapping.dmp

Download
memory/1652-81-0x0000000000000000-mapping.dmp

Download
memory/1752-87-0x0000000000000000-mapping.dmp

Download
memory/1756-82-0x0000000000000000-mapping.dmp

Download
memory/1788-88-0x0000000000000000-mapping.dmp

Download
memory/1876-64-0x0000000000000000-mapping.dmp

Download
memory/1880-61-0x0000000000000000-mapping.dmp

Download