Analysis
max time kernel: 145s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system
submitted: 20/02/2024, 17:51
Behavioral task behavioral1: Sample 29ada151e3522de32e9a00d4fb80c703.exe, Resource win7-20231215-en
Behavioral task behavioral2: Sample 29ada151e3522de32e9a00d4fb80c703.exe, Resource win10v2004-20231215-en
The signatures and IoCs on this page come from behavioral2 (Windows 10 2004 x64, memory dumps are labelled behavioral2/...); the Windows 7 run is not shown here.
General
Target: 29ada151e3522de32e9a00d4fb80c703.exe
Size: 20.6MB
MD5: 29ada151e3522de32e9a00d4fb80c703
SHA1: dda54ebdacde6dddc16038b1790d49c51b4006cb
SHA256: 7831c040565e36128d3f589b734338eb5cf216290dc0c2138d8564689991ae62
SHA512: 684f0bbc8c2c1e7c85822565d0c4a8772648d5c5cbd49a9c6018f5faa2afda27a793cbf05f45a5a256619020e682f6409fc31287fcc984590c1672e13b07d6a6
SSDEEP: 393216:C0s4AglBegE+a1fkHYrX4FbZevN67zmJteZD4XIqNfRyUuL:CclBnra1fkH+AC+iJteBaNfRp
Malware Config
Signatures
NetSupport
NetSupport Manager is a commercial remote access tool sold as legitimate system administration software, and its client (client32.exe with PCICL32.DLL, HTCTL32.DLL, TCCTL32.DLL, remcmdstub.exe, client32.ini and NSM.LIC) is widely abused as a RAT. In this run it is installed from the embedded Windows Installer package ns.msi (ProductName "NetSupport Manager", ProductCode {64893459-B4B8-403D-8E2D-8395D2BA3F1F}) into C:\Program Files (x86)\pchelper\: the sample spawns cmd.exe, which launches msiexec.exe; the Installer service then runs WINSTALL.EXE and winst64.exe, which register the keyboard-filter driver nskbfltr.sys and the Client32Provider COM server, and client32.exe starts under the LocalSystem profile (see the config\systemprofile paths below).
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\nskbfltr.sys | winst64.exe
The same driver (nskbfltr.inf, nskbfltr.sys) is also staged in the install directory, see the Program Files listing below.
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" | WINSTALL.EXE
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), a common geofence check. Both cmd.exe and the sample itself read it; the same read also happens during normal locale initialisation, so treat it as a hint rather than proof of geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation | 29ada151e3522de32e9a00d4fb80c703.exe
Executes dropped EXE 8 IoCs
pid | Process
4396 | MSI8EB1.tmp
1764 | MSI8F5E.tmp
2276 | checkdvd.exe
3656 | WINSTALL.EXE
1544 | winst64.exe
968 | WINSTALL.EXE
2456 | client32.exe
2040 | client32.exe
Loads dropped DLL 43 IoCs
pid | Process | loads
4040 | MsiExec.exe | 21
532 | MsiExec.exe | 2
3656 | WINSTALL.EXE | 2
1544 | winst64.exe | 1
968 | WINSTALL.EXE | 1
2456 | client32.exe | 7
2040 | client32.exe | 9
Registers COM server for autorun 1 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32 | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ = "Client32Provider.dll" | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ThreadingModel = "Apartment" | winst64.exe
The InProcServer32 default value is a bare DLL name rather than a full path, so COM resolves it through the loader search order; winst64.exe copies the DLL to C:\Windows\system32\client32provider.dll (see Drops file in System32 directory below) so that lookup succeeds.
UPX packed file 3 IoCs
resource | yara_rule
behavioral2/memory/3084-0-0x0000000000400000-0x00000000019A1000-memory.dmp | upx
behavioral2/memory/3084-130-0x0000000000400000-0x00000000019A1000-memory.dmp | upx
behavioral2/memory/3084-341-0x0000000000400000-0x00000000019A1000-memory.dmp | upx
Blocklisted process makes network request 1 IoCs
flow | pid | Process
15 | 4784 | msiexec.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive. msiexec.exe probing every drive letter is normal Windows Installer costing behaviour; the two reads by client32.exe are the ones attributable to the NetSupport client.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 letters, every drive except C:, D: and F:) | msiexec.exe
File opened (read-only) | \??\A: \??\B: | client32.exe
Modifies WinLogon 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" | WINSTALL.EXE
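The four persistence-related signatures above (driver dropped into \drivers\, service ImagePath written directly to the registry, InProcServer32 set to a bare DLL name, Winlogon value changed) translate into endpoint hunt rules. The script below is an added example, not code from the sandbox report or from NetSupport: it runs such rules over constructed Sysmon-style records (Event ID 11 FileCreate and Event ID 13 RegistryEvent value set; Sysmon does not log registry reads, so the Geo\Nation and SCSI lookups elsewhere in this report cannot be hunted this way). The field names follow the Sysmon schema, the values are copied from this report's IoCs with the install directory shortened to "<nsm>", and the allowlists are assumptions to tune per estate.

```python
import ntpath
import re

# Constructed Sysmon-style events (11 = FileCreate, 13 = RegistryEvent value set).
# Values mirror this report's IoCs; "<nsm>" stands in for the NetSupport install
# directory. The last two events are benign noise that the allowlists must drop.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"<nsm>\winst64.exe",
     "TargetFilename": r"C:\Windows\system32\drivers\nskbfltr.sys"},
    {"EventID": 13, "Image": r"<nsm>\WINSTALL.EXE",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\nskbfltr\ImagePath",
     "Details": r"\SystemRoot\system32\drivers\nskbfltr.sys"},
    {"EventID": 13, "Image": r"<nsm>\winst64.exe",
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\(Default)",
     "Details": "Client32Provider.dll"},
    {"EventID": 13, "Image": r"<nsm>\WINSTALL.EXE",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",   # SCM writing a service key
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\example\ImagePath",
     "Details": r"C:\Windows\System32\drivers\example.sys"},
    {"EventID": 11, "Image": r"C:\Windows\System32\drvinst.exe",    # normal driver staging
     "TargetFilename": r"C:\Windows\System32\drivers\example.sys"},
]

# Assumed allowlists: processes expected to touch these locations on a clean host.
DRIVER_STAGERS = {"services.exe", "drvinst.exe", "trustedinstaller.exe", "tiworker.exe"}
SERVICE_KEY_WRITERS = {"services.exe"}
WINLOGON_WRITERS = {"winlogon.exe", "svchost.exe", "tiworker.exe"}

RE_DRIVER_FILE = re.compile(r"\\drivers\\[^\\]+\.sys$", re.I)
RE_IMAGEPATH = re.compile(r"\\services\\([^\\]+)\\imagepath$", re.I)
RE_INPROC_DEFAULT = re.compile(r"\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32\\\(default\)$", re.I)
RE_WINLOGON = re.compile(r"\\winlogon\\[^\\]+$", re.I)


def image_name(ev):
    """Lower-cased file name of the acting process."""
    return ntpath.basename(ev["Image"]).lower()


def rule_driver_drop(ev):
    """A .sys written into \\drivers\\ by something other than the usual stagers."""
    if ev["EventID"] != 11 or not RE_DRIVER_FILE.search(ev["TargetFilename"]):
        return None
    if image_name(ev) in DRIVER_STAGERS:
        return None
    return {"rule": "driver_drop", "image": image_name(ev), "target": ev["TargetFilename"]}


def rule_service_imagepath(ev):
    """ImagePath written straight into the registry, bypassing the SCM (CreateService)."""
    if ev["EventID"] != 13:
        return None
    m = RE_IMAGEPATH.search(ev["TargetObject"])
    if not m or image_name(ev) in SERVICE_KEY_WRITERS:
        return None
    return {"rule": "service_imagepath", "image": image_name(ev),
            "target": ev["Details"], "service": m.group(1)}


def rule_com_inproc_bare_dll(ev):
    """InProcServer32 default set to a bare DLL name: loaded via search order, not a fixed path."""
    if ev["EventID"] != 13:
        return None
    m = RE_INPROC_DEFAULT.search(ev["TargetObject"])
    if not m or "\\" in ev["Details"]:
        return None
    return {"rule": "com_inproc_bare_dll", "image": image_name(ev),
            "target": ev["Details"], "clsid": m.group(1)}


def rule_winlogon_tamper(ev):
    """Any value under ...\\Winlogon written by a process outside the allowlist."""
    if ev["EventID"] != 13 or not RE_WINLOGON.search(ev["TargetObject"]):
        return None
    if image_name(ev) in WINLOGON_WRITERS:
        return None
    return {"rule": "winlogon_tamper", "image": image_name(ev), "target": ev["TargetObject"]}


RULES = (rule_driver_drop, rule_service_imagepath, rule_com_inproc_bare_dll, rule_winlogon_tamper)


def hunt(events):
    """Run every rule over every event; findings come back in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Against the constructed events this yields exactly the four NetSupport artefacts (winst64.exe: driver drop and COM registration; WINSTALL.EXE: ImagePath and Winlogon) and drops the two benign records. The bare-DLL COM rule is deliberately narrow: it flags only a default value without a path component, which is what this report shows and what makes the registration dependent on the copy into System32.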
Drops file in System32 directory 12 IoCs
The C:\Windows\SysWOW64\config\systemprofile paths show client32.exe running as LocalSystem (32-bit, hence SysWOW64); the INetCache, INetCookies and History entries are WinINet residue from an HTTP fetch whose cached response is loca[1].htm (the URL is not shown on this page).
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | client32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | client32.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\NetSupport\NetSupport Manager\IXMQMCCR_HF.bin | client32.exe
File created | C:\Windows\SysWOW64\pcimsg.dll | WINSTALL.EXE
File created | C:\Windows\system32\client32provider.dll | winst64.exe
File opened for modification | C:\Windows\system32\client32provider.dll | winst64.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | client32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | client32.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\NetSupport\NetSupport Manager\IXMQMCCR_SW.bin | client32.exe
File opened for modification | C:\Windows\SysWOW64\pcimsg.dll | WINSTALL.EXE
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\loca[1].htm | client32.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\NetSupport\NetSupport Manager\IXMQMCCR_HW.bin | client32.exe
Drops file in Program Files directory 64 IoCs
All paths below are under C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\. The directory name is the Windows-1251 (Cyrillic) string Удаленный помощник ("Remote Assistant") displayed through a Western-European code page, i.e. a Russian-localised NetSupport build; when hunting, match on the pchelper parent directory or on the file names rather than on either spelling. The .lnk names and the "NetSupport School" shell-verb labels further down were lost the same way and are shown with ? as in the source. Three tables on this page stop at exactly 64 entries, so this listing is capped; files such as client32.exe, which the process list shows running from this directory, are absent from it for that reason.
description | ioc | Process
File created | Control.kbd, nsmexec.exe, PCIRES.dll, Inv\baseboard.gif, pscrinst64.dll, supporttool.exe, NSM.ini, injlib.dll, PCIHOOKS.DLL, PCIVDD.DLL, Inv\broken.gif, Inv\btn_up.gif, Inv\disk2.gif, VolumeControlWXP.DLL, AudioCapture.dll, IsMetro.exe, toastMessage.png, gdihook5.INF, winst64.exe, msvcp100.dll, PCIIMAGE.DLL, Inv\computer2.gif, Inv\header.gif, WdfCoInstaller01005.dll, NSClient32UI.exe, Inv\bar.gif, x64\gdihook5.sys, clhook4.dll, nspscr.cat, product.dat, mfc100u.dll, pcictl.dll, HTCTL32.DLL, logo.png, NSToast.exe, PCIhtmlgen.dll, Inv\cpu2.gif, Inv\keyboard2.gif, startlogo.bmp, remcmdstub.exe, Inv\btn_up_grey.gif, Inv\verified.gif, checkdvd.exe, x64\gdihook5.dll, nskbfltr.inf, msvcr100.dll, Client32.upd, NSM.LIC, IcoViewer.dll, pcisys.sys, PCICL32.DLL, TCCTL32.DLL, Inv\btn_down_grey.gif, Inv\greenbar.gif, Client32Provider.dll, nsm32.chm, nskbfltr.sys, VolumeControlWVI.DLL, toastImageAndText.png (59 files) | msiexec.exe
File opened for modification | client32.ini | WINSTALL.EXE
File created | _?????? ?????? ???????????.lnk | WINSTALL.EXE
File created | _??????.lnk | WINSTALL.EXE
File opened for modification | client32.log (2 entries) | client32.exe
Drops file in Windows directory 36 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI84FF.tmp, MSI8C0E.tmp, MSI8D28.tmp, MSI86F6.tmp, MSI8726.tmp, MSI9712.tmp, MSI8988.tmp, MSI8BDE.tmp, MSI8E24.tmp, MSI9490.tmp, MSI97BF.tmp, MSI987B.tmp, MSIAD6E.tmp, MSI8B1F.tmp, MSI8D58.tmp, MSIA6B5.tmp, MSI8667.tmp, MSI8B8F.tmp, MSI8EB1.tmp, MSIAD8E.tmp, MSI8697.tmp, MSI8B3F.tmp, MSI8F5E.tmp, MSI90A7.tmp, MSIAD4E.tmp (25 Installer temp files; MSI8EB1.tmp and MSI8F5E.tmp were subsequently executed, see Executes dropped EXE) | msiexec.exe
File opened for modification | C:\Windows\Installer\{64893459-B4B8-403D-8E2D-8395D2BA3F1F}\ARPPRODUCTICON.exe | msiexec.exe
File opened for modification | C:\Windows\setuperr.log | WINSTALL.EXE
File created | C:\Windows\Installer\SourceHash{64893459-B4B8-403D-8E2D-8395D2BA3F1F} | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\setupact.log | WINSTALL.EXE
File opened for modification | C:\Windows\Installer\e5780e8.msi | msiexec.exe
File created | C:\Windows\Installer\e5780ec.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\e5780e8.msi | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\{64893459-B4B8-403D-8E2D-8395D2BA3F1F}\ARPPRODUCTICON.exe | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 24 IoCs
SCSI information is often read in order to detect sandboxing environments. Here every read comes from client32.exe, and the Inv\ assets dropped alongside it (baseboard.gif, disk2.gif, cpu2.gif, keyboard2.gif, PCIhtmlgen.dll) belong to NetSupport's hardware-inventory feature, so on its own this is weak evidence of sandbox evasion.
description | ioc | Process
Each of the eight keys below was opened, queried and enumerated (3 operations x 8 keys = 24 IoCs).
Key opened, queried, enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | client32.exe
Key opened, queried, enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK | client32.exe
Key opened, queried, enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | client32.exe
Key opened, queried, enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM | client32.exe
Key opened, queried, enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000 | client32.exe
Key opened, queried, enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM | client32.exe
Key opened, queried, enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 | client32.exe
Key opened, queried, enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 | client32.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | client32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | client32.exe
Modifies data under HKEY_USERS 21 IoCs
The client32.exe writes under \REGISTRY\USER\.DEFAULT\...\Internet Settings are WinINet initialising its zone map and cache in the .DEFAULT hive, which is what a process running as LocalSystem uses; they match the systemprofile paths above.
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY\HANDOFFPRIORITIES\MEDIAMODES | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | client32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | client32.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | client32.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | client32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | client32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\MediaModes | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | client32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | client32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (empty value) | client32.exe
Modifies registry class 64 IoCs
Highlights: msiexec.exe/MsiExec.exe register the IcoViewer COM class {81B6FD0E-25FF-4465-9918-2DFA7B9A4B46} with type library {C58E5039-E78C-441D-AA62-383AD6F38FC8}, the .rpf/NSReplayFile replay-file type, and the Windows Installer product metadata (ProductName "NetSupport Manager", PackageName "ns.msi", PackageCode 68265B98271455D4386DAE3412FCCAEF); WINSTALL.EXE adds a "show" shell verb for ASF, WMV, MPEG, MOV and AVI files that launches pcinssui.exe /ShowVideo; winst64.exe names the Client32Provider CLSID {71C5A887-11E0-4c5a-9B9B-D4A074555692} registered under Registers COM server for autorun above.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\ = "IconViewer Class" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command\ = "\"C:\\Program Files (x86)\\pchelper\\Óäàëåííûé ïîìîùíèê\\pcinssui.exe\" /ShowVideo \"%L\"" | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0} | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID\ = "IcoViewer.IconViewer" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command | WINSTALL.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\954398468B4BD304E8D238592DABF3F1\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\954398468B4BD304E8D238592DABF3F1\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib\ = "{C58E5039-E78C-441D-AA62-383AD6F38FC8}" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\FLAGS | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2C61D9FBB5C49E141B2D086B0653E432 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&???????? ? NetSupport School" | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\ = "IcoViewer 1.0 Type Library" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Nde0e7e1b | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\954398468B4BD304E8D238592DABF3F1\ProductName = "NetSupport Manager" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\954398468B4BD304E8D238592DABF3F1\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\ = "Client32Provider" | winst64.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32\ThreadingModel = "Apartment" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\954398468B4BD304E8D238592DABF3F1\Client = "NSM" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID\ = "IcoViewer.IconViewer.1" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus\1 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\954398468B4BD304E8D238592DABF3F1\PackageCode = "68265B98271455D4386DAE3412FCCAEF" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\954398468B4BD304E8D238592DABF3F1\SourceList\PackageName = "ns.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\pchelper\\Óäàëåííûé ïîìîùíèê\\pcinssui.exe\" /ShowVideo \"%L\"" | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\0\win32\ = "C:\\Program Files (x86)\\pchelper\\Óäàëåííûé ïîìîùíèê\\IcoViewer.dll" | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32 | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control | MsiExec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\CurVer\ = "IcoViewer.IconViewer.1" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\954398468B4BD304E8D238592DABF3F1\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\pchelper\\Óäàëåííûé ïîìîùíèê\\pcinssui.exe\" /ShowVideo \"%L\"" | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\ = "&???????? ? NetSupport School" | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32 | winst64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46} | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\CurVer | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell | WINSTALL.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib\Version = "1.0" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\NSReplayFile | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\ = "IconViewer Class" | MsiExec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32 | MsiExec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command | WINSTALL.EXE
Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable | msiexec.exe
Modifies registry key 1 TTPs 1 IoCs
pid | Process
2008 | reg.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process | count
4784 | msiexec.exe | 2
3656 | WINSTALL.EXE | 6
2456 | client32.exe | 2
2040 | client32.exe | 4
Suspicious use of AdjustPrivilegeToken 64 IoCs
Both processes here are msiexec.exe: 3804 is the client started by cmd.exe, 4784 the Windows Installer service instance. Enabling the whole privilege set in one sweep, followed by repeated SeRestorePrivilege/SeTakeOwnershipPrivilege toggles while files are written, is the Installer's normal behaviour for any MSI and is not specific to this sample.
description | pid | Process
Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 adjustments, in report order) | 3804 | msiexec.exe
Token: SeSecurityPrivilege (1), then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (16 each; 33 adjustments) | 4784 | msiexec.exe
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2040 client32.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2040 client32.exe -
Suspicious use of WriteProcessMemory 43 IoCs
description pid Process procid_target
PID 3084 wrote to memory of 2940 3084 29ada151e3522de32e9a00d4fb80c703.exe 84
PID 3084 wrote to memory of 2940 3084 29ada151e3522de32e9a00d4fb80c703.exe 84
PID 3084 wrote to memory of 2940 3084 29ada151e3522de32e9a00d4fb80c703.exe 84
PID 2940 wrote to memory of 3804 2940 cmd.exe 87
PID 2940 wrote to memory of 3804 2940 cmd.exe 87
PID 2940 wrote to memory of 3804 2940 cmd.exe 87
PID 4784 wrote to memory of 4040 4784 msiexec.exe 89
PID 4784 wrote to memory of 4040 4784 msiexec.exe 89
PID 4784 wrote to memory of 4040 4784 msiexec.exe 89
PID 4784 wrote to memory of 2760 4784 msiexec.exe 91
PID 4784 wrote to memory of 2760 4784 msiexec.exe 91
PID 2760 wrote to memory of 4064 2760 cmd.exe 93
PID 2760 wrote to memory of 4064 2760 cmd.exe 93
PID 2760 wrote to memory of 4064 2760 cmd.exe 93
PID 4784 wrote to memory of 4396 4784 msiexec.exe 94
PID 4784 wrote to memory of 4396 4784 msiexec.exe 94
PID 4784 wrote to memory of 4396 4784 msiexec.exe 94
PID 4784 wrote to memory of 1764 4784 msiexec.exe 95
PID 4784 wrote to memory of 1764 4784 msiexec.exe 95
PID 4784 wrote to memory of 1764 4784 msiexec.exe 95
PID 4784 wrote to memory of 532 4784 msiexec.exe 96
PID 4784 wrote to memory of 532 4784 msiexec.exe 96
PID 4784 wrote to memory of 532 4784 msiexec.exe 96
PID 4784 wrote to memory of 2276 4784 msiexec.exe 99
PID 4784 wrote to memory of 2276 4784 msiexec.exe 99
PID 4784 wrote to memory of 2276 4784 msiexec.exe 99
PID 4784 wrote to memory of 3656 4784 msiexec.exe 101
PID 4784 wrote to memory of 3656 4784 msiexec.exe 101
PID 4784 wrote to memory of 3656 4784 msiexec.exe 101
PID 3656 wrote to memory of 1544 3656 WINSTALL.EXE 102
PID 3656 wrote to memory of 1544 3656 WINSTALL.EXE 102
PID 4784 wrote to memory of 1668 4784 msiexec.exe 103
PID 4784 wrote to memory of 1668 4784 msiexec.exe 103
PID 4784 wrote to memory of 1668 4784 msiexec.exe 103
PID 4784 wrote to memory of 968 4784 msiexec.exe 104
PID 4784 wrote to memory of 968 4784 msiexec.exe 104
PID 4784 wrote to memory of 968 4784 msiexec.exe 104
PID 2456 wrote to memory of 2040 2456 client32.exe 107
PID 2456 wrote to memory of 2040 2456 client32.exe 107
PID 2456 wrote to memory of 2040 2456 client32.exe 107
PID 2940 wrote to memory of 2008 2940 cmd.exe 108
PID 2940 wrote to memory of 2008 2940 cmd.exe 108
PID 2940 wrote to memory of 2008 2940 cmd.exe 108 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 4064 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\29ada151e3522de32e9a00d4fb80c703.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\29ada151e3522de32e9a00d4fb80c703.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3084

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7261.tmp\Install.bat" "
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory
      PID:2940

        C:\Windows\SysWOW64\msiexec.exe
          Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\7261.tmp\ns.msi" /qn /quiet /promptrestart
          - Suspicious use of AdjustPrivilegeToken
          PID:3804

        C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\SYSTEM\ControlSet001\services\Client32 /f /v DisplayName /t REG_SZ /d "PCHelper ôñá½Ñ¡¡δ⌐ »«¼«Θ¡¿¬"
          - Modifies registry key
          PID:2008

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4784

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 4F195369AA7229311D572A2454B62B78
      - Loads dropped DLL
      - Modifies registry class
      PID:4040

    C:\Windows\system32\cmd.exe
      Command line: cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{64893459-B4B8-403D-8E2D-8395D2BA3F1F}\\nsm.lic"
      - Suspicious use of WriteProcessMemory
      PID:2760

        C:\Windows\SysWOW64\attrib.exe
          Command line: ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{64893459-B4B8-403D-8E2D-8395D2BA3F1F}\\nsm.lic"
          - Views/modifies file attributes
          PID:4064

    C:\Windows\Installer\MSI8EB1.tmp
      Command line: "C:\Windows\Installer\MSI8EB1.tmp" NSConnSvrUI.exe NSN
      - Executes dropped EXE
      PID:4396

    C:\Windows\Installer\MSI8F5E.tmp
      Command line: "C:\Windows\Installer\MSI8F5E.tmp" NewShortcut1_DC174CC2D1F545EBA5FA9A05CD201FFD.exe NSN
      - Executes dropped EXE
      PID:1764

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding E3BBCF0EDA3229323132C556FB621371 E Global\MSI0000
      - Loads dropped DLL
      PID:532

    C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\checkdvd.exe
      Command line: "C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\checkdvd.exe"
      - Executes dropped EXE
      PID:2276

    C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\WINSTALL.EXE
      Command line: "C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\WINSTALL.EXE" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EA /EX /EC /Q /V /Q /I *
      - Sets service image path in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies WinLogon
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:3656

        C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\winst64.exe
          Command line: winst64.exe /q /q /i
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Loads dropped DLL
          - Registers COM server for autorun
          - Drops file in System32 directory
          - Modifies registry class
          PID:1544

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1C5A71CA3EF9DC1DE9E9B9DEDDDFFA5F M Global\MSI0000
      - Modifies registry class
      PID:1668

    C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\WINSTALL.EXE
      Command line: "C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\WINSTALL.EXE" /EI
      - Executes dropped EXE
      - Loads dropped DLL
      PID:968

C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\client32.exe
  Command line: "C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\client32.exe" /* *
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2456

    C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\client32.exe
      Command line: "C:\Program Files (x86)\pchelper\Óäàëåííûé ïîìîùíèê\client32.exe" * /VistaUI
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      PID:2040

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
  - Modifies data under HKEY_USERS
  PID:4936
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)

Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (3)
Downloads