4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde

Analysis

max time kernel
45s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
Size

601KB
MD5

ceabdc0c560675303d48e25dda978a6b
SHA1

d99a2ad80a6fecf9cd914f2fb296c953828c2ee7
SHA256

4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde
SHA512

03c117900554fdf9f7e5643cb96c6bbf2048df43c5e83f1c881cbbcdbfcf1e06c3fa0f24bb41d0e2f9e98bb285dd5c26fd310b44b7aa66ea98caf0bee54a8152
SSDEEP

12288:TIny5DYTDaCPmcK3dvv2v0CFsj7qteNUf0CpCgirZCbjn:7UTDaC0X2sCejvOf0CpCdr0b

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe

description ioc process

File created C:\Windows\system32\drivers\nethfdrv.sys 4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
Executes dropped EXE 5 IoCs

Processes:

installd.exenethtsrv.exenetupdsrv.exenethtsrv.exenetupdsrv.exe

pid process

1920 installd.exe
1012 nethtsrv.exe
1876 netupdsrv.exe
1948 nethtsrv.exe
1800 netupdsrv.exe

description	ioc	process
File created	C:\Windows\system32\drivers\nethfdrv.sys	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe

pid	process
1920	installd.exe
1012	nethtsrv.exe
1876	netupdsrv.exe
1948	nethtsrv.exe
1800	netupdsrv.exe

Loads dropped DLL 13 IoCs

Processes:

4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exeinstalld.exenethtsrv.exenethtsrv.exe

pid	process
1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
1920	installd.exe
1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
1012	nethtsrv.exe
1012	nethtsrv.exe
1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
1948	nethtsrv.exe
1948	nethtsrv.exe
1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

Processes:

4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe

description	ioc	process
File created	C:\Windows\SysWOW64\hfnapi.dll	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
File created	C:\Windows\SysWOW64\hfpapi.dll	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
File created	C:\Windows\SysWOW64\installd.exe	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
File created	C:\Windows\SysWOW64\nethtsrv.exe	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
File created	C:\Windows\SysWOW64\netupdsrv.exe	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe

Drops file in Program Files directory 3 IoCs

Processes:

4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Config\data.xml	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
File created	C:\Program Files (x86)\Common Files\Config\ver.xml	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
File created	C:\Program Files (x86)\Common Files\config\uninstinethnfd.exe	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

nethtsrv.exe

description pid process

Token: SeDebugPrivilege 1948 nethtsrv.exe

pid	process
464

description	pid	process
Token: SeDebugPrivilege	1948	nethtsrv.exe

Suspicious use of WriteProcessMemory 50 IoCs

Processes:

4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exenet.exenet.exenet.exenet.exe

description	pid	process	target process
PID 1776 wrote to memory of 1188	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1188	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1188	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1188	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1188 wrote to memory of 788	1188	net.exe	net1.exe
PID 1188 wrote to memory of 788	1188	net.exe	net1.exe
PID 1188 wrote to memory of 788	1188	net.exe	net1.exe
PID 1188 wrote to memory of 788	1188	net.exe	net1.exe
PID 1776 wrote to memory of 1924	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1924	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1924	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1924	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1924 wrote to memory of 544	1924	net.exe	net1.exe
PID 1924 wrote to memory of 544	1924	net.exe	net1.exe
PID 1924 wrote to memory of 544	1924	net.exe	net1.exe
PID 1924 wrote to memory of 544	1924	net.exe	net1.exe
PID 1776 wrote to memory of 1920	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	installd.exe
PID 1776 wrote to memory of 1920	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	installd.exe
PID 1776 wrote to memory of 1920	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	installd.exe
PID 1776 wrote to memory of 1920	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	installd.exe
PID 1776 wrote to memory of 1920	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	installd.exe
PID 1776 wrote to memory of 1920	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	installd.exe
PID 1776 wrote to memory of 1920	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	installd.exe
PID 1776 wrote to memory of 1012	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	nethtsrv.exe
PID 1776 wrote to memory of 1012	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	nethtsrv.exe
PID 1776 wrote to memory of 1012	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	nethtsrv.exe
PID 1776 wrote to memory of 1012	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	nethtsrv.exe
PID 1776 wrote to memory of 1876	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	netupdsrv.exe
PID 1776 wrote to memory of 1876	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	netupdsrv.exe
PID 1776 wrote to memory of 1876	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	netupdsrv.exe
PID 1776 wrote to memory of 1876	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	netupdsrv.exe
PID 1776 wrote to memory of 1876	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	netupdsrv.exe
PID 1776 wrote to memory of 1876	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	netupdsrv.exe
PID 1776 wrote to memory of 1876	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	netupdsrv.exe
PID 1776 wrote to memory of 1296	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1296	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1296	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 1296	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1296 wrote to memory of 940	1296	net.exe	net1.exe
PID 1296 wrote to memory of 940	1296	net.exe	net1.exe
PID 1296 wrote to memory of 940	1296	net.exe	net1.exe
PID 1296 wrote to memory of 940	1296	net.exe	net1.exe
PID 1776 wrote to memory of 2040	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 2040	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 2040	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 1776 wrote to memory of 2040	1776	4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe	net.exe
PID 2040 wrote to memory of 1624	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1624	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1624	2040	net.exe	net1.exe
PID 2040 wrote to memory of 1624	2040	net.exe	net1.exe

C:\Users\Admin\AppData\Local\Temp\4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe
"C:\Users\Admin\AppData\Local\Temp\4d1da9066ebf53e39ed8b6fe8fe6c02e770f499bf97ba8394d74ae6e1f481fde.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\net.exe
net stop nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop nethttpservice
3⤵
PID:788

C:\Windows\SysWOW64\net.exe
net stop serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:1924

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop serviceupdater
3⤵
PID:544

C:\Windows\SysWOW64\installd.exe
"C:\Windows\system32\installd.exe" nethfdrv
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920

C:\Windows\SysWOW64\nethtsrv.exe
"C:\Windows\system32\nethtsrv.exe" -nfdi
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012

C:\Windows\SysWOW64\netupdsrv.exe
"C:\Windows\system32\netupdsrv.exe" -nfdi
2⤵
- Executes dropped EXE
PID:1876

C:\Windows\SysWOW64\net.exe
net start nethttpservice
2⤵
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start nethttpservice
3⤵
PID:940

C:\Windows\SysWOW64\net.exe
net start serviceupdater
2⤵
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start serviceupdater
3⤵
PID:1624

C:\Windows\SysWOW64\nethtsrv.exe
C:\Windows\SysWOW64\nethtsrv.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\SysWOW64\netupdsrv.exe
C:\Windows\SysWOW64\netupdsrv.exe
1⤵
- Executes dropped EXE
PID:1800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
2a82fdf3938bdc396ed135e4493c7a5b

SHA1
3910cdabe51e8b1ff062272cadde243224e446b2

SHA256
1b41794507042f6951084882ba37f7d474851bfa7fc3ac1318e38107813399ec

SHA512
5e07beb5f3a592192d7defc08d04e4f5f2eb4972b6adf81c17282ccc74ab647724276d6eabfc02928816916c4180db355d3beb89d5a8fc01142167af506816b6

Download Submit
C:\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
529ad869800cee93e6972d6e3d5c25c3

SHA1
408e74ead384b0d04ae587a24b8f3bcfa1d285f3

SHA256
5dea6871599a1863cb558fa06770c535f09b4e75d8989fdd13cdd524c5b14ae4

SHA512
2dd14e704dea4dffd4b979c26a19f4ef52a4b9ecc4e7c5a7d7d3a9cd2ecdd16c19804a05c98762235bf28fa3c73f3934481eb873e12db825dc5f0b0b464ef2c0

Download Submit
C:\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
f782d00fd3d08c1804f536385c2886f8

SHA1
2b473a7514a634c2034484d24f1ada78d379a618

SHA256
e2085a04d88c107748a70102ca0253f9d3638a91bbe120022339a65fd0f280ed

SHA512
a51cb818a45a8aa6ac11db6b81e8a72e6bb39a5bc1536e0f235fe930a4dc849a56b6ca4dcc485d9e9974a7ac8b59931da3b76cfd206a7374e1c6af807d18e5a6

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
351126a57beb8fa7443867d5c30fce68

SHA1
dac4363a40b91e5d126964cba8b0a645ae445148

SHA256
95af5e29350481568f61a64ac4251172c905189cfffbe4d6ccddbe1331f8e51e

SHA512
92379e8add2e0ee7df2e81271f8dd8b2d3df6de638bb065ac3a0c481288cc24b592df93ce4d85a881f53a3517cf634ab128c3571547fec80ac21ddaaa308d257

Download Submit
C:\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
351126a57beb8fa7443867d5c30fce68

SHA1
dac4363a40b91e5d126964cba8b0a645ae445148

SHA256
95af5e29350481568f61a64ac4251172c905189cfffbe4d6ccddbe1331f8e51e

SHA512
92379e8add2e0ee7df2e81271f8dd8b2d3df6de638bb065ac3a0c481288cc24b592df93ce4d85a881f53a3517cf634ab128c3571547fec80ac21ddaaa308d257

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
159KB

MD5
8db3596ed0bea5c2a0415824be45b6f1

SHA1
e6b986ab6d87b7304914e2a5e5b8cda2d2683a43

SHA256
c5b01d3ff19e21520001878fe19d5d2baf01e8f303ceff3f0c587beca05d4b85

SHA512
87aefcbad921ffee99dbe6f697ab0e242591f405860f153247eec49c789537b0fa95b11da0edec5c91f57fb45e684e530a175ebb3fe6f02211353cf94ebb2daa

Download Submit
C:\Windows\SysWOW64\netupdsrv.exe

Filesize
159KB

MD5
8db3596ed0bea5c2a0415824be45b6f1

SHA1
e6b986ab6d87b7304914e2a5e5b8cda2d2683a43

SHA256
c5b01d3ff19e21520001878fe19d5d2baf01e8f303ceff3f0c587beca05d4b85

SHA512
87aefcbad921ffee99dbe6f697ab0e242591f405860f153247eec49c789537b0fa95b11da0edec5c91f57fb45e684e530a175ebb3fe6f02211353cf94ebb2daa

Download Submit
\Users\Admin\AppData\Local\Temp\nstB3E7.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nstB3E7.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstB3E7.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstB3E7.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Users\Admin\AppData\Local\Temp\nstB3E7.tmp\nsExec.dll

Filesize
6KB

MD5
acc2b699edfea5bf5aae45aba3a41e96

SHA1
d2accf4d494e43ceb2cff69abe4dd17147d29cc2

SHA256
168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e

SHA512
e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
2a82fdf3938bdc396ed135e4493c7a5b

SHA1
3910cdabe51e8b1ff062272cadde243224e446b2

SHA256
1b41794507042f6951084882ba37f7d474851bfa7fc3ac1318e38107813399ec

SHA512
5e07beb5f3a592192d7defc08d04e4f5f2eb4972b6adf81c17282ccc74ab647724276d6eabfc02928816916c4180db355d3beb89d5a8fc01142167af506816b6

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
2a82fdf3938bdc396ed135e4493c7a5b

SHA1
3910cdabe51e8b1ff062272cadde243224e446b2

SHA256
1b41794507042f6951084882ba37f7d474851bfa7fc3ac1318e38107813399ec

SHA512
5e07beb5f3a592192d7defc08d04e4f5f2eb4972b6adf81c17282ccc74ab647724276d6eabfc02928816916c4180db355d3beb89d5a8fc01142167af506816b6

Download Submit
\Windows\SysWOW64\hfnapi.dll

Filesize
106KB

MD5
2a82fdf3938bdc396ed135e4493c7a5b

SHA1
3910cdabe51e8b1ff062272cadde243224e446b2

SHA256
1b41794507042f6951084882ba37f7d474851bfa7fc3ac1318e38107813399ec

SHA512
5e07beb5f3a592192d7defc08d04e4f5f2eb4972b6adf81c17282ccc74ab647724276d6eabfc02928816916c4180db355d3beb89d5a8fc01142167af506816b6

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
529ad869800cee93e6972d6e3d5c25c3

SHA1
408e74ead384b0d04ae587a24b8f3bcfa1d285f3

SHA256
5dea6871599a1863cb558fa06770c535f09b4e75d8989fdd13cdd524c5b14ae4

SHA512
2dd14e704dea4dffd4b979c26a19f4ef52a4b9ecc4e7c5a7d7d3a9cd2ecdd16c19804a05c98762235bf28fa3c73f3934481eb873e12db825dc5f0b0b464ef2c0

Download Submit
\Windows\SysWOW64\hfpapi.dll

Filesize
241KB

MD5
529ad869800cee93e6972d6e3d5c25c3

SHA1
408e74ead384b0d04ae587a24b8f3bcfa1d285f3

SHA256
5dea6871599a1863cb558fa06770c535f09b4e75d8989fdd13cdd524c5b14ae4

SHA512
2dd14e704dea4dffd4b979c26a19f4ef52a4b9ecc4e7c5a7d7d3a9cd2ecdd16c19804a05c98762235bf28fa3c73f3934481eb873e12db825dc5f0b0b464ef2c0

Download Submit
\Windows\SysWOW64\installd.exe

Filesize
108KB

MD5
f782d00fd3d08c1804f536385c2886f8

SHA1
2b473a7514a634c2034484d24f1ada78d379a618

SHA256
e2085a04d88c107748a70102ca0253f9d3638a91bbe120022339a65fd0f280ed

SHA512
a51cb818a45a8aa6ac11db6b81e8a72e6bb39a5bc1536e0f235fe930a4dc849a56b6ca4dcc485d9e9974a7ac8b59931da3b76cfd206a7374e1c6af807d18e5a6

Download Submit
\Windows\SysWOW64\nethtsrv.exe

Filesize
176KB

MD5
351126a57beb8fa7443867d5c30fce68

SHA1
dac4363a40b91e5d126964cba8b0a645ae445148

SHA256
95af5e29350481568f61a64ac4251172c905189cfffbe4d6ccddbe1331f8e51e

SHA512
92379e8add2e0ee7df2e81271f8dd8b2d3df6de638bb065ac3a0c481288cc24b592df93ce4d85a881f53a3517cf634ab128c3571547fec80ac21ddaaa308d257

Download Submit
\Windows\SysWOW64\netupdsrv.exe

Filesize
159KB

MD5
8db3596ed0bea5c2a0415824be45b6f1

SHA1
e6b986ab6d87b7304914e2a5e5b8cda2d2683a43

SHA256
c5b01d3ff19e21520001878fe19d5d2baf01e8f303ceff3f0c587beca05d4b85

SHA512
87aefcbad921ffee99dbe6f697ab0e242591f405860f153247eec49c789537b0fa95b11da0edec5c91f57fb45e684e530a175ebb3fe6f02211353cf94ebb2daa

Download Submit
memory/544-62-0x0000000000000000-mapping.dmp

Download
memory/788-58-0x0000000000000000-mapping.dmp

Download
memory/940-82-0x0000000000000000-mapping.dmp

Download
memory/1012-71-0x0000000000000000-mapping.dmp

Download
memory/1188-57-0x0000000000000000-mapping.dmp

Download
memory/1296-81-0x0000000000000000-mapping.dmp

Download
memory/1624-88-0x0000000000000000-mapping.dmp

Download
memory/1776-54-0x0000000074DA1000-0x0000000074DA3000-memory.dmp

Filesize
8KB

Download
memory/1776-69-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1776-59-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1776-91-0x0000000000360000-0x00000000007BE000-memory.dmp

Filesize
4.4MB

Download
memory/1876-77-0x0000000000000000-mapping.dmp

Download
memory/1920-64-0x0000000000000000-mapping.dmp

Download
memory/1924-61-0x0000000000000000-mapping.dmp

Download
memory/2040-87-0x0000000000000000-mapping.dmp

Download