Analysis Overview
SHA256
3fd89d02558550ba006d7df7fe1074d3a4118d1fc53c25104a4c581b810adf18
Threat Level: Known bad
The file ra.exe was found to be: Known bad.
Malicious Activity Summary
NetSupport
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Drops startup file
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-12 19:37
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-12 19:37
Reported
2023-07-12 19:40
Platform
win7-20230712-en
Max time kernel
119s
Max time network
133s
Command Line
Signatures
NetSupport
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunings.ini.lnk | C:\Users\Admin\AppData\Local\Temp\ra.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2216 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
| PID 2216 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
| PID 2216 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
| PID 2216 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
| PID 2216 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
| PID 2216 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
| PID 2216 wrote to memory of 2104 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ra.exe
"C:\Users\Admin\AppData\Local\Temp\ra.exe"
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
"C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | VeriannavFf1.com | udp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| GB | 62.172.138.8:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | Quishbyleby2.com | udp |
| US | 8.8.8.8:53 | VeriannavFf1.com | udp |
Files
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
| MD5 | b2b27ccaded1db8ee341d5bd2c373044 |
| SHA1 | 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d |
| SHA256 | e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911 |
| SHA512 | 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1 |
\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
| MD5 | b2b27ccaded1db8ee341d5bd2c373044 |
| SHA1 | 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d |
| SHA256 | e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911 |
| SHA512 | 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\PCICL32.dll
| MD5 | d3d39180e85700f72aaae25e40c125ff |
| SHA1 | f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15 |
| SHA256 | 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5 |
| SHA512 | 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
| MD5 | b2b27ccaded1db8ee341d5bd2c373044 |
| SHA1 | 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d |
| SHA256 | e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911 |
| SHA512 | 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1 |
\Users\Admin\AppData\Roaming\WinUpdateSupp\PCICL32.DLL
| MD5 | d3d39180e85700f72aaae25e40c125ff |
| SHA1 | f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15 |
| SHA256 | 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5 |
| SHA512 | 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcichek.dll
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
\Users\Admin\AppData\Roaming\WinUpdateSupp\PCICHEK.DLL
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
\Users\Admin\AppData\Roaming\WinUpdateSupp\pcicapi.dll
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcicapi.dll
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
\Users\Admin\AppData\Roaming\WinUpdateSupp\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\NSM.LIC
| MD5 | b92efb48cd47f8cd6c4c9c703d70dae0 |
| SHA1 | 4ea210c6684b1899f8249f274b1818f6c08915b1 |
| SHA256 | 72f19a95165798268aff5f8a8f53c0b8e29bd601ee0da70497cca2592d04bea4 |
| SHA512 | 2f082923c8a0a677ff9d9abd2387eeff4101b982932f78bceff988965e9b4faa79e14ee8c3613773235df94211a6f1f2bae0bdd89a6fdb4befc9a677bbdb02fa |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.ini
| MD5 | 4040911cc377753963e4a3d43ec45b6a |
| SHA1 | 2ac9ffb512f0bd0c4f04d6cd66181d0c57a83ab8 |
| SHA256 | ed437b26b0e2ae70cd9b8161d2f111e5e0f81658646b6c548eecfca1997fe64e |
| SHA512 | 93ce25c025c9c2a6e0ce5758c690a30298619159ebb180379edc71272e41ff28f5be00539dac4f9d7f825b48dee9ceb7c1fef2e04c9094951fdfa585859eacaa |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\TCCTL32.DLL
| MD5 | 2c88d947a5794cf995d2f465f1cb9d10 |
| SHA1 | c0ff9ea43771d712fe1878dbb6b9d7a201759389 |
| SHA256 | 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e |
| SHA512 | e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542 |
\Users\Admin\AppData\Roaming\WinUpdateSupp\TCCTL32.DLL
| MD5 | 2c88d947a5794cf995d2f465f1cb9d10 |
| SHA1 | c0ff9ea43771d712fe1878dbb6b9d7a201759389 |
| SHA256 | 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e |
| SHA512 | e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\HTCTL32.DLL
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |
\Users\Admin\AppData\Roaming\WinUpdateSupp\HTCTL32.DLL
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-12 19:37
Reported
2023-07-12 19:40
Platform
win10v2004-20230703-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
NetSupport
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ra.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autorunings.ini.lnk | C:\Users\Admin\AppData\Local\Temp\ra.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2636 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
| PID 2636 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
| PID 2636 wrote to memory of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\ra.exe | C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\ra.exe
"C:\Users\Admin\AppData\Local\Temp\ra.exe"
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
"C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | VeriannavFf1.com | udp |
| US | 8.8.8.8:53 | geo.netsupportsoftware.com | udp |
| GB | 51.142.119.24:80 | geo.netsupportsoftware.com | tcp |
| US | 8.8.8.8:53 | Quishbyleby2.com | udp |
| US | 8.8.8.8:53 | 24.119.142.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | VeriannavFf1.com | udp |
| US | 8.8.8.8:53 | Quishbyleby2.com | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | VeriannavFf1.com | udp |
| US | 8.8.8.8:53 | Quishbyleby2.com | udp |
Files
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
| MD5 | b2b27ccaded1db8ee341d5bd2c373044 |
| SHA1 | 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d |
| SHA256 | e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911 |
| SHA512 | 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
| MD5 | b2b27ccaded1db8ee341d5bd2c373044 |
| SHA1 | 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d |
| SHA256 | e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911 |
| SHA512 | 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.exe
| MD5 | b2b27ccaded1db8ee341d5bd2c373044 |
| SHA1 | 1d0f9ca17c0961eeabffc2ba54e16854a13c8a9d |
| SHA256 | e4985a9739637aad4a409c95da33a1304dc17fd6ef9046159b27c0b137a57911 |
| SHA512 | 0987b11aa110ea6b6f4fe4361e587aff010508251644bdfb681a578fa4726fb56af039d55e0b74682fd7031414f665a98656186b220264c122a47d23751dcee1 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\PCICL32.dll
| MD5 | d3d39180e85700f72aaae25e40c125ff |
| SHA1 | f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15 |
| SHA256 | 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5 |
| SHA512 | 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\PCICL32.DLL
| MD5 | d3d39180e85700f72aaae25e40c125ff |
| SHA1 | f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15 |
| SHA256 | 38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5 |
| SHA512 | 471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcichek.dll
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcicapi.dll
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\pcicapi.dll
| MD5 | 34dfb87e4200d852d1fb45dc48f93cfc |
| SHA1 | 35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641 |
| SHA256 | 2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703 |
| SHA512 | f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\msvcr100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\MSVCR100.dll
| MD5 | 0e37fbfa79d349d672456923ec5fbbe3 |
| SHA1 | 4e880fc7625ccf8d9ca799d5b94ce2b1e7597335 |
| SHA256 | 8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18 |
| SHA512 | 2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\PCICHEK.DLL
| MD5 | 104b30fef04433a2d2fd1d5f99f179fe |
| SHA1 | ecb08e224a2f2772d1e53675bedc4b2c50485a41 |
| SHA256 | 956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd |
| SHA512 | 5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\NSM.LIC
| MD5 | b92efb48cd47f8cd6c4c9c703d70dae0 |
| SHA1 | 4ea210c6684b1899f8249f274b1818f6c08915b1 |
| SHA256 | 72f19a95165798268aff5f8a8f53c0b8e29bd601ee0da70497cca2592d04bea4 |
| SHA512 | 2f082923c8a0a677ff9d9abd2387eeff4101b982932f78bceff988965e9b4faa79e14ee8c3613773235df94211a6f1f2bae0bdd89a6fdb4befc9a677bbdb02fa |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\client32.ini
| MD5 | 4040911cc377753963e4a3d43ec45b6a |
| SHA1 | 2ac9ffb512f0bd0c4f04d6cd66181d0c57a83ab8 |
| SHA256 | ed437b26b0e2ae70cd9b8161d2f111e5e0f81658646b6c548eecfca1997fe64e |
| SHA512 | 93ce25c025c9c2a6e0ce5758c690a30298619159ebb180379edc71272e41ff28f5be00539dac4f9d7f825b48dee9ceb7c1fef2e04c9094951fdfa585859eacaa |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\TCCTL32.DLL
| MD5 | 2c88d947a5794cf995d2f465f1cb9d10 |
| SHA1 | c0ff9ea43771d712fe1878dbb6b9d7a201759389 |
| SHA256 | 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e |
| SHA512 | e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\TCCTL32.DLL
| MD5 | 2c88d947a5794cf995d2f465f1cb9d10 |
| SHA1 | c0ff9ea43771d712fe1878dbb6b9d7a201759389 |
| SHA256 | 2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e |
| SHA512 | e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542 |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\HTCTL32.DLL
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |
C:\Users\Admin\AppData\Roaming\WinUpdateSupp\HTCTL32.DLL
| MD5 | c94005d2dcd2a54e40510344e0bb9435 |
| SHA1 | 55b4a1620c5d0113811242c20bd9870a1e31d542 |
| SHA256 | 3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899 |
| SHA512 | 2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a |