netsupport | 1d78526f6b8a98475210e12d2183805bbd22469b63d2e11354987c1c6782ed72

Analysis

max time kernel
509s
max time network
318s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02-09-2024 00:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NetSupport School.msi
Size

150.2MB
MD5

32c821d567a2d7a63d638eba7a6a22cd
SHA1

35a2a92dc9aab0acf09e931cd21bd52c796a0e6a
SHA256

1d78526f6b8a98475210e12d2183805bbd22469b63d2e11354987c1c6782ed72
SHA512

98c46dcdf257d42d6115a5a73119fe0a1b33a89c257fb9ffe78b85d949ec08243003887f65ef86bd15a01a0911599490b98033f86e57b399247343b7ac9368d5
SSDEEP

3145728:/9wr2EaPT3kDVqZDYFnCkp0wbKrtE8yoP+ANeEkqic+w8:/62NDkDgE/pTb/8yoN82+w

Score

10^/10

netsupport discovery persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\nskbfltr2.sys	winst64.exe
File created	C:\Windows\system32\drivers\nskbfltr.sys	winst64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys"	MSI7C4.tmp

Blocklisted process makes network request 2 IoCs

flow	pid	Process
2	4408	msiexec.exe
4	4408	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	runplugin.exe
File opened (read-only)	\??\T:	runplugin64.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	runplugin.exe
File opened (read-only)	\??\U:	runplugin.exe
File opened (read-only)	\??\X:	runplugin64.exe
File opened (read-only)	\??\Y:	runplugin64.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	runplugin.exe
File opened (read-only)	\??\T:	runplugin.exe
File opened (read-only)	\??\M:	runplugin64.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\W:	runplugin.exe
File opened (read-only)	\??\A:	runplugin64.exe
File opened (read-only)	\??\K:	runplugin64.exe
File opened (read-only)	\??\R:	runplugin64.exe
File opened (read-only)	\??\Z:	runplugin64.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	runplugin.exe
File opened (read-only)	\??\Y:	runplugin.exe
File opened (read-only)	\??\H:	runplugin64.exe
File opened (read-only)	\??\O:	runplugin64.exe
File opened (read-only)	\??\P:	runplugin64.exe
File opened (read-only)	\??\V:	runplugin64.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	runplugin.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	runplugin64.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	runplugin64.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	runplugin.exe
File opened (read-only)	\??\P:	runplugin.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	runplugin.exe
File opened (read-only)	\??\G:	runplugin.exe
File opened (read-only)	\??\I:	runplugin.exe
File opened (read-only)	\??\N:	runplugin.exe
File opened (read-only)	\??\O:	runplugin.exe
File opened (read-only)	\??\Z:	runplugin.exe
File opened (read-only)	\??\I:	runplugin64.exe
File opened (read-only)	\??\Q:	runplugin64.exe
File opened (read-only)	\??\U:	runplugin64.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	runplugin64.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0"	MSI7C4.tmp

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\pcimsg.dll	MSI7C4.tmp
File opened for modification	C:\Windows\SysWOW64\pcimsg.dll	MSI7C4.tmp
File created	C:\Windows\system32\client32provider.dll	winst64.exe
File opened for modification	C:\Windows\system32\client32provider.dll	winst64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1128	pcicfgui_setup.exe
1128	pcicfgui_setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nsdevcon64.exe	msiexec.exe
File created	C:\Program Files (x86)\Common Files\NSL\winstHooks.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\NSL\NSCommonHook.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\WINSTALL.EXE	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-datetime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-localization-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pluginprintmanmodule64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Runplugin64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-utility-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCIVDD.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nss_lock_image.jpg	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\icudt51.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Dummy.Lic	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nssres.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\KeyShowHook64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nss_lock_image_ws.jpg	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\icuuc51.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport School\_Data.lnk	MSI7C4.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport School\WdfCoInstaller01005.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSSilence.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\StoreSoftwareCtl64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nsmres.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-memory-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-runtime-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCIMSG.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\blockapp.jpg	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-libraryloader-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PluginCountersModule.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Sounds\StudentIncorrect.wav	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport School\NSM.LIC	MSI5EE.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport School\VolumeControlWXP.DLL	msiexec.exe
File created	C:\Program Files (x86)\Common Files\NSL\NSCommonHook64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\keyShow64.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCICHEK.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-interlocked-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Control.kbd	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PluginDevicesModule.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\remcmdstub.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\wxbase322u_xml_vc_custom.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\schplayer.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PluginDevicesModule64.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Sounds\StudentSelected.wav	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\toastImageAndText.png	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\LoopbackUnblocker.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-util-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nskbfltr.inf	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSSecurity.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\Sounds\StudentCorrect.wav	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\BCGCBPRO3350u141.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\_Data.lnk	MSI5EE.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-processenvironment-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\PCIAPPCTRL.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\nsmexec.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport School\NSClientTB.exe	msiexec.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF600.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF951.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ee96.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF991.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut4_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe1_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut8_134A4E1756504D7CA2A1E16C4AA879D9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF2EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF29F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut4_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BE.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ee98.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFC75.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcideply.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EE.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File opened for modification	C:\Windows\Installer\MSIF2CF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5DE.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcideply.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA0F.tmp	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\schdesigner.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut3_80D45F4DD8E3472CB2C7080AAA34AB2A.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF18.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF67F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe1_28874BA5F8594ADCBE8AB571ECB4C1AB.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut5_0CEE40B1A09F47C29DE0582B6A44A9EC_1.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut5_0CEE40B1A09F47C29DE0582B6A44A9EC_1.exe	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	MSI7C4.tmp
File opened for modification	C:\Windows\Installer\MSIF27F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut3_80D45F4DD8E3472CB2C7080AAA34AB2A.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut1_1045CC3CC07549BB86C478A6B724F98D.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut8_134A4E1756504D7CA2A1E16C4AA879D9.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F021B863-9473-4467-93B2-6FC48C30E42F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF610.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\pcinssui.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF78.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ee96.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF950.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\schdesigner.exe_5E9E1DA4475445BE9255D1E30AFF412C.exe	msiexec.exe
File created	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\VideoShortcutWin7Abo_484D413D0D3342A2A692F037061C1AA9.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7C4.tmp	msiexec.exe
File opened for modification	C:\Windows\setupact.log	MSI7C4.tmp
File opened for modification	C:\Windows\Installer\MSIFE99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1332.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF5EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFAEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFB3C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\VideoShortcutWin7Abo_484D413D0D3342A2A692F037061C1AA9.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File opened for modification	C:\Windows\Installer\MSIF68F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{F021B863-9473-4467-93B2-6FC48C30E42F}\NewShortcut1_1045CC3CC07549BB86C478A6B724F98D.exe	msiexec.exe

Executes dropped EXE 19 IoCs

pid	Process
4464	MSIF68F.tmp
1932	MSIF6FE.tmp
2172	MSIFC75.tmp
1696	checkdvd.exe
768	MSI5EE.tmp
4852	MSI7C4.tmp
5008	winst64.exe
1128	pcicfgui_setup.exe
2300	pcicfgui_setup.exe
4396	MSI1942.tmp
528	client32.exe
1548	client32.exe
1628	runplugin.exe
4580	runplugin64.exe
2960	runplugin.exe
880	runplugin64.exe
3092	Process not Found
3144	Process not Found
1000	Process not Found

Loads dropped DLL 64 IoCs

pid	Process
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
3852	MsiExec.exe
2232	MsiExec.exe
2232	MsiExec.exe
2232	MsiExec.exe
2232	MsiExec.exe
2232	MsiExec.exe
5008	winst64.exe
4852	MSI7C4.tmp
2232	MsiExec.exe
3852	MsiExec.exe
1128	pcicfgui_setup.exe
1128	pcicfgui_setup.exe
1128	pcicfgui_setup.exe
1128	pcicfgui_setup.exe
1128	pcicfgui_setup.exe
3852	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
2104	MsiExec.exe
528	client32.exe
528	client32.exe
528	client32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIFC75.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	checkdvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI1942.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIF6FE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI7C4.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcicfgui_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI5EE.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecEdit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runplugin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM"	client32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main\Isolation = "PMIL"	client32.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	client32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MSI5EE.tmp
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MSI7C4.tmp
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced"	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver"	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	MSI5EE.tmp

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\NSReplayFile	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\ConfiguratorShortcut = "Configurator"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\ProductIcon = "C:\\Windows\\Installer\\{F021B863-9473-4467-93B2-6FC48C30E42F}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\N4be01d2e\expiryyear = "2024"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\EditFlags = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command	MSI7C4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\TestDesigner = "\x06NSS"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\RemoteDeploy = "\x06Tutor"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\AuthorizedLUAApp = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with NetSupport School"	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Tutor = "\x06NSS"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\currentver = "1500"	client32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\N4be01d2e\expiryday = "2"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Configurator = "NSS"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\expirymonth = "10"	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\NetSupport_TC_Templates = "\x06TechConsole"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\expiryday = "2"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\expirymonth = "10"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\DefaultIcon\ = "C:\\Program Files (x86)\\NetSupport\\NetSupport School\\PCIVideo.exe,1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\a = "S"	MSI5EE.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ThreadingModel = "Apartment"	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\startmonth = "9"	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\startyear = "2024"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\startmonth = "9"	MSI5EE.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32\ = "Client32Provider.dll"	winst64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell	MSI7C4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show	MSI7C4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\TutorStudentUpgradeFiles = "\x06TechConsole"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\Version = "252313603"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\943C1EEA70369E845B409AAF32BEB8CD\368B120F37497644392BF64CC8034EF2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\startday = "1"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport School\\pcinssui.exe\" /ShowVideo \"%L\""	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\ = "&Show with NetSupport School"	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\TechConsole = "\x06NSS"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\368B120F37497644392BF64CC8034EF2\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e	pcicfgui_setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\N4be01d2e\expirymonth = "10"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\BrowserFlags = "8"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\a = "S"	MSI7C4.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\368B120F37497644392BF64CC8034EF2\Temp = "NSS"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\N4be01d2e	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.rpf	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\Play\Command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport School\\client32.exe\" /r\"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N4be01d2e\startyear = "2024"	MSI5EE.tmp

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1548	client32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	MsiExec.exe
2104	MsiExec.exe
4856	msiexec.exe
4856	msiexec.exe
4852	MSI7C4.tmp
4852	MSI7C4.tmp
4852	MSI7C4.tmp
4852	MSI7C4.tmp
528	client32.exe
528	client32.exe
1548	client32.exe
1548	client32.exe
4580	runplugin64.exe
4580	runplugin64.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1628	runplugin.exe
4580	runplugin64.exe
4968	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4408	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4408	msiexec.exe
Token: SeSecurityPrivilege	4856	msiexec.exe
Token: SeCreateTokenPrivilege	4408	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4408	msiexec.exe
Token: SeLockMemoryPrivilege	4408	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4408	msiexec.exe
Token: SeMachineAccountPrivilege	4408	msiexec.exe
Token: SeTcbPrivilege	4408	msiexec.exe
Token: SeSecurityPrivilege	4408	msiexec.exe
Token: SeTakeOwnershipPrivilege	4408	msiexec.exe
Token: SeLoadDriverPrivilege	4408	msiexec.exe
Token: SeSystemProfilePrivilege	4408	msiexec.exe
Token: SeSystemtimePrivilege	4408	msiexec.exe
Token: SeProfSingleProcessPrivilege	4408	msiexec.exe
Token: SeIncBasePriorityPrivilege	4408	msiexec.exe
Token: SeCreatePagefilePrivilege	4408	msiexec.exe
Token: SeCreatePermanentPrivilege	4408	msiexec.exe
Token: SeBackupPrivilege	4408	msiexec.exe
Token: SeRestorePrivilege	4408	msiexec.exe
Token: SeShutdownPrivilege	4408	msiexec.exe
Token: SeDebugPrivilege	4408	msiexec.exe
Token: SeAuditPrivilege	4408	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4408	msiexec.exe
Token: SeChangeNotifyPrivilege	4408	msiexec.exe
Token: SeRemoteShutdownPrivilege	4408	msiexec.exe
Token: SeUndockPrivilege	4408	msiexec.exe
Token: SeSyncAgentPrivilege	4408	msiexec.exe
Token: SeEnableDelegationPrivilege	4408	msiexec.exe
Token: SeManageVolumePrivilege	4408	msiexec.exe
Token: SeImpersonatePrivilege	4408	msiexec.exe
Token: SeCreateGlobalPrivilege	4408	msiexec.exe
Token: SeCreateTokenPrivilege	4408	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4408	msiexec.exe
Token: SeLockMemoryPrivilege	4408	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4408	msiexec.exe
Token: SeMachineAccountPrivilege	4408	msiexec.exe
Token: SeTcbPrivilege	4408	msiexec.exe
Token: SeSecurityPrivilege	4408	msiexec.exe
Token: SeTakeOwnershipPrivilege	4408	msiexec.exe
Token: SeLoadDriverPrivilege	4408	msiexec.exe
Token: SeSystemProfilePrivilege	4408	msiexec.exe
Token: SeSystemtimePrivilege	4408	msiexec.exe
Token: SeProfSingleProcessPrivilege	4408	msiexec.exe
Token: SeIncBasePriorityPrivilege	4408	msiexec.exe
Token: SeCreatePagefilePrivilege	4408	msiexec.exe
Token: SeCreatePermanentPrivilege	4408	msiexec.exe
Token: SeBackupPrivilege	4408	msiexec.exe
Token: SeRestorePrivilege	4408	msiexec.exe
Token: SeShutdownPrivilege	4408	msiexec.exe
Token: SeDebugPrivilege	4408	msiexec.exe
Token: SeAuditPrivilege	4408	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4408	msiexec.exe
Token: SeChangeNotifyPrivilege	4408	msiexec.exe
Token: SeRemoteShutdownPrivilege	4408	msiexec.exe
Token: SeUndockPrivilege	4408	msiexec.exe
Token: SeSyncAgentPrivilege	4408	msiexec.exe
Token: SeEnableDelegationPrivilege	4408	msiexec.exe
Token: SeManageVolumePrivilege	4408	msiexec.exe
Token: SeImpersonatePrivilege	4408	msiexec.exe
Token: SeCreateGlobalPrivilege	4408	msiexec.exe
Token: SeCreateTokenPrivilege	4408	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4408	msiexec.exe
Token: SeLockMemoryPrivilege	4408	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4408	msiexec.exe
4408	msiexec.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
1548	client32.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe
4968	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	runplugin.exe
4580	runplugin64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 2104	4856	msiexec.exe	75
PID 4856 wrote to memory of 2104	4856	msiexec.exe	75
PID 4856 wrote to memory of 2104	4856	msiexec.exe	75
PID 4408 wrote to memory of 2328	4408	msiexec.exe	76
PID 4408 wrote to memory of 2328	4408	msiexec.exe	76
PID 2328 wrote to memory of 2268	2328	cmd.exe	78
PID 2328 wrote to memory of 2268	2328	cmd.exe	78
PID 2328 wrote to memory of 2268	2328	cmd.exe	78
PID 4408 wrote to memory of 996	4408	msiexec.exe	79
PID 4408 wrote to memory of 996	4408	msiexec.exe	79
PID 996 wrote to memory of 5032	996	cmd.exe	81
PID 996 wrote to memory of 5032	996	cmd.exe	81
PID 996 wrote to memory of 5032	996	cmd.exe	81
PID 4856 wrote to memory of 4980	4856	msiexec.exe	85
PID 4856 wrote to memory of 4980	4856	msiexec.exe	85
PID 4856 wrote to memory of 3852	4856	msiexec.exe	87
PID 4856 wrote to memory of 3852	4856	msiexec.exe	87
PID 4856 wrote to memory of 3852	4856	msiexec.exe	87
PID 4856 wrote to memory of 4464	4856	msiexec.exe	88
PID 4856 wrote to memory of 4464	4856	msiexec.exe	88
PID 4856 wrote to memory of 1932	4856	msiexec.exe	90
PID 4856 wrote to memory of 1932	4856	msiexec.exe	90
PID 4856 wrote to memory of 1932	4856	msiexec.exe	90
PID 4856 wrote to memory of 2232	4856	msiexec.exe	91
PID 4856 wrote to memory of 2232	4856	msiexec.exe	91
PID 4856 wrote to memory of 2232	4856	msiexec.exe	91
PID 4856 wrote to memory of 2172	4856	msiexec.exe	92
PID 4856 wrote to memory of 2172	4856	msiexec.exe	92
PID 4856 wrote to memory of 2172	4856	msiexec.exe	92
PID 4856 wrote to memory of 1696	4856	msiexec.exe	93
PID 4856 wrote to memory of 1696	4856	msiexec.exe	93
PID 4856 wrote to memory of 1696	4856	msiexec.exe	93
PID 4856 wrote to memory of 768	4856	msiexec.exe	94
PID 4856 wrote to memory of 768	4856	msiexec.exe	94
PID 4856 wrote to memory of 768	4856	msiexec.exe	94
PID 4856 wrote to memory of 4852	4856	msiexec.exe	95
PID 4856 wrote to memory of 4852	4856	msiexec.exe	95
PID 4856 wrote to memory of 4852	4856	msiexec.exe	95
PID 4852 wrote to memory of 5008	4852	MSI7C4.tmp	96
PID 4852 wrote to memory of 5008	4852	MSI7C4.tmp	96
PID 4856 wrote to memory of 5028	4856	msiexec.exe	97
PID 4856 wrote to memory of 5028	4856	msiexec.exe	97
PID 5028 wrote to memory of 4576	5028	cmd.exe	99
PID 5028 wrote to memory of 4576	5028	cmd.exe	99
PID 5028 wrote to memory of 4576	5028	cmd.exe	99
PID 4856 wrote to memory of 1128	4856	msiexec.exe	101
PID 4856 wrote to memory of 1128	4856	msiexec.exe	101
PID 4856 wrote to memory of 1128	4856	msiexec.exe	101
PID 1128 wrote to memory of 2300	1128	pcicfgui_setup.exe	102
PID 1128 wrote to memory of 2300	1128	pcicfgui_setup.exe	102
PID 1128 wrote to memory of 2300	1128	pcicfgui_setup.exe	102
PID 4408 wrote to memory of 4396	4408	msiexec.exe	103
PID 4408 wrote to memory of 4396	4408	msiexec.exe	103
PID 4408 wrote to memory of 4396	4408	msiexec.exe	103
PID 528 wrote to memory of 1548	528	client32.exe	105
PID 528 wrote to memory of 1548	528	client32.exe	105
PID 528 wrote to memory of 1548	528	client32.exe	105
PID 1548 wrote to memory of 1628	1548	client32.exe	106
PID 1548 wrote to memory of 1628	1548	client32.exe	106
PID 1548 wrote to memory of 1628	1548	client32.exe	106
PID 1548 wrote to memory of 4580	1548	client32.exe	107
PID 1548 wrote to memory of 4580	1548	client32.exe	107
PID 1548 wrote to memory of 2960	1548	client32.exe	108
PID 1548 wrote to memory of 2960	1548	client32.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2268	attrib.exe
5032	attrib.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\NetSupport School.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\system32\cmd.exe
  cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2268
- C:\Windows\system32\cmd.exe
  cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:996
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5032
- C:\Users\Admin\AppData\Local\Temp\MSI1942.tmp
  "C:\Users\Admin\AppData\Local\Temp\MSI1942.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EI
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4396

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CB6205514FE15F93CADFD48DC4E23C0C C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD777E509B0B4B21EA350B41C0DEE810
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3852
- C:\Windows\Installer\MSIF68F.tmp
  "C:\Windows\Installer\MSIF68F.tmp" /p "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\Detect64LSP.txt"
  2⤵
  - Executes dropped EXE
  PID:4464
- C:\Windows\Installer\MSIF6FE.tmp
  "C:\Windows\Installer\MSIF6FE.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CC092EF907741D4E01BEADDB72F526C5 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:2232
- C:\Windows\Installer\MSIFC75.tmp
  "C:\Windows\Installer\MSIFC75.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Windows\Installer\MSI5EE.tmp
  "C:\Windows\Installer\MSI5EE.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EC /Q /Q /C
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:768
- C:\Windows\Installer\MSI7C4.tmp
  "C:\Windows\Installer\MSI7C4.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EV"NetSupport School" /EC /Q /Q /I *
  2⤵
  - Sets service image path in registry
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe
    winst64.exe /q /q /i
    3⤵
    - Drops file in Drivers directory
    - Drops file in System32 directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:5008
- C:\Windows\system32\cmd.exe
  cmd.exe /c secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\SecEdit.exe
    secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4576
- C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport School\Client32.ini"
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe"
    3⤵
    - Executes dropped EXE
    PID:2300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2448

C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
"C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" /* *
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:528
- C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe
  "C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" * /VistaUI
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe" /USER=SYSTEM
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:1628
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe" /USER=SYSTEM
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:4580
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2960
- - C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe
    "C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe"
    3⤵
    - Executes dropped EXE
    PID:880

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ee97.rbs

Filesize
64KB

MD5
7df3e704c13898cac3737462aa692e02

SHA1
7b59c71f775fc323ded78f5799442be05e17c59d

SHA256
01cbdcc2ced84e7796ec33691f40ef9aa881eaa9520b6873605dcf5f48f0df55

SHA512
1c663124b511642d507b6995b026aed90fa99f1cd43a9575f2bd610306c2c0f79bac8edb1622a10e73f466bce2b66004cf7fd3f455f8a63057e4d769ddd7fe39

Download Submit
C:\Program Files (x86)\NetSupport\NetSupport School\WINSTALL.EXE

Filesize
745KB

MD5
0228cb02aa58ef2876713130990c8ccf

SHA1
f6766273a186b6911a6127fbb5af90125e267bbe

SHA256
3651a2131f423c5c553476236be7ad4f26a63c67d872c3b9ecc135d1d184b1ed

SHA512
a07664e639252a2bd34f42fb6907b95889d31657aa81fcdeea4b171bf3410bd3d56f5e404ee8fc16938d826f7cfffc46efcfe74126afec6e87cb048618d26e89

Download Submit
C:\Program Files (x86)\NetSupport\NetSupport School\product.dat

Filesize
506B

MD5
ff7c0d2dbb9195083bbabaff482d5ed6

SHA1
5c2efbf855c376ce1b93e681c54a367a407495dc

SHA256
065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075

SHA512
ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk

Filesize
2KB

MD5
6c5019b09ff3561c672165ae64e38a6b

SHA1
309c2657c367e0b36ac6e40d8dc5909f2fcd194f

SHA256
cd9be22113ade589426a07ab8f49914aca3cec862416ebfd5be7d73347df66e3

SHA512
84240f71e55df3235d45390fe7f18dcdc413413e7d0d4881f14ffc119867ec7df9e7c447c9af58f2074bcb841d9c3fb5d139887a598cb02a1fa123852f4c293a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk~RFe580589.TMP

Filesize
2KB

MD5
101590b7a7c7818da8c1ec8502e4e8c6

SHA1
d65dc37a53248d2a1123595c1617ba23f1cc32dd

SHA256
c7825772848dcdbbbe3ab4f64968cabf04d141c82741558056a7b4115c935677

SHA512
30eca5231fffd186bcba971435a4bdcde107812ab533ca48e25975c54f0b9567893f7303222699f350fd67e6800002b3f0f0fd9dc97b538d090ba1a4901c0166

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLL_{F021B863-9473-4467-93B2-6FC48C30E42F}.ini

Filesize
4KB

MD5
8d836df93f1f1b4fad9b2bc4d62f3e7f

SHA1
5142f9a7caf42e9230eee3e8f8838c1551be50bd

SHA256
480ee6b54b7138b7cbac04740fe92b51360136da56573073c8bd0c5e55be0c7b

SHA512
14baf13292773ff60390fa310bbe9fb506b27f3a9693d661732e1d78f5671c5753a52804d7bae1c62d57bbfb10b3c1b3e1cdf5e6a92b53cbd44a406b795e5e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI90E6.tmp

Filesize
169KB

MD5
0e6fda2b8425c9513c774cf29a1bc72d

SHA1
a79ffa24cb5956398ded44da24793a2067b85dd0

SHA256
e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

SHA512
285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9183.tmp

Filesize
511KB

MD5
d524b639a3a088155981b9b4efa55631

SHA1
39d8eea673c02c1522b110829b93d61310555b98

SHA256
03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289

SHA512
84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9201.tmp

Filesize
487KB

MD5
d21afcbb8d2e5a043841b4d145af1df6

SHA1
849db8ddad9e942bfe20a50666d17484b56a26e3

SHA256
c9d4fd904650e4e53de4018951906c1434420d65cdb33e48c23b6c22bc9fdd4c

SHA512
ecb8fbb2826f7f47eed46897701d42873b17b7599cd785ca54e900b793e3de1179c4d6441f317aa5298ae52c1c11157ae43b11822aa0076b9ec93ad5e46f0225

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI929E.tmp

Filesize
153KB

MD5
a1b7850763af9593b66ee459a081bddf

SHA1
6e45955fae2b2494902a1b55a3873e542f0f5ce4

SHA256
41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

SHA512
a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\Client32.ini

Filesize
77B

MD5
3d6de28fc7ae0ea0c8f754fff6246be8

SHA1
2f519518166499a06dfd61c327dd56e681390d2a

SHA256
aacd16e069a0d6c2371767eeea668b5b32b54a16c1d887e16142c845596e033b

SHA512
e3c7c0bf0511e22acf7a0fe3465b33ab774eaac69ce91456cedf3d44f476b7c26c381e888c6d1e481ebecf7a04921bcaa3d059ff7b113ec9841b4460c74ad40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\Client32.upd

Filesize
10B

MD5
c7dea5b4aa8726d6e1856b151a3d5e61

SHA1
0e7d482333027b5381e94c945969bfb20aa8bcfc

SHA256
444b6e841966e6306050fd2b2211e00dd877c4aa2b8971a3010d3e53d95ea7ee

SHA512
dd3732dfdb5a56bd70aba7c298001280d76829928d8e1a9add03cfc55e26f24fb317d01b915578ac54ba920fe0e736d4ca04f82eb98e67e0bf773973dc20313d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NSM.LIC

Filesize
190B

MD5
41b74ffe52b6d2aef850e4b064876ce0

SHA1
549b93bb84df9796e7c9fa5a0925f82a5201e42f

SHA256
73a125a95016a791167410b505b1835cd15fe74a2ba0d2400f6bef2805a3383a

SHA512
35767cee6680bd78ea8184cb92daa0c28955bdf03ccf6115abb71aca7c21ac4fdf233ccd2250341e5213c1c8c6d5968a912397c450268a1fb863373df9efd0d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NSM.LIC

Filesize
207B

MD5
75a96105a1c0f6c4536e16debf9edf40

SHA1
09a0501cb70fbbc9f086aa0eb8242a9ee0d6f9cc

SHA256
7a1bf991023566ba5f926a809b3307fd98f26d327ec416ef23a2988e1f7503a3

SHA512
d679bf58797002b299d99b58518edf33d8d615c3054315c7d9809959a0b12abf979e1685081cd95852ae12dc9437ac9ec8f318b4ee82338061c3f273afaaeb39

Download Submit
C:\Windows\Installer\MSI5BE.tmp

Filesize
244KB

MD5
c4ca339bc85aae8999e4b101556239dd

SHA1
d090fc385e0002e35db276960a360c67c4fc85cd

SHA256
4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9

SHA512
9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0

Download Submit
memory/1128-507-0x0000000002F20000-0x00000000030AE000-memory.dmp

Filesize
1.6MB

Download
memory/1548-528-0x0000000005230000-0x0000000005346000-memory.dmp

Filesize
1.1MB

Download
memory/4968-557-0x00007FF8A61D0000-0x00007FF8A6271000-memory.dmp

Filesize
644KB

Download
memory/4968-551-0x00007FF8A49F0000-0x00007FF8A50E2000-memory.dmp

Filesize
6.9MB

Download
memory/4968-546-0x00007FF8A47E0000-0x00007FF8A482C000-memory.dmp

Filesize
304KB

Download
memory/4968-536-0x00007FF75AED0000-0x00007FF75AFFC000-memory.dmp

Filesize
1.2MB

Download
memory/4968-559-0x0000000011320000-0x0000000011372000-memory.dmp

Filesize
328KB

Download
memory/4968-558-0x00007FF8A61D0000-0x00007FF8A6271000-memory.dmp

Filesize
644KB

Download
memory/4968-548-0x00007FF8A6660000-0x00007FF8A7A97000-memory.dmp

Filesize
20.2MB

Download
memory/4968-556-0x00007FF8A61D0000-0x00007FF8A6271000-memory.dmp

Filesize
644KB

Download
memory/4968-555-0x00007FF8A61D0000-0x00007FF8A6271000-memory.dmp

Filesize
644KB

Download
memory/4968-554-0x00007FF8A61D0000-0x00007FF8A6271000-memory.dmp

Filesize
644KB

Download
memory/4968-553-0x00007FF8A61D0000-0x00007FF8A6271000-memory.dmp

Filesize
644KB

Download
memory/4968-538-0x00007FF8A5FD0000-0x00007FF8A607E000-memory.dmp

Filesize
696KB

Download
memory/4968-552-0x00007FF8A61D0000-0x00007FF8A6271000-memory.dmp

Filesize
644KB

Download
memory/4968-550-0x00007FF8A49F0000-0x00007FF8A50E2000-memory.dmp

Filesize
6.9MB

Download
memory/4968-549-0x00007FF8A6280000-0x00007FF8A632A000-memory.dmp

Filesize
680KB

Download
memory/4968-545-0x00007FF8A5460000-0x00007FF8A54A9000-memory.dmp

Filesize
292KB

Download
memory/4968-544-0x00007FF8A53F0000-0x00007FF8A545A000-memory.dmp

Filesize
424KB

Download
memory/4968-543-0x00007FF8A6080000-0x00007FF8A61A5000-memory.dmp

Filesize
1.1MB

Download
memory/4968-542-0x00007FF8A50F0000-0x00007FF8A5279000-memory.dmp

Filesize
1.5MB

Download
memory/4968-540-0x00007FF8A5680000-0x00007FF8A58C9000-memory.dmp

Filesize
2.3MB

Download
memory/4968-539-0x00007FF8A5680000-0x00007FF8A58C9000-memory.dmp

Filesize
2.3MB

Download
memory/4968-537-0x00007FF8A5FD0000-0x00007FF8A607E000-memory.dmp

Filesize
696KB

Download
memory/4968-541-0x00007FF8A5680000-0x00007FF8A58C9000-memory.dmp

Filesize
2.3MB

Download
memory/4968-547-0x00007FF8A6660000-0x00007FF8A7A97000-memory.dmp

Filesize
20.2MB

Download