netsupport | a62ef8b3fdece9258ccaa159eb72469dcc67bcdef94281a1079ccb1f3b058c47

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
09-07-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

38.9MB
MD5

e43590cf5c0bbc73af1d6532e9803258
SHA1

e242676637f8566b26dc2b6bba920a1e950ced5f
SHA256

a62ef8b3fdece9258ccaa159eb72469dcc67bcdef94281a1079ccb1f3b058c47
SHA512

c806030884a7d4d27a13dd8afcb83e97c1d964159e7f612defebcd905db31cda924b2a3efcc8a9f3055747fc939c31b0f2346021ffef2b427ae5ab74253eb3f9
SSDEEP

786432:r8dl217gZe+0fGuKiahOXPRfWkfmy7sf3z4LMTQPa5UQ5bw0Kno4razqEzfBZxYb:YO17gZe+TXQ/8key7/sQS59KzGOEzjxA

Score

10^/10

netsupport persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Drops file in Drivers directory 6 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\pcisys.sys	winst64.exe
File created	C:\Windows\system32\drivers\nskbfltr.sys	winst64.exe
File created	C:\Windows\system32\drivers\nskbfltr2.sys	winst64.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET7407.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET7407.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\gdihook5.sys	DrvInst.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys"	MSI6836.tmp

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2268	MSIEXEC.EXE
5	2860	msiexec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\A:	client32.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	client32.exe
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0"	MSI6836.tmp

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\clhook4.dll	winst64.exe
File created	C:\Windows\system32\client32provider.dll	winst64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64\SET72C1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	winst64.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\gdihook5.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64\SET72C0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\SET72E2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	winst64.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\SysWOW64\pcimsg.dll	MSI6836.tmp
File opened for modification	C:\Windows\SysWOW64\pcimsg.dll	MSI6836.tmp
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64\SET72C0.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64\gdihook5.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\SET72D1.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\SET72D1.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\gdihook5.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\system32\SET7437.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\SET72E2.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\gdihook5.inf_amd64_neutral_d8853853669e565a\gdihook5.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\gdihook5.inf_amd64_neutral_d8853853669e565a\gdihook5.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	winst64.exe
File created	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64\SET72C1.tmp	DrvInst.exe
File created	C:\Windows\system32\SET7437.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	client32.exe
File created	C:\Windows\system32\clhook4.dll	winst64.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64\gdihook5.dll	DrvInst.exe
File opened for modification	C:\Windows\system32\gdihook5.dll	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
632	pcicfgui_client.exe
632	pcicfgui_client.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_up_grey.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\gdihook5.INF	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.LIC	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\computer2.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\x64\gdihook5.sys	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\toastImageAndText.png	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.LIC	MSI6836.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIHOOKS.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32Provider.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\IsMetro.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\NSClient32UI.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.cat	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-heap-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\libssl-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_down_grey.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\AudioCapture.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\msvcp140.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\msvcr100.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\IcoViewer.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\logo.png	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-environment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-util-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\msvcp100.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\pcictl.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_up.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\VolumeControlWVI.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.upd	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\unknown.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\toastMessage.png	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\toastChat.png	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIIMAGE.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_down.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\greenbar.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-synch-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\pciconn.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\ucrtbase.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-convert-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\pcisys.sys	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\pscrinst.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-time-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\_Shared Data.lnk	MSI6836.tmp
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini	pcicfgui_client.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\bar.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\network2.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\VolumeControlWXP.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\CryptPak.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\mfc100.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\printer2.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\redbar.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\startlogo.bmp	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-multibyte-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-conio-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\nsmexec.exe	msiexec.exe

Drops file in Windows directory 48 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5B8C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI621B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62A8.tmp	msiexec.exe
File opened for modification	C:\Windows\setupact.log	winst64.exe
File opened for modification	C:\Windows\setuperr.log	winst64.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI5B8B.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7756e7.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI787D.tmp	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI5EEA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI5CA7.tmp	msiexec.exe
File created	C:\Windows\Installer\f7756e7.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F67.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7756e6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BAC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI650A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{CBB68368-7767-4CFF-B3E5-211488346702}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	winst64.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\setuperr.log	MSI6836.tmp
File created	C:\Windows\Installer\f7756e6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6033.tmp	msiexec.exe
File created	C:\Windows\Installer\{CBB68368-7767-4CFF-B3E5-211488346702}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6836.tmp	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI791A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8241.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5B6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI76E6.tmp	msiexec.exe
File created	C:\Windows\Installer\f7756e9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A51.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	winst64.exe
File opened for modification	C:\Windows\Installer\MSI61CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI620A.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\setupact.log	MSI6836.tmp
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI5C58.tmp	msiexec.exe

Executes dropped EXE 11 IoCs

pid	Process
2692	Setup.exe
2032	MSI5CA7.tmp
1260	MSI62A8.tmp
2788	checkdvd.exe
2312	MSI6836.tmp
1752	winst64.exe
2640	MSI791A.tmp
2616	client32.exe
632	pcicfgui_client.exe
1732	pcicfgui_client.exe
988	client32.exe

Loads dropped DLL 64 IoCs

pid	Process
2556	Setup.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
2000	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
592	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2312	MSI6836.tmp
1752	winst64.exe
2312	MSI6836.tmp
2544	MsiExec.exe
2544	MsiExec.exe
2544	MsiExec.exe
2616	client32.exe
2616	client32.exe
2616	client32.exe
2616	client32.exe
2616	client32.exe
2616	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK	client32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	client32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	client32.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E4DE1B4E-F341-474F-AA6B-F8752E57E67A}	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{E4DE1B4E-F341-474F-AA6B-F8752E57E67A}\02-ab-4e-fe-3b-f7	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	winst64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	winst64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	client32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	client32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\02-ab-4e-fe-3b-f7\WpadDecisionTime = 70a8ab9697d1da01	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	winst64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\expirymonth = "8"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show	MSI6836.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command	MSI6836.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\ = "IconViewer Class"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib	MsiExec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID\ = "IcoViewer.IconViewer.1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\0\win32	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib\ = "{C58E5039-E78C-441D-AA62-383AD6F38FC8}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ = "IIconViewer"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2C61D9FBB5C49E141B2D086B0653E432	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32\InprocServer32 = 41002700360050006a00530043005200680040004c005a007e004f0029004e00460060006a00210043006c00690065006e0074003e0027007300430050006200280031004a007b00380068007a004400660043004f006d0030006b00240000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\startyear = "2024"	MsiExec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version\ = "1.0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\SourceList\PackageName = "NetSupport Manager.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command	MSI6836.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\Nb6b46a9e\expiryyear = "2024"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32	winst64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\expiryyear = "2024"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile	MSI6836.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell	MSI6836.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "NetSupport Manager Replay File"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command	MSI6836.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\expirymonth = "8"	MSI6836.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show	MSI6836.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile\DefaultIcon	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with NetSupport School"	MSI6836.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with NetSupport School"	MSI6836.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell	MSI6836.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\Nb6b46a9e	MSI6836.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\startmonth = "7"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show	MSI6836.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version\ = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\startday = "8"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ = "Client32Provider.dll"	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nb6b46a9e\currentver = "1400"	pcicfgui_client.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
988	client32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2860	msiexec.exe
2860	msiexec.exe
2312	MSI6836.tmp
2312	MSI6836.tmp
2312	MSI6836.tmp
2312	MSI6836.tmp
2616	client32.exe
2616	client32.exe
988	client32.exe
988	client32.exe
988	client32.exe
988	client32.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2268	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2268	MSIEXEC.EXE
Token: SeRestorePrivilege	2860	msiexec.exe
Token: SeTakeOwnershipPrivilege	2860	msiexec.exe
Token: SeSecurityPrivilege	2860	msiexec.exe
Token: SeCreateTokenPrivilege	2268	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2268	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2268	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2268	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2268	MSIEXEC.EXE
Token: SeTcbPrivilege	2268	MSIEXEC.EXE
Token: SeSecurityPrivilege	2268	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2268	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2268	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2268	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2268	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2268	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2268	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2268	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2268	MSIEXEC.EXE
Token: SeBackupPrivilege	2268	MSIEXEC.EXE
Token: SeRestorePrivilege	2268	MSIEXEC.EXE
Token: SeShutdownPrivilege	2268	MSIEXEC.EXE
Token: SeDebugPrivilege	2268	MSIEXEC.EXE
Token: SeAuditPrivilege	2268	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2268	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2268	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2268	MSIEXEC.EXE
Token: SeUndockPrivilege	2268	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2268	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2268	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2268	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2268	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2268	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2268	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	2268	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	2268	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2268	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	2268	MSIEXEC.EXE
Token: SeTcbPrivilege	2268	MSIEXEC.EXE
Token: SeSecurityPrivilege	2268	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	2268	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	2268	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	2268	MSIEXEC.EXE
Token: SeSystemtimePrivilege	2268	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	2268	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	2268	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	2268	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	2268	MSIEXEC.EXE
Token: SeBackupPrivilege	2268	MSIEXEC.EXE
Token: SeRestorePrivilege	2268	MSIEXEC.EXE
Token: SeShutdownPrivilege	2268	MSIEXEC.EXE
Token: SeDebugPrivilege	2268	MSIEXEC.EXE
Token: SeAuditPrivilege	2268	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	2268	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	2268	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	2268	MSIEXEC.EXE
Token: SeUndockPrivilege	2268	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	2268	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	2268	MSIEXEC.EXE
Token: SeManageVolumePrivilege	2268	MSIEXEC.EXE
Token: SeImpersonatePrivilege	2268	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	2268	MSIEXEC.EXE
Token: SeCreateTokenPrivilege	2268	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2268	MSIEXEC.EXE
2268	MSIEXEC.EXE
988	client32.exe
988	client32.exe
988	client32.exe
2268	MSIEXEC.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
988	client32.exe
988	client32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2692	2556	Setup.exe	30
PID 2556 wrote to memory of 2692	2556	Setup.exe	30
PID 2556 wrote to memory of 2692	2556	Setup.exe	30
PID 2556 wrote to memory of 2692	2556	Setup.exe	30
PID 2556 wrote to memory of 2692	2556	Setup.exe	30
PID 2556 wrote to memory of 2692	2556	Setup.exe	30
PID 2556 wrote to memory of 2692	2556	Setup.exe	30
PID 2692 wrote to memory of 2268	2692	Setup.exe	31
PID 2692 wrote to memory of 2268	2692	Setup.exe	31
PID 2692 wrote to memory of 2268	2692	Setup.exe	31
PID 2692 wrote to memory of 2268	2692	Setup.exe	31
PID 2692 wrote to memory of 2268	2692	Setup.exe	31
PID 2692 wrote to memory of 2268	2692	Setup.exe	31
PID 2692 wrote to memory of 2268	2692	Setup.exe	31
PID 2860 wrote to memory of 2000	2860	msiexec.exe	33
PID 2860 wrote to memory of 2000	2860	msiexec.exe	33
PID 2860 wrote to memory of 2000	2860	msiexec.exe	33
PID 2860 wrote to memory of 2000	2860	msiexec.exe	33
PID 2860 wrote to memory of 2000	2860	msiexec.exe	33
PID 2860 wrote to memory of 2000	2860	msiexec.exe	33
PID 2860 wrote to memory of 2000	2860	msiexec.exe	33
PID 2268 wrote to memory of 2760	2268	MSIEXEC.EXE	34
PID 2268 wrote to memory of 2760	2268	MSIEXEC.EXE	34
PID 2268 wrote to memory of 2760	2268	MSIEXEC.EXE	34
PID 2268 wrote to memory of 2760	2268	MSIEXEC.EXE	34
PID 2760 wrote to memory of 2968	2760	cmd.exe	36
PID 2760 wrote to memory of 2968	2760	cmd.exe	36
PID 2760 wrote to memory of 2968	2760	cmd.exe	36
PID 2760 wrote to memory of 2968	2760	cmd.exe	36
PID 2860 wrote to memory of 592	2860	msiexec.exe	41
PID 2860 wrote to memory of 592	2860	msiexec.exe	41
PID 2860 wrote to memory of 592	2860	msiexec.exe	41
PID 2860 wrote to memory of 592	2860	msiexec.exe	41
PID 2860 wrote to memory of 592	2860	msiexec.exe	41
PID 2860 wrote to memory of 592	2860	msiexec.exe	41
PID 2860 wrote to memory of 592	2860	msiexec.exe	41
PID 2860 wrote to memory of 2032	2860	msiexec.exe	43
PID 2860 wrote to memory of 2032	2860	msiexec.exe	43
PID 2860 wrote to memory of 2032	2860	msiexec.exe	43
PID 2860 wrote to memory of 2032	2860	msiexec.exe	43
PID 2860 wrote to memory of 2032	2860	msiexec.exe	43
PID 2860 wrote to memory of 2032	2860	msiexec.exe	43
PID 2860 wrote to memory of 2032	2860	msiexec.exe	43
PID 2860 wrote to memory of 2544	2860	msiexec.exe	44
PID 2860 wrote to memory of 2544	2860	msiexec.exe	44
PID 2860 wrote to memory of 2544	2860	msiexec.exe	44
PID 2860 wrote to memory of 2544	2860	msiexec.exe	44
PID 2860 wrote to memory of 2544	2860	msiexec.exe	44
PID 2860 wrote to memory of 2544	2860	msiexec.exe	44
PID 2860 wrote to memory of 2544	2860	msiexec.exe	44
PID 2860 wrote to memory of 1260	2860	msiexec.exe	45
PID 2860 wrote to memory of 1260	2860	msiexec.exe	45
PID 2860 wrote to memory of 1260	2860	msiexec.exe	45
PID 2860 wrote to memory of 1260	2860	msiexec.exe	45
PID 2860 wrote to memory of 1260	2860	msiexec.exe	45
PID 2860 wrote to memory of 1260	2860	msiexec.exe	45
PID 2860 wrote to memory of 1260	2860	msiexec.exe	45
PID 2860 wrote to memory of 2788	2860	msiexec.exe	46
PID 2860 wrote to memory of 2788	2860	msiexec.exe	46
PID 2860 wrote to memory of 2788	2860	msiexec.exe	46
PID 2860 wrote to memory of 2788	2860	msiexec.exe	46
PID 2860 wrote to memory of 2312	2860	msiexec.exe	47
PID 2860 wrote to memory of 2312	2860	msiexec.exe	47
PID 2860 wrote to memory of 2312	2860	msiexec.exe	47

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2968	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\Setup.exe
  C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\Setup.exe /q"C:\Users\Admin\AppData\Local\Temp\Setup.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\NetSupport Manager.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="Setup.exe"
    3⤵
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2268
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"
        5⤵
        Views/modifies file attributes
        
        PID:2968
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\system32\explorer.exe
    3⤵
    PID:2840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D03CFC3F538138F8BB4D2D8CDCDB5633 C
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A371E9A15E495115E1745E347D43D0B1
  2⤵
  - Loads dropped DLL
  PID:592
- C:\Windows\Installer\MSI5CA7.tmp
  "C:\Windows\Installer\MSI5CA7.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD81C01E6BA78152C92AB73FC4562253 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  PID:2544
- C:\Windows\Installer\MSI62A8.tmp
  "C:\Windows\Installer\MSI62A8.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
  2⤵
  - Executes dropped EXE
  PID:1260
- C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe
  "C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\Windows\Installer\MSI6836.tmp
  "C:\Windows\Installer\MSI6836.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EF".\Resources" /EF".\Help" /EF".\Image" /EF".\Sound" /EF".\Video" /EA /EX /EC /Q /V /Q /I *
  2⤵
  - Sets service image path in registry
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2312
- - C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe
    winst64.exe /q /q /ex /i
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Modifies registry class
    PID:1752
- C:\Windows\Installer\MSI791A.tmp
  "C:\Windows\Installer\MSI791A.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EI
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
  "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies registry class
  PID:632
- - C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
    "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"
    3⤵
    - Executes dropped EXE
    PID:1732

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2408

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "00000000000005D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2096

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{461027e8-8650-75dc-def1-6f645d9b2040}\gdihook5.inf" "9" "6d3d268df" "00000000000005E4" "WinSta0\Default" "00000000000005A4" "208" "c:\program files (x86)\netsupport\netsupport manager"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2332

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem2.inf" "gdihook5.inf:gdihook5.Mfg.NTamd64:gdihook5:11.11.0.704:pci_gdihook5_hwid" "6d3d268df" "00000000000005E4" "0000000000000590" "00000000000005F4"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2452

C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2616
- C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
  "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:988
- - C:\Windows\SysWOW64\cscript.exe
    "cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 49913
    3⤵
    - Modifies data under HKEY_USERS
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f7756e8.rbs

Filesize
39KB

MD5
11b444771af5e0a62c1d56c5c719cc83

SHA1
d9797b41dcd8f99f0e87989365008522f6307ad7

SHA256
7ca81c65d04988702f4bd273e7f28513391a510327a73f07507335c88ebd19e0

SHA512
556f723e45a9b55b4e2602b49182b39fdcf7600a5cd473c2726c955133c9f19ced0231dc035f258d551b5bf464f3d22a29822a69142ead18c397c61ed97d4ac3

Download Submit
C:\Program Files (x86)\NetSupport\NetSupport Manager\product.dat

Filesize
506B

MD5
ff7c0d2dbb9195083bbabaff482d5ed6

SHA1
5c2efbf855c376ce1b93e681c54a367a407495dc

SHA256
065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075

SHA512
ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD42.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLL_{CBB68368-7767-4CFF-B3E5-211488346702}.ini

Filesize
7KB

MD5
0d1fed9a699e09025437ed22abc59317

SHA1
560719838d5cad4cf39eedb8c31730a0c2bf401e

SHA256
5683ca8566451556d1d70cf34a16af67faae80cc8639e52aa6158a846abe8069

SHA512
555edd3a68302d7902ac18c53e3a992a3a6e51afae750d87e915dd5feaae5facac120dcc85df2823db2e96735db724f5e179e56c4476f393874fe0afe5c970bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD54.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\NetSupport Manager.msi

Filesize
39.7MB

MD5
89cae9bde0f3e1a2d61adbe7bba774d6

SHA1
f46168a1faa5231b68ea5592301d54204d2e7f4d

SHA256
cffb621b1d176998e5bdf49019da3dd6f15c4e5fbac38f24527dfe36a5e595df

SHA512
65aca3ccb33fb50481bd368e25e4cbb54eafdc791e7e083196fed5c3870f7dc0f8c8c1b6ab813a1c9000b25912aa26e73e6e0b0c8fa0bcf934e79cace44e15b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\Setup.INI

Filesize
5KB

MD5
e3911c00797574a4dc9d8f4bca6673c3

SHA1
f8d56536b5be665d8241f76b419aa5458263d701

SHA256
b13a908d30d4156f6161c912e6d56cfa137324bafd5d3fc88ece04f51751a374

SHA512
11f768ecd8a6d42067831fa85bb5edb5662731345c657f56aa2bea61aebb33fa5777287a6ae4fbb13fc72688d61283bba148158583713755a55859cc3065e3f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\Setup.exe

Filesize
38.9MB

MD5
e43590cf5c0bbc73af1d6532e9803258

SHA1
e242676637f8566b26dc2b6bba920a1e950ced5f

SHA256
a62ef8b3fdece9258ccaa159eb72469dcc67bcdef94281a1079ccb1f3b058c47

SHA512
c806030884a7d4d27a13dd8afcb83e97c1d964159e7f612defebcd905db31cda924b2a3efcc8a9f3055747fc939c31b0f2346021ffef2b427ae5ab74253eb3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\_ISMSIDEL.INI

Filesize
592B

MD5
fae67ec91527d724dbb94a2310d65534

SHA1
c6896b524520fe2325bd7fd9820167c090fa9f4a

SHA256
2434254d559e16c4dc609de93ef8ff2406755356ec37187468b0f08d3ee2ca5d

SHA512
9a4cdad1b6ba05dcef4082db5f90d4a87c36ea2a9c89d2fb425e814695e5f0752872854e63dc707396bc3f9466162270df573b8e7c1b764390719a757f048024

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AFD94567-A1A0-4DF7-BBFE-DEF3380DD09E}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Windows\Installer\MSI62A8.tmp

Filesize
745KB

MD5
0fcf65c63e08e77732224b2d5d959f13

SHA1
5419b79fe14e21d1d5b51fe8187f7b86ec20de74

SHA256
f3e587f94a79c46a603b39286e93b17fabc895c6b71b26b0fc5d812cf155b7e5

SHA512
7c289aaf3ac1b998c8ca9593a58c8aa3a9aa9f41852c1ed4192b908e0ad51871400d585b4fe508d49368bdfc7378807d289971914870a7a47b0410a946e5e381

Download Submit
C:\Windows\Installer\MSI76E6.tmp

Filesize
244KB

MD5
c4ca339bc85aae8999e4b101556239dd

SHA1
d090fc385e0002e35db276960a360c67c4fc85cd

SHA256
4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9

SHA512
9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0

Download Submit
C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\SET72D1.tmp

Filesize
8KB

MD5
2d31ce5fe7cd81c996615ebcc29c058a

SHA1
4d74fe8e3170d36666df779e43fe8016986b154a

SHA256
019290c9b7e5b48fb6de95f9563ed481cd42f8658451c6fbc8ad131d61209ce0

SHA512
b8188481050630e7317d2f0687790a46e86f30a79f34164e4b02ec28da39334da80bd494a4f32ae8bb60fa2f01273cdcd9d15100f901517b0c01507678330052

Download Submit
C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\SET72E2.tmp

Filesize
2KB

MD5
703c7774b981e5d02e058340a27a5b75

SHA1
37534d7f0b31d2328d70ca578047d597273b73b6

SHA256
4cfca868959f4e1b85bfd6b8a970ae06c0810d9c341f260df3ab8479089500e9

SHA512
758e84915fa7ebb343bafd096bc40d9d226fe0da7c167b2b8e59f664e1be796143228bc3405df7e3447cdc918004db516344365d3d07a8e6c040df2b90456d78

Download Submit
C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64\SET72C0.tmp

Filesize
95KB

MD5
52b88eb20beb3b34a692a4cae0ff2196

SHA1
26a297b2baeb118f8856c1de41ee855572ba958a

SHA256
2b675e9c27d3fb01cb9df2583b380de8dc8c0d5bbbe18af458f90b47c6d62b03

SHA512
29567fc4db46d85f9ab8f6ecf2a708ec2c8def2e49eccd439daceda327b7411957b2014171a8370c3928d4a03a13bc6124d93678a87684370a5e6042d1c2ad6e

Download Submit
C:\Windows\System32\DriverStore\Temp\{04b73ceb-93bd-46e4-eb3c-b7042309882b}\x64\SET72C1.tmp

Filesize
68KB

MD5
9a348ed02f8b1efc9bfc5f53827f8a9c

SHA1
c1f22705392af57b277d1fb4f46258dddffe8f33

SHA256
641f2b86f013a95707ffdf0f584e3a83fedc1392cea3b546905b9ccb54ae10cf

SHA512
9debb460fd74cb586ed66b7fa4bbb51a8e1184c1a061e81f4fd6f5e700fdb1e91b809a3f517fe55dd889f60df6ea29190455073dfa1cb5b85032b91efd12033f

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
8KB

MD5
eec2f4d8ffabfa7d35670b8d05e2e045

SHA1
2ce087bf532fc9852cec1ea24cf823000a8310e0

SHA256
1472fdc37a076a315067332c5b6c01d7f51c86fc876f7d689c95afd6573442bb

SHA512
a1acf78549eabb6ffdf30b9fb9785806d431f16e25688a9147378edc79ba65ce926f0714c9f212e41c2026a79c323d3c082d4f0782a4f64d1ef9bc0fb05d20fe

Download Submit
\Users\Admin\AppData\Local\Temp\MSIAEFB.tmp

Filesize
169KB

MD5
0e6fda2b8425c9513c774cf29a1bc72d

SHA1
a79ffa24cb5956398ded44da24793a2067b85dd0

SHA256
e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

SHA512
285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

Download Submit
\Users\Admin\AppData\Local\Temp\MSIAF98.tmp

Filesize
511KB

MD5
d524b639a3a088155981b9b4efa55631

SHA1
39d8eea673c02c1522b110829b93d61310555b98

SHA256
03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289

SHA512
84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

Download Submit
\Users\Admin\AppData\Local\Temp\MSIB025.tmp

Filesize
153KB

MD5
a1b7850763af9593b66ee459a081bddf

SHA1
6e45955fae2b2494902a1b55a3873e542f0f5ce4

SHA256
41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

SHA512
a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBF9B.tmp

Filesize
487KB

MD5
3085d62326cc1ae4ab21489576973621

SHA1
e3c847dee0ecc7176c1168d6d1df9b9e98b19936

SHA256
d2dc425f47d8c80abd8cadbcd8aa53516e7754c371bd3bad3907294a6ca57c5c

SHA512
f993e4e04b348f7eb346d2f3d00fdaed2212f28ba885bbe50c1959737c5b6cab9cfbe17c4aba992521aa0ecdcf5216fa9e6c36a47746077307d32170223a9a97

Download Submit
memory/632-704-0x0000000002530000-0x00000000026B0000-memory.dmp

Filesize
1.5MB

Download
memory/988-726-0x0000000005470000-0x0000000005577000-memory.dmp

Filesize
1.0MB

Download