netsupport | f1f0d729245cd9272510e8fd258708ead8ed7ab0db39343c6f69cf9d35a35c2b

Analysis

max time kernel
103s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NetSupport School 15.10.0003.exe
Size

146.9MB
MD5

50c6a195ea8b2cac825a3bd2b2e5d5f7
SHA1

7704b7bc735066139657919cc589fef8fdfd76a1
SHA256

f1f0d729245cd9272510e8fd258708ead8ed7ab0db39343c6f69cf9d35a35c2b
SHA512

838332cb950b70aef47ffbff2dbb1503b26ee0fcb702376fbf6633e00bd33aa2b8add3432b28ce79ce0b44d51a7812dbb9c749782d4efc21c5df7c7a78a53088
SSDEEP

3145728:7ghv5tQmlmVPMfix3deHWzomfJ4dbOO+2iX3gvB159GRiYDNAC77:7gF7QmlmVPguPRfy62KwvO/BAe

Score

10^/10

netsupport persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\nskbfltr.sys	winst64.exe
File created	C:\Windows\system32\drivers\nskbfltr2.sys	winst64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys"	MSIF67D.tmp

Blocklisted process makes network request 2 IoCs

flow	pid	Process
25	2328	MSIEXEC.EXE
27	2328	MSIEXEC.EXE

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\A:	runplugin64.exe
File opened (read-only)	\??\H:	runplugin64.exe
File opened (read-only)	\??\W:	runplugin64.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	runplugin.exe
File opened (read-only)	\??\M:	runplugin64.exe
File opened (read-only)	\??\Q:	runplugin64.exe
File opened (read-only)	\??\T:	runplugin64.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	runplugin.exe
File opened (read-only)	\??\F:	runplugin.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\P:	runplugin.exe
File opened (read-only)	\??\Z:	runplugin.exe
File opened (read-only)	\??\E:	runplugin64.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	runplugin.exe
File opened (read-only)	\??\Z:	runplugin64.exe
File opened (read-only)	\??\J:	runplugin64.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	runplugin.exe
File opened (read-only)	\??\G:	runplugin.exe
File opened (read-only)	\??\R:	runplugin.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	runplugin.exe
File opened (read-only)	\??\V:	runplugin64.exe
File opened (read-only)	\??\L:	runplugin64.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\B:	runplugin64.exe
File opened (read-only)	\??\I:	runplugin64.exe
File opened (read-only)	\??\F:	runplugin64.exe
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	runplugin.exe
File opened (read-only)	\??\N:	runplugin.exe
File opened (read-only)	\??\S:	runplugin64.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	runplugin.exe
File opened (read-only)	\??\O:	runplugin.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	runplugin.exe
File opened (read-only)	\??\U:	runplugin.exe
File opened (read-only)	\??\Y:	runplugin64.exe
File opened (read-only)	\??\Y:	runplugin.exe
File opened (read-only)	\??\R:	runplugin64.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0"	MSIF67D.tmp

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\client32provider.dll	winst64.exe
File created	C:\Windows\SysWOW64\pcimsg.dll	MSIF67D.tmp
File opened for modification	C:\Windows\SysWOW64\pcimsg.dll	MSIF67D.tmp
File created	C:\Windows\system32\client32provider.dll	winst64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1488	pcicfgui_setup.exe
1488	pcicfgui_setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\weblock.htm	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\libcrypto-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Sounds\StudentCorrect.wav	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\StoreSoftwareCtl64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\LoopbackUnblocker.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nspowershell.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nssres_250.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\vccorlib140.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\wxpdfdoc.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\gdihook5.cat	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcivideovi.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Sounds\StudentSelected.wav	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\toastImageAndText.png	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\icuuc51.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Dummy.Lic	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\keyshowhook.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PciHooks64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nskbfltr.sys	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\gdihook5.INF	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport School\Client32.ini	pcicfgui_setup.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\mfc100.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCIHOOKS.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\schplayer.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Client32.upd	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSS32.chm	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcicapi.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCIMSG.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcisys.sys	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\concrt140.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\TCCTL32.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\libssl-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\StoreSoftwareCtl.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\wxpdf.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\shfolder.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Sounds\StudentPicked.wav	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Control.kbd	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCICL32.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSToast.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PciHooksApp64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\_Data.lnk	MSIF524.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport School\mfc100u.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\ReportDb.htf	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PluginDevicesModule.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSM.LIC	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport School\_Data.lnk	MSIF67D.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport School\product.dat	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-console-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\BCGCBPRO3350u141.dll	msiexec.exe

Drops file in Windows directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE119.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE1D.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\schdesigner.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe1_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut8_134A4E1756504D7CA2A1E16C4AA879D9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1B6.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F021B863-9473-4467-93B2-6FC48C30E42F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE569.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEACF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut5_0CEE40B1A09F47C29DE0582B6A44A9EC_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF67D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE00.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1B7.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcideply.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File created	C:\Windows\Installer\e57dd91.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE625.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE994.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe1_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	MSIF67D.tmp
File opened for modification	C:\Windows\Installer\MSIE4C8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE3F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAD0.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\schdesigner.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut3_80D45F4DD8E3472CB2C7080AAA34AB2A.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE879.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEBF9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut3_80D45F4DD8E3472CB2C7080AAA34AB2A.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\VideoShortcutWin7Abo_484D413D0D3342A2A692F037061C1AA9.exe	msiexec.exe
File opened for modification	C:\Windows\setupact.log	MSIF67D.tmp
File created	C:\Windows\Installer\e57dd8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE548.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE868.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\VideoShortcutWin7Abo_484D413D0D3342A2A692F037061C1AA9.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut8_134A4E1756504D7CA2A1E16C4AA879D9.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE1C9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut4_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dd8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE916.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcideply.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF524.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE44A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE4EA.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut4_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut1_1045CC3CC07549BB86C478A6B724F98D.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut5_0CEE40B1A09F47C29DE0582B6A44A9EC_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE4D9.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut1_1045CC3CC07549BB86C478A6B724F98D.exe	msiexec.exe

Executes dropped EXE 19 IoCs

pid	Process
3640	NetSupport School 15.10.0003.exe
4760	MSIE569.tmp
3888	MSIE625.tmp
2280	MSIEBF9.tmp
1540	checkdvd.exe
3756	MSIF524.tmp
5092	MSIF67D.tmp
4932	winst64.exe
1488	pcicfgui_setup.exe
2348	pcicfgui_setup.exe
2724	MSI8D6.tmp
876	client32.exe
4424	client32.exe
4032	winst64.exe
4628	runplugin.exe
2500	runplugin64.exe
1204	runplugin.exe
984	runplugin64.exe
2768	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
4028	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
3244	MsiExec.exe
4932	winst64.exe
5092	MSIF67D.tmp
3244	MsiExec.exe
4028	MsiExec.exe
1488	pcicfgui_setup.exe
1488	pcicfgui_setup.exe
1488	pcicfgui_setup.exe
1488	pcicfgui_setup.exe
1488	pcicfgui_setup.exe
4028	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
4584	MsiExec.exe
876	client32.exe
876	client32.exe
876	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000048edd825328814480000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000048edd8250000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090048edd825000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d48edd825000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000048edd82500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL"	client32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM"	client32.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance"	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced"	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver"	client32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\currentver = "1500"	client32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\expiryyear = "2024"	MSIF524.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile	MSIF67D.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\InstalledBySetup = "Common"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\DesktopTCShortcut = "\x06TechConsole"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\expiryday = "25"	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\ = "Client32Provider"	winst64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\Nfbd657e3	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Common = "NSS"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3	client32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\Nfbd657e3\expirymonth = "7"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\startmonth = "6"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\expiryday = "25"	MSIF524.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Student = "NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\ProductIcon = "C:\\Windows\\Installer\\{F021B863-9473-4467-93B2-6FC48C30E42F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\PackageName = "NetSupport School.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\DefaultIcon\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport School\\PCIVideo.exe,1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\UseOnlineHelpYes = "Common"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ThreadingModel = "Apartment"	winst64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport School\\pcinssui.exe\" /ShowVideo \"%L\""	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport School\\pcinssui.exe\" /ShowVideo \"%L\""	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\startday = "24"	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\authcode = "0x5ce54402"	client32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\a = "S"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\a = "S"	MSIF524.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ = "Client32Provider.dll"	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\ConfiguratorShortcut = "Configurator"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show	MSIF67D.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\DesktopShortcutFeature = "\x06Tutor"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\NetSupport_Tutor_Templates = "\x06Tutor"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\authcode = "0x5ce54402"	client32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\expiryyear = "2024"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "NetSupport School Replay File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with NetSupport School"	MSIF67D.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command	MSIF67D.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\expirymonth = "7"	MSIF67D.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\startyear = "2024"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\Nfbd657e3\startyear = "2024"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Tutor = "\x06NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\NameServer = "\x06NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\RemoteDeploy2 = "\x06TechConsole"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfbd657e3\Nfbd657e3	MSIF524.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell	MSIF67D.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}	winst64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4424	client32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4584	MsiExec.exe
4584	MsiExec.exe
2176	msiexec.exe
2176	msiexec.exe
5092	MSIF67D.tmp
5092	MSIF67D.tmp
5092	MSIF67D.tmp
5092	MSIF67D.tmp
876	client32.exe
876	client32.exe
4424	client32.exe
4424	client32.exe
2500	runplugin64.exe
2500	runplugin64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4628	runplugin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2328	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2328	MSIEXEC.EXE
Token: SeSecurityPrivilege	2176	msiexec.exe
Token: SeCreateTokenPrivilege	2328	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2328	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2328	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2328	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2328	MSIEXEC.EXE
Token: SeTcbPrivilege	2328	MSIEXEC.EXE
Token: SeSecurityPrivilege	2328	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2328	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2328	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2328	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2328	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2328	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2328	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2328	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2328	MSIEXEC.EXE
Token: SeBackupPrivilege	2328	MSIEXEC.EXE
Token: SeRestorePrivilege	2328	MSIEXEC.EXE
Token: SeShutdownPrivilege	2328	MSIEXEC.EXE
Token: SeDebugPrivilege	2328	MSIEXEC.EXE
Token: SeAuditPrivilege	2328	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2328	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2328	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2328	MSIEXEC.EXE
Token: SeUndockPrivilege	2328	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2328	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2328	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2328	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2328	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2328	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2328	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2328	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2328	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2328	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2328	MSIEXEC.EXE
Token: SeTcbPrivilege	2328	MSIEXEC.EXE
Token: SeSecurityPrivilege	2328	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2328	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2328	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2328	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2328	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2328	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2328	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2328	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2328	MSIEXEC.EXE
Token: SeBackupPrivilege	2328	MSIEXEC.EXE
Token: SeRestorePrivilege	2328	MSIEXEC.EXE
Token: SeShutdownPrivilege	2328	MSIEXEC.EXE
Token: SeDebugPrivilege	2328	MSIEXEC.EXE
Token: SeAuditPrivilege	2328	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2328	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2328	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2328	MSIEXEC.EXE
Token: SeUndockPrivilege	2328	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2328	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2328	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2328	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2328	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2328	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2328	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2328	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2328	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2328	MSIEXEC.EXE
2328	MSIEXEC.EXE
4424	client32.exe
4424	client32.exe
4424	client32.exe
4424	client32.exe
4424	client32.exe
4424	client32.exe
4424	client32.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4424	client32.exe
4424	client32.exe
4424	client32.exe
4424	client32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4032	winst64.exe
4628	runplugin.exe
2500	runplugin64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 3640	1720	NetSupport School 15.10.0003.exe	87
PID 1720 wrote to memory of 3640	1720	NetSupport School 15.10.0003.exe	87
PID 1720 wrote to memory of 3640	1720	NetSupport School 15.10.0003.exe	87
PID 3640 wrote to memory of 2328	3640	NetSupport School 15.10.0003.exe	93
PID 3640 wrote to memory of 2328	3640	NetSupport School 15.10.0003.exe	93
PID 3640 wrote to memory of 2328	3640	NetSupport School 15.10.0003.exe	93
PID 2176 wrote to memory of 4584	2176	msiexec.exe	96
PID 2176 wrote to memory of 4584	2176	msiexec.exe	96
PID 2176 wrote to memory of 4584	2176	msiexec.exe	96
PID 2328 wrote to memory of 4276	2328	MSIEXEC.EXE	97
PID 2328 wrote to memory of 4276	2328	MSIEXEC.EXE	97
PID 2328 wrote to memory of 4276	2328	MSIEXEC.EXE	97
PID 4276 wrote to memory of 1720	4276	cmd.exe	100
PID 4276 wrote to memory of 1720	4276	cmd.exe	100
PID 4276 wrote to memory of 1720	4276	cmd.exe	100
PID 2328 wrote to memory of 4520	2328	MSIEXEC.EXE	101
PID 2328 wrote to memory of 4520	2328	MSIEXEC.EXE	101
PID 2328 wrote to memory of 4520	2328	MSIEXEC.EXE	101
PID 4520 wrote to memory of 1084	4520	cmd.exe	104
PID 4520 wrote to memory of 1084	4520	cmd.exe	104
PID 4520 wrote to memory of 1084	4520	cmd.exe	104
PID 2176 wrote to memory of 1584	2176	msiexec.exe	112
PID 2176 wrote to memory of 1584	2176	msiexec.exe	112
PID 2176 wrote to memory of 4028	2176	msiexec.exe	114
PID 2176 wrote to memory of 4028	2176	msiexec.exe	114
PID 2176 wrote to memory of 4028	2176	msiexec.exe	114
PID 2176 wrote to memory of 4760	2176	msiexec.exe	115
PID 2176 wrote to memory of 4760	2176	msiexec.exe	115
PID 2176 wrote to memory of 3888	2176	msiexec.exe	117
PID 2176 wrote to memory of 3888	2176	msiexec.exe	117
PID 2176 wrote to memory of 3888	2176	msiexec.exe	117
PID 2176 wrote to memory of 3244	2176	msiexec.exe	118
PID 2176 wrote to memory of 3244	2176	msiexec.exe	118
PID 2176 wrote to memory of 3244	2176	msiexec.exe	118
PID 2176 wrote to memory of 2280	2176	msiexec.exe	119
PID 2176 wrote to memory of 2280	2176	msiexec.exe	119
PID 2176 wrote to memory of 2280	2176	msiexec.exe	119
PID 2176 wrote to memory of 1540	2176	msiexec.exe	120
PID 2176 wrote to memory of 1540	2176	msiexec.exe	120
PID 2176 wrote to memory of 1540	2176	msiexec.exe	120
PID 2176 wrote to memory of 3756	2176	msiexec.exe	121
PID 2176 wrote to memory of 3756	2176	msiexec.exe	121
PID 2176 wrote to memory of 3756	2176	msiexec.exe	121
PID 2176 wrote to memory of 5092	2176	msiexec.exe	122
PID 2176 wrote to memory of 5092	2176	msiexec.exe	122
PID 2176 wrote to memory of 5092	2176	msiexec.exe	122
PID 5092 wrote to memory of 4932	5092	MSIF67D.tmp	123
PID 5092 wrote to memory of 4932	5092	MSIF67D.tmp	123
PID 2176 wrote to memory of 3172	2176	msiexec.exe	124
PID 2176 wrote to memory of 3172	2176	msiexec.exe	124
PID 3172 wrote to memory of 3740	3172	cmd.exe	126
PID 3172 wrote to memory of 3740	3172	cmd.exe	126
PID 3172 wrote to memory of 3740	3172	cmd.exe	126
PID 2176 wrote to memory of 1488	2176	msiexec.exe	127
PID 2176 wrote to memory of 1488	2176	msiexec.exe	127
PID 2176 wrote to memory of 1488	2176	msiexec.exe	127
PID 1488 wrote to memory of 2348	1488	pcicfgui_setup.exe	128
PID 1488 wrote to memory of 2348	1488	pcicfgui_setup.exe	128
PID 1488 wrote to memory of 2348	1488	pcicfgui_setup.exe	128
PID 2328 wrote to memory of 2724	2328	MSIEXEC.EXE	130
PID 2328 wrote to memory of 2724	2328	MSIEXEC.EXE	130
PID 2328 wrote to memory of 2724	2328	MSIEXEC.EXE	130
PID 876 wrote to memory of 4424	876	client32.exe	132
PID 876 wrote to memory of 4424	876	client32.exe	132

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1720	attrib.exe
1084	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe
"C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\NetSupport School 15.10.0003.exe
  "C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\NetSupport School 15.10.0003.exe" /q"C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\NetSupport School.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="NetSupport School 15.10.0003.exe"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4276
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
        5⤵
        Views/modifies file attributes
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
        5⤵
        Views/modifies file attributes
        
        PID:1084
  - - C:\Users\Admin\AppData\Local\Temp\MSI8D6.tmp
      "C:\Users\Admin\AppData\Local\Temp\MSI8D6.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EI
      4⤵
      Executes dropped EXE
      PID:2724
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\system32\explorer.exe
    3⤵
    PID:448

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3326F9EA1CB3227AB359F9A31B83A422 C
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4584
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7552A7C4F5C68DB1FC051E8AEB4FC8A9
  2⤵
  - Loads dropped DLL
  PID:4028
- C:\Windows\Installer\MSIE569.tmp
  "C:\Windows\Installer\MSIE569.tmp" /p "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\Detect64LSP.txt"
  2⤵
  - Executes dropped EXE
  PID:4760
- C:\Windows\Installer\MSIE625.tmp
  "C:\Windows\Installer\MSIE625.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 63C67D3381CA94DA220F102443E2038B E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Modifies data under HKEY_USERS
  PID:3244
- C:\Windows\Installer\MSIEBF9.tmp
  "C:\Windows\Installer\MSIEBF9.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
  2⤵
  - Executes dropped EXE
  PID:2280
- C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe"
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\Installer\MSIF524.tmp
  "C:\Windows\Installer\MSIF524.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EC /Q /Q /C
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies registry class
  PID:3756
- C:\Windows\Installer\MSIF67D.tmp
  "C:\Windows\Installer\MSIF67D.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EV"NetSupport School" /EC /Q /Q /I *
  2⤵
  - Sets service image path in registry
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5092
- - C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
    winst64.exe /q /q /i
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:4932
- C:\Windows\system32\cmd.exe
  cmd.exe /c secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\SysWOW64\SecEdit.exe
    secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
    3⤵
    PID:3740
- C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport School\Client32.ini"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe"
    3⤵
    - Executes dropped EXE
    PID:2348

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3140

C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
"C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" /* *
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:876
- C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" * /VistaUI
  2⤵
  - Executes dropped EXE
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4424
- - C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe" /Q /Q /EB70206,0
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4032
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe" /USER=SYSTEM
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4628
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe" /USER=SYSTEM
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2500
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe"
    3⤵
    - Executes dropped EXE
    PID:1204
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe"
    3⤵
    - Executes dropped EXE
    PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57dd90.rbs

Filesize
65KB

MD5
7551d354b63bf78656457bcce481cfad

SHA1
30456964c3ea98fc61dd2fa31cc579c41a543851

SHA256
f0446038d404719f93f9d05804226107929bb12627eef1a1644283544660a0e7

SHA512
07baf2b5f397a5e8ec5866e4124c80aa1904d522ef94528e43a432b003d1bc1f2ece7626fb647d6770567a3bfb3018e270418b0a85603e8be43a2c7836cdc20d

Download Submit
C:\Program Files (x86)\NetSupport\NetSupport School\WINSTALL.EXE

Filesize
745KB

MD5
0228cb02aa58ef2876713130990c8ccf

SHA1
f6766273a186b6911a6127fbb5af90125e267bbe

SHA256
3651a2131f423c5c553476236be7ad4f26a63c67d872c3b9ecc135d1d184b1ed

SHA512
a07664e639252a2bd34f42fb6907b95889d31657aa81fcdeea4b171bf3410bd3d56f5e404ee8fc16938d826f7cfffc46efcfe74126afec6e87cb048618d26e89

Download Submit
C:\Program Files (x86)\NetSupport\NetSupport School\product.dat

Filesize
506B

MD5
ff7c0d2dbb9195083bbabaff482d5ed6

SHA1
5c2efbf855c376ce1b93e681c54a367a407495dc

SHA256
065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075

SHA512
ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk~RFe57f4b0.TMP

Filesize
2KB

MD5
62650ecd7818e4a218cde29dd2553d2b

SHA1
19f4a707e7118a7a245e6a8035b2ff58e644a002

SHA256
03cf08f133882a031e37fd7d26e5102298e4460d50512228743b09b584d56d84

SHA512
02c90091f92bcaf119d970fff52c886775ae1abebb76ba8772bd41dbeb189eb169a9426adcb389b5f2e33025974e2836d1c49d42c12e51a401eb7d47a2434f50

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\~etSupport School Student Configurator.tmp

Filesize
2KB

MD5
dce565299ce4c5e40d8c6b16fa3e5318

SHA1
9eec9ab47644a86891768e1d540561928c8cda44

SHA256
48e81613bd7cec9ed2512635465761c873d6282d0250134681507dddea2d44e8

SHA512
7ccde358c3d00306db2c61ab17d6c5d5462fa3a2d944a6f8e6e1afe96efd848166c91f6c13c41ec0d203c2e28622990e31247e5345fff23056915bf5da346101

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLL_{F021B863-9473-4467-93B2-6FC48C30E42F}.ini

Filesize
4KB

MD5
44a9f1c8cc051ba145fbe562279021a4

SHA1
3e07ad4531015a5d390acbae0857e9088de686bc

SHA256
0c4d3da11262e0a84da54960d2ea5fc89298175ae31cdf9a7b340eb40a9a30dd

SHA512
a505abda5a99e7706df11b439422ec9249bf3a5fe8286e0025f9441e9f0e9ed2148bd1bcdc8b49fb8afe59616e847278399c330d026c53191eb7490f466b6913

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6060.tmp

Filesize
169KB

MD5
0e6fda2b8425c9513c774cf29a1bc72d

SHA1
a79ffa24cb5956398ded44da24793a2067b85dd0

SHA256
e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

SHA512
285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI60CE.tmp

Filesize
511KB

MD5
d524b639a3a088155981b9b4efa55631

SHA1
39d8eea673c02c1522b110829b93d61310555b98

SHA256
03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289

SHA512
84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI60EE.tmp

Filesize
487KB

MD5
d21afcbb8d2e5a043841b4d145af1df6

SHA1
849db8ddad9e942bfe20a50666d17484b56a26e3

SHA256
c9d4fd904650e4e53de4018951906c1434420d65cdb33e48c23b6c22bc9fdd4c

SHA512
ecb8fbb2826f7f47eed46897701d42873b17b7599cd785ca54e900b793e3de1179c4d6441f317aa5298ae52c1c11157ae43b11822aa0076b9ec93ad5e46f0225

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI60FF.tmp

Filesize
153KB

MD5
a1b7850763af9593b66ee459a081bddf

SHA1
6e45955fae2b2494902a1b55a3873e542f0f5ce4

SHA256
41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

SHA512
a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\Setup.INI

Filesize
5KB

MD5
6fbf86629f47eca07aaed1a95fc56777

SHA1
55fe7be7e600b74d5b67a66ce0d7c379c41bf550

SHA256
32687c846ddb54be27dd5a4f2674ef4ce08b1d3cf8621301e36b319df28ecb26

SHA512
89832543df122de7b0cb2cca77624e1f993b499f6d8bd514a2e86fae72867ae3e26f2c130cc216c9929d65ab7f55f93feafc549053f29157fcfd8061baf8cb84

Download Submit
C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\_ISMSIDEL.INI

Filesize
684B

MD5
93c14552bf13c64935b9a45061d39a9d

SHA1
d483861e87726927d62dab3980812135fe28a624

SHA256
08f44fa5a2b9afc25d5a768304e9a4b7662db1d1b4c58bcd06b0345783d6ffb7

SHA512
3d206d0255ab6dc0de3ea2649d143e043761b2112d1ef6ece57ed06af4a1cf72579f9156ad57cb6ca71a76a4d90b122732398e1de2bc186f5198eb7ae6400021

Download Submit
C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\_ISMSIDEL.INI

Filesize
444B

MD5
a8a03410d0b2208918a473ec6cf7ad9f

SHA1
62819241a661ffd3f5dc9d97a377bfdf2f6a5c9e

SHA256
ee8381ca9d049d68543df8191840a2c1572d0a0f532a29bb8bad5d6624b13a41

SHA512
35b6e91f2edb5c5bae2cfca2ca1223d9a306414340a1896b5a8979a87ae099d94c335509b5b2bb1d5f21a033a34575da58ca7df24af8d8ebe7bc44e12bfae037

Download Submit
C:\Users\Admin\AppData\Local\Temp\{48CACB96-175A-4BAE-806A-DCEA675F97A3}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\Client32.ini

Filesize
77B

MD5
3d6de28fc7ae0ea0c8f754fff6246be8

SHA1
2f519518166499a06dfd61c327dd56e681390d2a

SHA256
aacd16e069a0d6c2371767eeea668b5b32b54a16c1d887e16142c845596e033b

SHA512
e3c7c0bf0511e22acf7a0fe3465b33ab774eaac69ce91456cedf3d44f476b7c26c381e888c6d1e481ebecf7a04921bcaa3d059ff7b113ec9841b4460c74ad40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\Client32.upd

Filesize
10B

MD5
c7dea5b4aa8726d6e1856b151a3d5e61

SHA1
0e7d482333027b5381e94c945969bfb20aa8bcfc

SHA256
444b6e841966e6306050fd2b2211e00dd877c4aa2b8971a3010d3e53d95ea7ee

SHA512
dd3732dfdb5a56bd70aba7c298001280d76829928d8e1a9add03cfc55e26f24fb317d01b915578ac54ba920fe0e736d4ca04f82eb98e67e0bf773973dc20313d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NSM.LIC

Filesize
190B

MD5
41b74ffe52b6d2aef850e4b064876ce0

SHA1
549b93bb84df9796e7c9fa5a0925f82a5201e42f

SHA256
73a125a95016a791167410b505b1835cd15fe74a2ba0d2400f6bef2805a3383a

SHA512
35767cee6680bd78ea8184cb92daa0c28955bdf03ccf6115abb71aca7c21ac4fdf233ccd2250341e5213c1c8c6d5968a912397c450268a1fb863373df9efd0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NSM.LIC

Filesize
207B

MD5
636a84736677418909c8e65c28c797c6

SHA1
af3475058a12fb1789714884b05d5d8e8380e78c

SHA256
2bd0390f46f697eb3eb2f20d2ebfa87174662e40e39185b390265eb5b9c5613c

SHA512
2c81d9dcb6bb3ab2f155d0a22ce30bfa2d0fa2c23a45329edb815cb406288bcbad88dce397d186ee5d572f050b634ca396d90d29d0d2b411374f481a662a69e8

Download Submit
C:\Windows\Installer\MSIF4F4.tmp

Filesize
244KB

MD5
c4ca339bc85aae8999e4b101556239dd

SHA1
d090fc385e0002e35db276960a360c67c4fc85cd

SHA256
4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9

SHA512
9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0

Download Submit
memory/1488-540-0x0000000003050000-0x00000000031F3000-memory.dmp

Filesize
1.6MB

Download
memory/3640-631-0x0000000075410000-0x00000000754AF000-memory.dmp

Filesize
636KB

Download
memory/3640-619-0x0000000077190000-0x00000000771F3000-memory.dmp

Filesize
396KB

Download
memory/3640-604-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-605-0x0000000076E40000-0x0000000076EFF000-memory.dmp

Filesize
764KB

Download
memory/3640-611-0x0000000076510000-0x0000000076597000-memory.dmp

Filesize
540KB

Download
memory/3640-651-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-650-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-648-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-647-0x0000000076510000-0x0000000076597000-memory.dmp

Filesize
540KB

Download
memory/3640-646-0x0000000075140000-0x0000000075169000-memory.dmp

Filesize
164KB

Download
memory/3640-645-0x0000000075140000-0x0000000075169000-memory.dmp

Filesize
164KB

Download
memory/3640-644-0x0000000076900000-0x000000007695F000-memory.dmp

Filesize
380KB

Download
memory/3640-643-0x00000000756F0000-0x0000000075CA3000-memory.dmp

Filesize
5.7MB

Download
memory/3640-640-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-639-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-638-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-637-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-636-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-635-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-634-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-633-0x00000000754B0000-0x000000007558C000-memory.dmp

Filesize
880KB

Download
memory/3640-587-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-630-0x0000000077360000-0x0000000077575000-memory.dmp

Filesize
2.1MB

Download
memory/3640-629-0x0000000077360000-0x0000000077575000-memory.dmp

Filesize
2.1MB

Download
memory/3640-626-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-625-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-624-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-623-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-622-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-621-0x0000000011320000-0x0000000011365000-memory.dmp

Filesize
276KB

Download
memory/3640-620-0x0000000075590000-0x00000000755EE000-memory.dmp

Filesize
376KB

Download
memory/3640-589-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-618-0x0000000077190000-0x00000000771F3000-memory.dmp

Filesize
396KB

Download
memory/3640-617-0x0000000075E50000-0x0000000075F23000-memory.dmp

Filesize
844KB

Download
memory/3640-616-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-614-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-613-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-612-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-610-0x0000000075140000-0x0000000075169000-memory.dmp

Filesize
164KB

Download
memory/3640-609-0x0000000075140000-0x0000000075169000-memory.dmp

Filesize
164KB

Download
memory/3640-608-0x0000000076900000-0x000000007695F000-memory.dmp

Filesize
380KB

Download
memory/3640-607-0x00000000756F0000-0x0000000075CA3000-memory.dmp

Filesize
5.7MB

Download
memory/3640-649-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-642-0x00000000756F0000-0x0000000075CA3000-memory.dmp

Filesize
5.7MB

Download
memory/3640-641-0x0000000076E40000-0x0000000076EFF000-memory.dmp

Filesize
764KB

Download
memory/3640-632-0x0000000075410000-0x00000000754AF000-memory.dmp

Filesize
636KB

Download
memory/3640-606-0x00000000756F0000-0x0000000075CA3000-memory.dmp

Filesize
5.7MB

Download
memory/3640-615-0x0000000074EA0000-0x0000000075131000-memory.dmp

Filesize
2.6MB

Download
memory/3640-603-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-602-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-601-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-600-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-599-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-598-0x0000000076CD0000-0x0000000076D4A000-memory.dmp

Filesize
488KB

Download
memory/3640-597-0x00000000754B0000-0x000000007558C000-memory.dmp

Filesize
880KB

Download
memory/3640-596-0x0000000075410000-0x00000000754AF000-memory.dmp

Filesize
636KB

Download
memory/3640-595-0x0000000075410000-0x00000000754AF000-memory.dmp

Filesize
636KB

Download
memory/3640-594-0x0000000077360000-0x0000000077575000-memory.dmp

Filesize
2.1MB

Download
memory/3640-590-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-588-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/3640-593-0x0000000077360000-0x0000000077575000-memory.dmp

Filesize
2.1MB

Download
memory/3640-586-0x0000000000D40000-0x0000000000E4C000-memory.dmp

Filesize
1.0MB

Download
memory/4424-584-0x0000000006330000-0x0000000006454000-memory.dmp

Filesize
1.1MB

Download