netsupport | c38f9d7b02cb20690aae34a7b85ca91c95be43813ca609694d79a13111357bf4

Resubmissions

Analysis

max time kernel
357s
max time network
317s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-06-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TestFKRT.exe
Size

375KB
MD5

7167b97b30f2650bc2fe30ea6aea8c60
SHA1

1df3d35a76b75545a092db90ad74a5732a52be00
SHA256

c38f9d7b02cb20690aae34a7b85ca91c95be43813ca609694d79a13111357bf4
SHA512

183fbe184aae509f5e7728316dc6e31e1505476dce42c17e433d0c3b1c6865bef55ff806ad359bd0dfb0e7d945d4ba11a7565067b88fec3f514ee3e3d4128b0c
SSDEEP

6144:MOGkB/vhyOc10KgGwHqwOOELha+sm2D2+UhngNQK4t6DqeLUEEiRgc5uJV/qb:vhzc10KgGXFhazmdVg+K4t6DqbEBuJV

Score

10^/10

netsupport rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Executes dropped EXE 4 IoCs

pid	Process
1004	client.exe
2692	client32.exe
5028	client.exe
4360	client32.exe

Loads dropped DLL 9 IoCs

pid	Process
2692	client32.exe
2692	client32.exe
2692	client32.exe
2692	client32.exe
2692	client32.exe
4360	client32.exe
4360	client32.exe
4360	client32.exe
4360	client32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	bitbucket.org
2	bitbucket.org

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3104	schtasks.exe

Opens file in notepad (likely ransom note) 3 IoCs

ransomware

pid	Process
3828	NOTEPAD.EXE
3060	NOTEPAD.EXE
3568	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2644	PING.EXE

Runs regedit.exe 1 IoCs

pid	Process
1264	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4412	TestFKRT.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1264	regedit.exe
4464	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	TestFKRT.exe
Token: SeDebugPrivilege	1004	client.exe
Token: SeSecurityPrivilege	2692	client32.exe
Token: SeDebugPrivilege	4464	taskmgr.exe
Token: SeSystemProfilePrivilege	4464	taskmgr.exe
Token: SeCreateGlobalPrivilege	4464	taskmgr.exe
Token: SeDebugPrivilege	5028	client.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2692	client32.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe
4464	taskmgr.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 1004	4412	TestFKRT.exe	73
PID 4412 wrote to memory of 1004	4412	TestFKRT.exe	73
PID 1004 wrote to memory of 5116	1004	client.exe	74
PID 1004 wrote to memory of 5116	1004	client.exe	74
PID 5116 wrote to memory of 5008	5116	cmd.exe	76
PID 5116 wrote to memory of 5008	5116	cmd.exe	76
PID 1004 wrote to memory of 1716	1004	client.exe	77
PID 1004 wrote to memory of 1716	1004	client.exe	77
PID 1716 wrote to memory of 3104	1716	cmd.exe	79
PID 1716 wrote to memory of 3104	1716	cmd.exe	79
PID 1004 wrote to memory of 3868	1004	client.exe	80
PID 1004 wrote to memory of 3868	1004	client.exe	80
PID 3868 wrote to memory of 2692	3868	cmd.exe	82
PID 3868 wrote to memory of 2692	3868	cmd.exe	82
PID 3868 wrote to memory of 2692	3868	cmd.exe	82
PID 4412 wrote to memory of 3568	4412	TestFKRT.exe	83
PID 4412 wrote to memory of 3568	4412	TestFKRT.exe	83
PID 3568 wrote to memory of 2644	3568	cmd.exe	85
PID 3568 wrote to memory of 2644	3568	cmd.exe	85
PID 5028 wrote to memory of 4196	5028	client.exe	96
PID 5028 wrote to memory of 4196	5028	client.exe	96
PID 4196 wrote to memory of 3188	4196	cmd.exe	98
PID 4196 wrote to memory of 3188	4196	cmd.exe	98
PID 5028 wrote to memory of 5040	5028	client.exe	99
PID 5028 wrote to memory of 5040	5028	client.exe	99
PID 5040 wrote to memory of 4360	5040	cmd.exe	101
PID 5040 wrote to memory of 4360	5040	cmd.exe	101
PID 5040 wrote to memory of 4360	5040	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\TestFKRT.exe
"C:\Users\Admin\AppData\Local\Temp\TestFKRT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client.exe
  "C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /query /tn "Adobe Acrobat Update Task 2.0"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /tn "Adobe Acrobat Update Task 2.0"
      4⤵
      PID:5008
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c schtasks /create /tn "Adobe Acrobat Update Task 2.0" /tr "C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client.exe" /sc onlogon
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /tn "Adobe Acrobat Update Task 2.0" /tr "C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client.exe" /sc onlogon
      4⤵
      Creates scheduled task(s)
      PID:3104
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd" /c C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client32.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client32.exe
      C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client32.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:2692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 3001 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\TestFKRT.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\system32\PING.EXE
    ping 1.1.1.1 -n 1 -w 3001
    3⤵
    - Runs ping.exe
    PID:2644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5084

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4464

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
1⤵
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:1264

C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client.exe
"C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c schtasks /query /tn "Adobe Acrobat Update Task 2.0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\system32\schtasks.exe
    schtasks /query /tn "Adobe Acrobat Update Task 2.0"
    3⤵
    PID:3188
- C:\Windows\SYSTEM32\cmd.exe
  "cmd" /c C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client32.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5040
- - C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client32.exe
    C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client32.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4360

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\NSM.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:3828

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\nsm_vpro.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:3060

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\nskbfltr.inf
1⤵
- Opens file in notepad (likely ransom note)
PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\HTCTL32.DLL

Filesize
316KB

MD5
051cdb6ac8e168d178e35489b6da4c74

SHA1
38c171457d160f8a6f26baa668f5c302f6c29cd1

SHA256
6562585009f15155eea9a489e474cebc4dd2a01a26d846fdd1b93fdc24b0c269

SHA512
602ab9999f7164a2d1704f712d8a622d69148eefe9a380c30bc8b310eadedf846ce6ae7940317437d5da59404d141dc2d1e0c3f954ca4ac7ae3497e56fcb4e36

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\NSM.LIC

Filesize
261B

MD5
886e4bb84e1ecc4a04ae599d76fcce1d

SHA1
3f0493bb2088af50bcc8223462db0b207354e946

SHA256
5eeb014e3b390e0c85ce72988d422dcd9de1520566b11755c70bdd9bb7376060

SHA512
f4db9038a113c4b1e2462b3e0becef2500c9532a79c8187f51d011d690bc68c6d1a99585e43136cb082bd6a232136546db50265f226ff19e67d8430306a8761f

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\NSM.ini

Filesize
5KB

MD5
99f493dce7fab330dc47f0cab8fe6172

SHA1
16906fb5988303bb462b65ff4ece23539a12f4b5

SHA256
e0ed36c897eaa5352fab181c20020b60df4c58986193d6aaf5bf3e3ecdc4c05d

SHA512
2c58171c30aec8ae131a7c32162856fce551b55f861d0d9fb0e27a91bd7084388df5860392f80cdbc6df6e64e97d8bf2cae587c3d6b7c142ce711ae8e240bb01

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\PCICAPI.dll

Filesize
106KB

MD5
67c53a770390e8c038060a1921c20da9

SHA1
49e63af91169c8ce7ef7de3d6a6fb9f8f739fa3a

SHA256
2dfdc169dfc27462adc98dde39306de8d0526dcf4577a1a486c2eef447300689

SHA512
201e07dbccd83480d6c4d8562e6d0a9e4c52ed12895f0b91d875c2bbcc50b3b1802e11e5e829c948be302bf98ebde7fb2a99476065d1709b3bdbcd5d59a1612d

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\PCICL32.dll

Filesize
3.3MB

MD5
e7b92529ea10176fe35ba73fa4edef74

SHA1
fc5b325d433cde797f6ad0d8b1305d6fb16d4e34

SHA256
b6d4ad0231941e0637485ac5833e0fdc75db35289b54e70f3858b70d36d04c80

SHA512
fb3a70e87772c1fb386ad8def6c7bdf325b8d525355d4386102649eb2d61f09ce101fce37ccc1f44d5878e604e2e426d96618e836367ab460cae01f627833517

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client.exe

Filesize
96KB

MD5
fe20ebcd69e728d57ff058b5f9830a4a

SHA1
6304cddd5023683db90c0148629ff07b6fd1710d

SHA256
eda423d23645a1c7ad5597636fb5a69c612423777751eb6c29ef93ac9e450ca5

SHA512
5a8a38cad9b38e86a6a9e8f79a6b08125184afad02d9183a96c0c54cd6d1800a06308747a5cc8178ac9d865c4a40f5aea4a36bf557ad2f37c563a09fdbb694bc

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\client32.ini

Filesize
712B

MD5
14f8e0f5b04cf17366770cdaed40f420

SHA1
7362897e7d48934971dead1f0ae70f9db328017d

SHA256
248a22716a2b9555cd21cbe12506887db59f2a30441a1eae8781a31febbe710b

SHA512
6284b884a9c8892d50f161d9ffb80a51e26f71db90ff1c386d75a60b38d38e9e1151f864c45f8248f3e3acee666765c0b63a035ab9c19d884e00176f4e12f5ab

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\nskbfltr.inf

Filesize
328B

MD5
26e28c01461f7e65c402bdf09923d435

SHA1
1d9b5cfcc30436112a7e31d5e4624f52e845c573

SHA256
d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368

SHA512
c30ec66fecb0a41e91a31804be3a8b6047fc3789306adc106c723b3e5b166127766670c7da38d77d3694d99a8cddb26bc266ee21dba60a148cdf4d6ee10d27d7

Download Submit
C:\Users\Admin\AppData\Roaming\wnsp_92027\winsup\nsm_vpro.ini

Filesize
46B

MD5
3be27483fdcdbf9ebae93234785235e3

SHA1
360b61fe19cdc1afb2b34d8c25d8b88a4c843a82

SHA256
4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b

SHA512
edbe8cf1cbc5fed80fedf963ade44e08052b19c064e8bca66fa0fe1b332141fbe175b8b727f8f56978d1584baaf27d331947c0b3593aaff5632756199dc470e5

Download Submit
\Users\Admin\AppData\Roaming\wnsp_92027\winsup\PCICHEK.DLL

Filesize
14KB

MD5
3aabcd7c81425b3b9327a2bf643251c6

SHA1
ea841199baa7307280fc9e4688ac75e5624f2181

SHA256
0cff893b1e7716d09fb74b7a0313b78a09f3f48c586d31fc5f830bd72ce8331f

SHA512
97605b07be34948541462000345f1e8f9a9134d139448d4f331cefeeca6dad51c025fcab09d182b86e5a4a8e2f9412b3745ec86b514b0523497c821cb6b8c592

Download Submit
memory/1004-57-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-38-0x000001B49E3A0000-0x000001B49E3BC000-memory.dmp

Filesize
112KB

Download
memory/1004-40-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/1004-39-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-5-0x000002628BEF0000-0x000002628BF02000-memory.dmp

Filesize
72KB

Download
memory/4412-0-0x000002628A150000-0x000002628A1B2000-memory.dmp

Filesize
392KB

Download
memory/4412-4-0x000002628BEC0000-0x000002628BECA000-memory.dmp

Filesize
40KB

Download
memory/4412-2-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-56-0x00007FFAA0040000-0x00007FFAA0A2C000-memory.dmp

Filesize
9.9MB

Download
memory/4412-1-0x00007FFAA0043000-0x00007FFAA0044000-memory.dmp

Filesize
4KB

Download