Malware Analysis Report

2025-04-13 09:52

Sample ID 230712-ybzhkaee52
Target ra.exe
SHA256 3fd89d02558550ba006d7df7fe1074d3a4118d1fc53c25104a4c581b810adf18
Tags
netsupport rat
score
10/10

Analysis Overview

score
10/10

SHA256

3fd89d02558550ba006d7df7fe1074d3a4118d1fc53c25104a4c581b810adf18

Threat Level: Known bad

The file ra.exe was found to be: Known bad.

Malicious Activity Summary

netsupport rat

NetSupport

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Drops startup file

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-12 19:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-12 19:37

Reported

2023-07-12 19:40

Platform

win7-20230712-en

Max time kernel

119s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ra.exe"

Signatures

NetSupport

rat netsupport

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunings.ini.lnk C:\Users\Admin\AppData\Local\Temp\ra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ra.exe

"C:\Users\Admin\AppData\Local\Temp\ra.exe"

C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe

"C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 VeriannavFf1.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp
GB 62.172.138.8:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 Quishbyleby2.com udp
US 8.8.8.8:53 VeriannavFf1.com udp

Files

C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\PCICL32.dll
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcichek.dll
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\MSVCR100.dll
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcicapi.dll
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\NSM.LIC
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.ini
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\TCCTL32.DLL
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\HTCTL32.DLL

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-12 19:37

Reported

2023-07-12 19:40

Platform

win10v2004-20230703-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ra.exe"

Signatures

NetSupport

rat netsupport

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ra.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunings.ini.lnk C:\Users\Admin\AppData\Local\Temp\ra.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ra.exe

"C:\Users\Admin\AppData\Local\Temp\ra.exe"

C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe

"C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 254.177.238.8.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 VeriannavFf1.com udp
US 8.8.8.8:53 geo.netsupportsoftware.com udp
GB 51.142.119.24:80 geo.netsupportsoftware.com tcp
US 8.8.8.8:53 Quishbyleby2.com udp
US 8.8.8.8:53 24.119.142.51.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 76.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 VeriannavFf1.com udp
US 8.8.8.8:53 Quishbyleby2.com udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 VeriannavFf1.com udp
US 8.8.8.8:53 Quishbyleby2.com udp

Files

C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\PCICL32.dll
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcichek.dll
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcicapi.dll
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\msvcr100.dll
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\NSM.LIC
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.ini
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\TCCTL32.DLL
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\HTCTL32.DLL