1bed372c2eac53075a040d6f2aae22659e0e0fee2ce21835dd95e3c580cc1e05

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2024, 04:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
Size

116.4MB
MD5

d164724461b25eb363a1a31d3333cc65
SHA1

6c1192a6e79fbc1b9c5d415fa98567d87be0b2c9
SHA256

1bed372c2eac53075a040d6f2aae22659e0e0fee2ce21835dd95e3c580cc1e05
SHA512

bdb591a44e49cddb56e130b67d4c1f202b362cb64e53ba0608a1408863147f9953d57f17cdafdd5946061318f0825e950dd690f92ace8b88d582a94ad8452548
SSDEEP

3145728:jLH+5LLf4eHgCo6iYPR0vGQNb5ZdqIUhEb0TsT8SO5i:fe5XHggiYPGvDh7dqx2b0T1SO5i

Score

8^/10

discovery evasion execution persistence privilege_escalation trojan

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\nFsFlt64.sys	DrvInst.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Mswtd\Parameters\ServiceDll = "C:\\Windows\\SysWOW64\\Mswtd.dll"	NSecRTS.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	NSecRTS.exe
File opened (read-only)	\??\P:	NSecRTS.exe
File opened (read-only)	\??\S:	NSecRTS.exe
File opened (read-only)	\??\V:	NSecRTS.exe
File opened (read-only)	\??\F:	NSecRTS.exe
File opened (read-only)	\??\L:	NSecRTS.exe
File opened (read-only)	\??\Q:	NSecRTS.exe
File opened (read-only)	\??\R:	NSecRTS.exe
File opened (read-only)	\??\T:	NSecRTS.exe
File opened (read-only)	\??\X:	NSecRTS.exe
File opened (read-only)	\??\Z:	NSecRTS.exe
File opened (read-only)	\??\F:	NSecRTS.exe
File opened (read-only)	\??\E:	NSecRTS.exe
File opened (read-only)	\??\I:	NSecRTS.exe
File opened (read-only)	\??\J:	NSecRTS.exe
File opened (read-only)	\??\O:	NSecRTS.exe
File opened (read-only)	\??\Y:	NSecRTS.exe
File opened (read-only)	\??\F:	instrap.exe
File opened (read-only)	\??\H:	NSecRTS.exe
File opened (read-only)	\??\K:	NSecRTS.exe
File opened (read-only)	\??\N:	NSecRTS.exe
File opened (read-only)	\??\U:	NSecRTS.exe
File opened (read-only)	\??\W:	NSecRTS.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mswtd.dll	NSecRTS.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\nFsFlt64.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E19.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\nFsFlt64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nfsflt64.inf_amd64_3d4483f1b65ddfb3\nFsFlt64.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\InstallUtil.InstallLog	InstallUtil.exe
File created	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E18.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\nFsFlt64.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E19.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nfsflt64.inf_amd64_3d4483f1b65ddfb3\nFsFlt64.cat	DrvInst.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\InstallUtil.exe.log	InstallUtil.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E18.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nfsflt64.inf_amd64_3d4483f1b65ddfb3\nFsFlt64.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E17.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E17.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\nfsflt64.inf_amd64_3d4483f1b65ddfb3\nFsFlt64.sys	DrvInst.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Cached Backup	NSecRTS.exe
File created	C:\Program Files (x86)\Common Files\NSEC\WinNtDes.exe	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\DevExpress.XtraSpreadsheet.v22.1.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nsis\Include\Win\Propkey.nsh	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\beta\drivers\ntdes\x64\nxdsupport.sys	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\x64\nxdisolate.sys	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\x86\nxdsupport.cat	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\WinDiskMgr.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\arm\nxdsupport.cat	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\arm64\nxdsupport.inf	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\drivers\ntdes\x86\nxdsupport.sys	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nsis\Include\Colors.nsh	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\NSEC.Common.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\zh-Hans\DevExpress.ExpressApp.Security.Xpo.v22.1.resources.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nsis\Include\VPatchLib.nsh	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\drivers\nsdiskcrypt\nsdiskcrypt-x64.sys	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\DevExpress.XtraCharts.v22.1.UI.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\drivers\ntdes\x64\nxdisolate.inf	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\arm\nxddt2.inf	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\x64\nxdsupport.sys	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSEC\Data\DeAppNotice.db	NSecRTS.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\zh-Hans\DevExpress.DataAccess.v22.1.UI.resources.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\zh-Hans\DevExpress.Xpf.LayoutControl.v22.1.resources.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nsis\Include\Memento.nsh	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\arm64\nxddt2.cat	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\7z\7z.exe	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\zh-Hans\DevExpress.XtraPivotGrid.v22.1.resources.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\nss\libnspr4.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\nss\nssutil3.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nsis\Include\Sections.nsh	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nsis\Stubs\lzma-x86-unicode	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\beta\WinFsCore.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\arm\nxdds2.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\Data\cfg.xml	NSecRTS.exe
File created	C:\Program Files (x86)\Common Files\NSEC\data\NsLogon\windows10_30.jpg	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\drivers\ntdes\x86\nxdisolate.cat	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSEC\Data\recordcached.db-journal	NSecRTS.exe
File created	C:\Program Files (x86)\Common Files\NSEC\res\tray_offline.ico	7z.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\zh-Hans\DevExpress.ExpressApp.FileAttachment.Win.v22.1.resources.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\zh-Hans\DevExpress.ExpressApp.ReportsV2.Web.v22.1.resources.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\x64\imDec3.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSEC\Data\cfg.xml	NSecRTS.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSEC\Data\KVDB\CONFIG_Global.crc	Nx.UI.MessageCenter.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nsis\Include\WinVer.nsh	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\x64\PolicyHandler.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nsis\Include\Integration.nsh	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\Data\rsa_public.key	NSecRTS.exe
File created	C:\Program Files (x86)\Common Files\NSEC\icon.zip.tmp	NSecRTS.exe
File created	C:\Program Files (x86)\Common Files\NSEC\drivers\ntdes\arm\nxdsupport.inf	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\MailKit.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\drivers\ntdes\x86\nxdds2.sys	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\NSecUI.AppStore.Client.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\en\Nx.UI.Toolset.FileMaker.resources.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSEC\Data\KVDB\CONFIG_Global.crc	Nx.UI.MessageCenter.exe
File created	C:\Program Files (x86)\Common Files\NSEC\NtDeshs.exe	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\drivers\ntdes\arm\nxdisolate.inf	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\Mswtd.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSEC\Data\xConfig.db-journal	NSecRTS.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\RD\testauth.exe	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\MiddleExe.exe	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\en\NSecUI.AppStore.resources.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\nxd\la\drivers\ntdes\arm\nxddt2.cat	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
File opened for modification	C:\Program Files (x86)\Common Files\NSEC\Data\KVDB\99_Global	NSecRTS.exe
File created	C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\NSecsoft.NativeModule.dll	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe

Executes dropped EXE 29 IoCs

pid	Process
4412	NSec.exe
4572	instrap.exe
2312	NSecRTS.exe
1200	NSecRTS.exe
3396	fixit.exe
3496	wg.exe
3572	wg.exe
3624	NSecRTS.exe
4388	NSecDs.exe
4508	NSecDs.exe
4620	NSecRTS.exe
2236	Nx.UI.MessageCenter.exe
4400	Fixit.exe
1468	NSecRTS.exe
4424	NSecRTS.exe
2068	NSecRTS.exe
4392	Nx.UI.MessageCenter.exe
2180	NSecRTX2.exe
4008	Nx.UI.MessageCenter.exe
3980	Nx.UI.MessageCenter.exe
4412	Nx.UI.MessageCenter.exe
4408	Nx.UI.MessageCenter.exe
3080	Nx.UI.MessageCenter.exe
4756	7z.exe
3964	Nx.UI.MessageCenter.exe
1824	Nx.UI.MessageCenter.exe
1760	Nx.UI.MessageCenter.exe
4240	Nx.UI.MessageCenter.exe
3068	Nx.UI.MessageCenter.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4664	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
1200	NSecRTS.exe
3396	fixit.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
4620	NSecRTS.exe
4620	NSecRTS.exe
2236	Nx.UI.MessageCenter.exe
2236	Nx.UI.MessageCenter.exe
2236	Nx.UI.MessageCenter.exe
2236	Nx.UI.MessageCenter.exe
2236	Nx.UI.MessageCenter.exe
2236	Nx.UI.MessageCenter.exe
4620	NSecRTS.exe
2236	Nx.UI.MessageCenter.exe
2236	Nx.UI.MessageCenter.exe
2236	Nx.UI.MessageCenter.exe
2236	Nx.UI.MessageCenter.exe
4380	WerFault.exe
4380	WerFault.exe
1200	NSecRTS.exe
3512	InstallUtil.exe
3512	InstallUtil.exe
2976	svchost.exe
1988	regsvr32.exe
4280	PowerShell.exe
4400	Fixit.exe
4672	WerFault.exe
4280	PowerShell.exe
4672	WerFault.exe
3300	regsvr32.exe
2520	regsvr32.exe
380	WerFault.exe
380	WerFault.exe
3456	Process not Found
3456	Process not Found
3848	Process not Found
3848	Process not Found
2068	NSecRTS.exe
2068	NSecRTS.exe
2068	NSecRTS.exe
2068	NSecRTS.exe
4392	Nx.UI.MessageCenter.exe
4392	Nx.UI.MessageCenter.exe
4392	Nx.UI.MessageCenter.exe
4392	Nx.UI.MessageCenter.exe
4392	Nx.UI.MessageCenter.exe
4392	Nx.UI.MessageCenter.exe
4392	Nx.UI.MessageCenter.exe
4392	Nx.UI.MessageCenter.exe
1512	WerFault.exe
4392	Nx.UI.MessageCenter.exe
4392	Nx.UI.MessageCenter.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NSecRTS.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	NSecRTS.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 21 IoCs

pid	pid_target	Process	procid_target
4380	2236	WerFault.exe	124
4672	2236	WerFault.exe	124
380	4280	WerFault.exe	122
1512	4392	WerFault.exe	159
4988	4392	WerFault.exe	159
1464	4008	WerFault.exe	172
3496	4008	WerFault.exe	172
1208	3980	WerFault.exe	183
4768	4412	WerFault.exe	193
4664	4412	WerFault.exe	193
4740	4408	WerFault.exe	204
1780	3080	WerFault.exe	213
1392	3080	WerFault.exe	213
4852	3964	WerFault.exe	240
1800	3964	WerFault.exe	240
4688	1824	WerFault.exe	251
3028	1760	WerFault.exe	260
2536	1760	WerFault.exe	260
1428	4240	WerFault.exe	271
2196	4240	WerFault.exe	271
1780	3068	WerFault.exe	285

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSecRTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSecRTX2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSecRTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSecDs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSecRTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fixit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nx.UI.MessageCenter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NSec.exe

Checks SCSI registry key(s) 3 TTPs 34 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	NSecRTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	NSecRTS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	NSecRTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	NSecRTS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	NSecRTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	NSecRTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	NSecRTS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	NSecRTS.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	NSecRTS.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	NSecRTS.exe

Modifies data under HKEY_USERS 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\policies\Explorer	NSecRTS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\GrpConv	grpconv.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	NSecRTS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	InstallUtil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\NoDriveTypeAutorun = "0"	NSecRTS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9d0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	NSecRTS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	NSecRTS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	NSecRTS.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	InstallUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	runonce.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\policies	NSecRTS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	NSecRTS.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c32302c-3970-446e-9ac5-478648c7ab53}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\PropertySheetHandlers\DesPropSheet	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.ShlExt\ = "ShlExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E78466C5-7047-4137-B9D3-D0284A6656A0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E78466C5-7047-4137-B9D3-D0284A6656A0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5438C29-4011-4997-A4A2-B568732B040C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DesPropSheet	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E11B33B-EED9-48EB-A105-9654D8AE09B6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1A7F1761-D0C2-4124-981F-368E04997760}\TypeLib\Version = "1.0"	NSecDs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A7F1761-D0C2-4124-981F-368E04997760}\TypeLib\ = "{AF6E9166-F5EF-4ABF-A1FD-457CBFAB9D7F}"	NSecDs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0ACFC9E-8D81-4211-865F-A411AA4AD5D8}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C673BA1D-2EDC-4A64-AF56-1355219C129D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5438C29-4011-4997-A4A2-B568732B040C}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Research\\NSEC\\NShellExt32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DesPropSheet.1\CLSID\ = "{8c32302c-3970-446e-9ac5-478648c7ab53}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DesPropSheet.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DesPropSheet\ = "DesPropSheet Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78466C5-7047-4137-B9D3-D0284A6656A0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C77398C-85C8-4239-92D6-D4C45EB1E64C}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C77398C-85C8-4239-92D6-D4C45EB1E64C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5438C29-4011-4997-A4A2-B568732B040C}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5438C29-4011-4997-A4A2-B568732B040C}\ = "DESFileMenu Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E11B33B-EED9-48EB-A105-9654D8AE09B6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF6E9166-F5EF-4ABF-A1FD-457CBFAB9D7F}\1.0\ = "NSecDsLib"	NSecDs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5438C29-4011-4997-A4A2-B568732B040C}\ = "DESFileMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0ACFC9E-8D81-4211-865F-A411AA4AD5D8}\1.0\0\win32\ = "C:\\Program Files (x86)\\Microsoft Research\\NSEC\\NShellExt32.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E78466C5-7047-4137-B9D3-D0284A6656A0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DesPropSheet\ = "DesPropSheet Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF6E9166-F5EF-4ABF-A1FD-457CBFAB9D7F}\1.0\HELPDIR	NSecDs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DESFileMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DesPropSheet.1\ = "DesPropSheet Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{DF4B840E-6FAA-4491-901A-FB56D43B5FFB}\ = "NShellExtLib"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5438C29-4011-4997-A4A2-B568732B040C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E11B33B-EED9-48EB-A105-9654D8AE09B6}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Research\\NSEC\\NShellExt32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1A7F1761-D0C2-4124-981F-368E04997760}	NSecDs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C673BA1D-2EDC-4A64-AF56-1355219C129D}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DESFileMenu\ = "{F5438C29-4011-4997-A4A2-B568732B040C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8c32302c-3970-446e-9ac5-478648c7ab53}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.ShlExt.1\CLSID\ = "{9E11B33B-EED9-48EB-A105-9654D8AE09B6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AF6E9166-F5EF-4ABF-A1FD-457CBFAB9D7F}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\NSEC\\NSecDs.exe"	NSecDs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c32302c-3970-446e-9ac5-478648c7ab53}\Version\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E11B33B-EED9-48EB-A105-9654D8AE09B6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E78466C5-7047-4137-B9D3-D0284A6656A0}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C77398C-85C8-4239-92D6-D4C45EB1E64C}\ = "IDESFileMenu"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C673BA1D-2EDC-4A64-AF56-1355219C129D}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8c32302c-3970-446e-9ac5-478648c7ab53}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DESFileMenu.1\ = "DESFileMenu Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c32302c-3970-446e-9ac5-478648c7ab53}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Research\\NSEC\\NShellExt32.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E0ACFC9E-8D81-4211-865F-A411AA4AD5D8}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C77398C-85C8-4239-92D6-D4C45EB1E64C}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5438C29-4011-4997-A4A2-B568732B040C}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DesPropSheet.1\ = "DesPropSheet Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F5438C29-4011-4997-A4A2-B568732B040C}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DESFileMenu	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8c32302c-3970-446e-9ac5-478648c7ab53}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.ShlExt\ = "ShlExt Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E11B33B-EED9-48EB-A105-9654D8AE09B6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8c32302c-3970-446e-9ac5-478648c7ab53}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\DESFileMenu	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C77398C-85C8-4239-92D6-D4C45EB1E64C}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.DESFileMenu\CLSID\ = "{F5438C29-4011-4997-A4A2-B568732B040C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NShellExtLib.ShlExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C77398C-85C8-4239-92D6-D4C45EB1E64C}\TypeLib\ = "{E0ACFC9E-8D81-4211-865F-A411AA4AD5D8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8512044F-B351-49D6-9A44-6E27EA5EAEA6}\VersionIndependentProgID\ = "NSecDs.PolicyHelper"	NSecDs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8512044F-B351-49D6-9A44-6E27EA5EAEA6}\AppID = "{3BC61EEB-6261-473F-BF53-85B3DA06F1F2}"	NSecDs.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3624	NSecRTS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4412	NSec.exe
4412	NSec.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
4620	NSecRTS.exe
4620	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
4620	NSecRTS.exe
3624	NSecRTS.exe
4620	NSecRTS.exe
4280	PowerShell.exe
4280	PowerShell.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
4280	PowerShell.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
4620	NSecRTS.exe
4620	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
4620	NSecRTS.exe
4620	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
4620	NSecRTS.exe
4620	NSecRTS.exe
1200	NSecRTS.exe
1200	NSecRTS.exe
3624	NSecRTS.exe
4620	NSecRTS.exe
3624	NSecRTS.exe
4620	NSecRTS.exe
3624	NSecRTS.exe
1200	NSecRTS.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3624	NSecRTS.exe

Suspicious behavior: LoadsDriver 24 IoCs

pid	Process
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1200	NSecRTS.exe
Token: SeSystemtimePrivilege	1200	NSecRTS.exe
Token: SeShutdownPrivilege	3624	NSecRTS.exe
Token: SeSystemtimePrivilege	3624	NSecRTS.exe
Token: SeDebugPrivilege	3624	NSecRTS.exe
Token: SeBackupPrivilege	3624	NSecRTS.exe
Token: SeBackupPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe
Token: SeSecurityPrivilege	3624	NSecRTS.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3624	NSecRTS.exe
3624	NSecRTS.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4412	NSec.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
3624	NSecRTS.exe
4620	NSecRTS.exe
4620	NSecRTS.exe
4620	NSecRTS.exe
4620	NSecRTS.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4412	4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe	102
PID 4852 wrote to memory of 4412	4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe	102
PID 4852 wrote to memory of 4412	4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe	102
PID 4852 wrote to memory of 4572	4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe	103
PID 4852 wrote to memory of 4572	4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe	103
PID 4852 wrote to memory of 4572	4852	setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe	103
PID 4572 wrote to memory of 2312	4572	instrap.exe	104
PID 4572 wrote to memory of 2312	4572	instrap.exe	104
PID 4572 wrote to memory of 2312	4572	instrap.exe	104
PID 1200 wrote to memory of 3396	1200	NSecRTS.exe	107
PID 1200 wrote to memory of 3396	1200	NSecRTS.exe	107
PID 1200 wrote to memory of 3396	1200	NSecRTS.exe	107
PID 1200 wrote to memory of 3496	1200	NSecRTS.exe	108
PID 1200 wrote to memory of 3496	1200	NSecRTS.exe	108
PID 1200 wrote to memory of 4000	1200	NSecRTS.exe	110
PID 1200 wrote to memory of 4000	1200	NSecRTS.exe	110
PID 1200 wrote to memory of 4000	1200	NSecRTS.exe	110
PID 4000 wrote to memory of 4916	4000	cmd.exe	112
PID 4000 wrote to memory of 4916	4000	cmd.exe	112
PID 4000 wrote to memory of 4916	4000	cmd.exe	112
PID 4000 wrote to memory of 3572	4000	cmd.exe	113
PID 4000 wrote to memory of 3572	4000	cmd.exe	113
PID 1200 wrote to memory of 3624	1200	NSecRTS.exe	114
PID 1200 wrote to memory of 3624	1200	NSecRTS.exe	114
PID 1200 wrote to memory of 3624	1200	NSecRTS.exe	114
PID 1200 wrote to memory of 4388	1200	NSecRTS.exe	150
PID 1200 wrote to memory of 4388	1200	NSecRTS.exe	150
PID 1200 wrote to memory of 4388	1200	NSecRTS.exe	150
PID 1200 wrote to memory of 2804	1200	NSecRTS.exe	116
PID 1200 wrote to memory of 2804	1200	NSecRTS.exe	116
PID 1200 wrote to memory of 2804	1200	NSecRTS.exe	116
PID 2804 wrote to memory of 3312	2804	net.exe	118
PID 2804 wrote to memory of 3312	2804	net.exe	118
PID 2804 wrote to memory of 3312	2804	net.exe	118
PID 3624 wrote to memory of 4620	3624	NSecRTS.exe	121
PID 3624 wrote to memory of 4620	3624	NSecRTS.exe	121
PID 3624 wrote to memory of 4280	3624	NSecRTS.exe	122
PID 3624 wrote to memory of 4280	3624	NSecRTS.exe	122
PID 3624 wrote to memory of 4280	3624	NSecRTS.exe	122
PID 1200 wrote to memory of 3512	1200	NSecRTS.exe	127
PID 1200 wrote to memory of 3512	1200	NSecRTS.exe	127
PID 1200 wrote to memory of 3512	1200	NSecRTS.exe	127
PID 1200 wrote to memory of 4960	1200	NSecRTS.exe	128
PID 1200 wrote to memory of 4960	1200	NSecRTS.exe	128
PID 1200 wrote to memory of 4960	1200	NSecRTS.exe	128
PID 4960 wrote to memory of 1780	4960	net.exe	133
PID 4960 wrote to memory of 1780	4960	net.exe	133
PID 4960 wrote to memory of 1780	4960	net.exe	133
PID 1200 wrote to memory of 4664	1200	NSecRTS.exe	165
PID 1200 wrote to memory of 4664	1200	NSecRTS.exe	165
PID 1200 wrote to memory of 4664	1200	NSecRTS.exe	165
PID 1200 wrote to memory of 1988	1200	NSecRTS.exe	138
PID 1200 wrote to memory of 1988	1200	NSecRTS.exe	138
PID 1200 wrote to memory of 1988	1200	NSecRTS.exe	138
PID 2976 wrote to memory of 4400	2976	svchost.exe	139
PID 2976 wrote to memory of 4400	2976	svchost.exe	139
PID 2976 wrote to memory of 4400	2976	svchost.exe	139
PID 1200 wrote to memory of 3300	1200	NSecRTS.exe	141
PID 1200 wrote to memory of 3300	1200	NSecRTS.exe	141
PID 1200 wrote to memory of 3300	1200	NSecRTS.exe	141
PID 3300 wrote to memory of 2520	3300	regsvr32.exe	143
PID 3300 wrote to memory of 2520	3300	regsvr32.exe	143
PID 1200 wrote to memory of 1468	1200	NSecRTS.exe	145
PID 1200 wrote to memory of 1468	1200	NSecRTS.exe	145

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NSecRTS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\SoftwareSASGeneration = "1"	NSecRTS.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NSecRTS.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutorun = "0"	NSecRTS.exe

C:\Users\Admin\AppData\Local\Temp\setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe
"C:\Users\Admin\AppData\Local\Temp\setup_Ir5swQ5DpeRNwxXBTQuvwewK.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Program Files (x86)\Common Files\NSEC\NSec.exe
  "C:\Program Files (x86)\Common Files\NSEC\NSec.exe" -ip
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4412
- C:\Program Files (x86)\Common Files\NSEC\instrap.exe
  "C:\Program Files (x86)\Common Files\NSEC\instrap.exe"
  2⤵
  - Enumerates connected drives
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe
    "C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2312

C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe
"C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe" -r
1⤵
- Server Software Component: Terminal Services DLL
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1200
- C:\Program Files (x86)\Common Files\NSEC\fixit.exe
  "C:\Program Files (x86)\Common Files\NSEC\fixit.exe" -df -flag=00000334
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3396
- C:\Program Files (x86)\Common Files\NSEC\Plugins\wg\wg.exe
  "C:\Program Files (x86)\Common Files\NSEC\Plugins\wg\wg.exe" genkey
  2⤵
  - Executes dropped EXE
  PID:3496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /c type "C:\Program Files (x86)\Common Files\NSEC\Data\netguard_privateKey.key" | "C:\Program Files (x86)\Common Files\NSEC\Plugins\wg\wg.exe" pubkey > "C:\Program Files (x86)\Common Files\NSEC\Data\netguard_publicKey.key"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c type "C:\Program Files (x86)\Common Files\NSEC\Data\netguard_privateKey.key"
    3⤵
    PID:4916
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\wg\wg.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\wg\wg.exe" pubkey
    3⤵
    - Executes dropped EXE
    PID:3572
- C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe
  "C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe" -elevated
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3624
- - C:\Program Files (x86)\Common Files\NSEC\x64\NSecRTS.exe
    "C:\Program Files (x86)\Common Files\NSEC\x64\NSecRTS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4620
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
    PowerShell "Get-AppxPackage | Select Name, Version,publisher, IsFramework,NonRemovable,installLocation,PackageFullName"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4280
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 2116
      4⤵
      Loads dropped DLL
      Program crash
      PID:380
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2236
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 964
      4⤵
      Loads dropped DLL
      Program crash
      PID:4380
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 1076
      4⤵
      Loads dropped DLL
      Program crash
      PID:4672
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4392
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 960
      4⤵
      Loads dropped DLL
      Program crash
      PID:1512
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4392 -s 968
      4⤵
      Program crash
      PID:4988
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    PID:4008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 956
      4⤵
      Program crash
      PID:1464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 964
      4⤵
      Program crash
      PID:3496
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 972
      4⤵
      Program crash
      PID:1208
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4412
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 956
      4⤵
      Program crash
      PID:4768
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 1060
      4⤵
      Program crash
      PID:4664
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4408 -s 972
      4⤵
      Program crash
      PID:4740
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3080
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 956
      4⤵
      Program crash
      PID:1780
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3080 -s 964
      4⤵
      Program crash
      PID:1392
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3964
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 956
      4⤵
      Program crash
      PID:4852
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3964 -s 1052
      4⤵
      Program crash
      PID:1800
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1824
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 960
      4⤵
      Program crash
      PID:4688
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 960
      4⤵
      Program crash
      PID:3028
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1760 -s 968
      4⤵
      Program crash
      PID:2536
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4240
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 956
      4⤵
      Program crash
      PID:1428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 964
      4⤵
      Program crash
      PID:2196
- - C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe
    "C:\Program Files (x86)\Common Files\NSEC\Plugins\NSecUI\Nx.UI.MessageCenter.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:3068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3068 -s 940
      4⤵
      Program crash
      PID:1780
- C:\Program Files (x86)\Common Files\NSEC\NSecDs.exe
  "C:\Program Files (x86)\Common Files\NSEC\NSecDs.exe" /Service
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4388
- C:\Windows\SysWOW64\net.exe
  net start NSecDs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecDs
    3⤵
    PID:3312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" "C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\NSecRTX2.exe"
  2⤵
  - Drops file in System32 directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:3512
- C:\Windows\SysWOW64\net.exe
  net stop mswtd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop mswtd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
- C:\Windows\SysWOW64\sc.exe
  sc delete mswtd
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4664
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\Microsoft Research\NSEC\NShellExt32.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1988
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\Microsoft Research\NSEC\NShellExt64.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Windows\system32\regsvr32.exe
    /s "C:\Program Files (x86)\Microsoft Research\NSEC\NShellExt64.dll"
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:2520
- C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe
  "C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe" -install_nfsflt_drivers
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1468
- - C:\Windows\system32\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\system32\setupapi.dll,InstallHinfSection DefaultInstall 132 C:\Program Files (x86)\Common Files\NSEC\drivers\nfsflt\nFsFlt64.inf
    3⤵
    - Adds Run key to start application
    - Drops file in Windows directory
    PID:4912
  - - C:\Windows\system32\runonce.exe
      "C:\Windows\system32\runonce.exe" -r
      4⤵
      Checks processor information in registry
      Modifies data under HKEY_USERS
      PID:4844
    - - C:\Windows\System32\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        5⤵
        Modifies data under HKEY_USERS
        
        PID:2736
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  PID:3388
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    PID:4916
- C:\Program Files (x86)\Common Files\NSEC\x64\NSecRTS.exe
  "C:\Program Files (x86)\Common Files\NSEC\x64\NSecRTS.exe" -i
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4044
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3048
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2520
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3328
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1604
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  PID:1604
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2536
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1196
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4424
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4916
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3392
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  PID:1464
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3348
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:928
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    PID:2536
- C:\Program Files (x86)\Common Files\NSEC\Plugins\7z\7z.exe
  "C:\Program Files (x86)\Common Files\NSEC\Plugins\7z\7z.exe" x -y -aoa -o"C:\Program Files (x86)\Common Files\NSEC\res" "C:\Program Files (x86)\Common Files\NSEC\icon.zip"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4756
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3124
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:440
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3496
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  PID:2160
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3968
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1724
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3396
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1616
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1136
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3432
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    - System Location Discovery: System Language Discovery
    PID:408
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:100
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    PID:840
- C:\Windows\SysWOW64\net.exe
  net start nFsFlt
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start nFsFlt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
- C:\Windows\SysWOW64\net.exe
  net start NSecKrnl
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3824
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start NSecKrnl
    3⤵
    PID:2732

C:\Program Files (x86)\Common Files\NSEC\NSecDs.exe
"C:\Program Files (x86)\Common Files\NSEC\NSecDs.exe"
1⤵
- Executes dropped EXE
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2236 -ip 2236
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2236 -ip 2236
1⤵
PID:4844

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k NetworkServicePnp -s Mswtd
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files (x86)\Microsoft Research\NSEC\Fixit.exe
  "C:\Program Files (x86)\Microsoft Research\NSEC\Fixit.exe" -dfx
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4280 -ip 4280
1⤵
PID:2912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:3008
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8d0cb2af-f3c7-1f44-ab2c-72bbb316a768}\nFsFlt64.inf" "9" "46249fc23" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files (x86)\Common Files\NSEC\drivers\nfsflt"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:756
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "8" "4" "C:\Windows\System32\DriverStore\FileRepository\nfsflt64.inf_amd64_3d4483f1b65ddfb3\nfsflt64.inf" "0" "46249fc23" "0000000000000150" "WinSta0\Default"
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4388

C:\Program Files (x86)\Common Files\NSEC\x64\NSecRTS.exe
"C:\Program Files (x86)\Common Files\NSEC\x64\NSecRTS.exe" -r
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4392 -ip 4392
1⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4392 -ip 4392
1⤵
PID:1692

C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\NSecRTX2.exe
"C:\Program Files (x86)\Common Files\NSEC\plugins\NSecUI\NSecRTX2.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4008 -ip 4008
1⤵
PID:3760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4008 -ip 4008
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 3980 -ip 3980
1⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4412 -ip 4412
1⤵
PID:2404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 4412 -ip 4412
1⤵
PID:4296

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4408 -ip 4408
1⤵
PID:2944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 3080 -ip 3080
1⤵
PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3080 -ip 3080
1⤵
PID:2372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3964 -ip 3964
1⤵
PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3964 -ip 3964
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1824 -ip 1824
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1760 -ip 1760
1⤵
PID:1392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 1760 -ip 1760
1⤵
PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4240 -ip 4240
1⤵
PID:380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4240 -ip 4240
1⤵
PID:4536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3068 -ip 3068
1⤵
PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\NSec\Debug\Log\NSecRTS.exe-system_2024-10-15.log

Filesize
2KB

MD5
14e797f7b51e34c4142f8be4b5e4a992

SHA1
45676efd079f8f8f1c8371f70884146c4e438c48

SHA256
7581e3d1273507c3313459b69d346adb1f6bde091db59ad99da9509e1902f798

SHA512
79ad75088975dd51320ab757323fde1a6f9ed5e8c75cb9310106f7bab7382f9ebdb453de349f3e0be902f4ae747af32a72e4893c6f0699e973fbbbf426f5d57e

Download Submit
C:\NSec\Debug\Log\NSecRTS.exe-system_2024-10-15.log

Filesize
3KB

MD5
678e869a4d9d84630abea40bf7361ccc

SHA1
06088bcd23dc57e498077b599aecbcaab0b663ae

SHA256
2d1c9160bd87339d57209369af3cc369da6b1cc1820d9bd70e3bebaafe9ec4aa

SHA512
a7cc1657badd6125ff8a6b2710714995c1963fe2b52e2e3dbadfd72fb42684e5098cbc92f6a40a8c65ad63c0f7637956e36596ab90f7a6039d67ef1ffaed48cf

Download Submit
C:\NSec\Debug\Log\NSecRTS.exe-system_2024-10-15.log

Filesize
6KB

MD5
3de4ca395d608dc3b9b7e5444dbded84

SHA1
b4b2daa6fe258f4148a52e25ce0a03d6b328c548

SHA256
16d9c051bbc7ef53232d14ca0d71f2c8ba547b0e409f9e53d98de72498410850

SHA512
7aac3550ab0d6e8c69d82616ba84063ec434d6d4ec44dc1526451b9525c07673cb70b09c61dd0f5aeff084ac1140a5640642182b49d1c82292d28412960220b3

Download Submit
C:\NSec\Debug\Log\NSecRTS.exe-user_2024-10-15.log

Filesize
4KB

MD5
aaa9f5fabbdf647de8994240308fdccd

SHA1
9a1c364e4b16f7deac87fdc7952f0e4b10da1bee

SHA256
583eca35e9bf2207705c6908560a2a08391b2f9b685e3d78c29a4e228d124188

SHA512
64c317922513f00d69def8e7a46f72306a10e7c34ae9d01ea238784e805ab3db7f2e638aee7fdc3bd535a3da0b9521771477a6e3139b114d591dcc189f9adc93

Download Submit
C:\NSec\cache.ini

Filesize
42B

MD5
8a20029e5f75ceb34337f50b70e36672

SHA1
11e9e8ba22c27dbea6f4e2cb3ad99f955da41450

SHA256
cd0dbc40516f79e24200455c0ee9e1fa44059626083024d4494a6b99da8e23cf

SHA512
abe31165076561947b2a1cc4905cf9b168b80659fcfcb51df94456978d37c80a48f698dab128158fce20d0c967dc34389839a4a541ccc38c576f205ada0667c0

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\KVDB\CONFIG_Global

Filesize
4KB

MD5
3b364121298dea15b7b52d1d991c4e0f

SHA1
f91b0613f7d6b4eedb51730baf50f5b8c97070ba

SHA256
62b29a100ab8ba48a57fb4434a778104e88f17d440467d22192ff1c9f565402a

SHA512
5754bb8e9107eb3bc5a7908d6d59c8298c3fc9f2006c5789e5cd5a37d82f59286624fe5adc81f7d01976f0a4b73fe4611128e657c063234ddb49c65796c786d8

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\KVDB\CONFIG_Global.crc

Filesize
4KB

MD5
1aef84a1703bcc940820e12dbe08b301

SHA1
84799ce2609579937e9ce5b3f503a1729c05fd8f

SHA256
516433b7a54c6e8fdc8e49b1c950e263239808149d9a3cd6e526851d410078a5

SHA512
515ab50068d8e92e8e6c3a9acadcce9fdd3614ce4c4d7ef11a22c1fd242b6c534d034816eeebd84a9a453b49f1a8fb435793768a1dcac5bee409364133994556

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\Language.xml

Filesize
16KB

MD5
68cef007f420c3f2cafb9cb1b4839b07

SHA1
8b564a3b98aed9ebb7606fb695bd9409b66f02f2

SHA256
fa95363688d9a4cf3c201c25c0dd032800c8b2958ccdf8a4b9e196b0b9b17368

SHA512
2182a8293711796742ae82bd420d6b2ceec69b85d36e6db68fd8990442735f38429a5855cbca9d6977406471a70d78e650120291484f8a5fca8a70c6ed9c5457

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\NSecScreen.xml

Filesize
1KB

MD5
c0cde14d689102120d8eeccdfc7dbe42

SHA1
f4dbca6234a3e76feedcdc9edc8e815bda1100ea

SHA256
158f1b028fa2f032d66319a000c5d005373fad2804a471471713268addaad0ae

SHA512
49385cb9a157cdfad2648ab021002513a65b8e6683fbb1c8299af572924cb6a4f587d0c71ce17036ce1926b70e8a4221c9da5067abb24a2e316c06379ade4686

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\arrow.png

Filesize
1KB

MD5
338dc6bb173ab2b8047407b8aa0a39fa

SHA1
306673e6fd78a7c93d505feb337df17b5a91f646

SHA256
e0af3e5ff498f1cd17f009eb2c5d8f9147c6d8c4394ba9209563720dca4c20a0

SHA512
fe4841cef91d081cf608c60d3d3bb69a164eaa80ec592cae3dc27477b5c7df93dbb67b6dcb25bfad649189d8c7a1b736c2e617beb44e75e6f3d3dd15a6cfac8a

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\eyes.png

Filesize
578B

MD5
2a33184a8d795e7a83fc2ba527723820

SHA1
0bcb142d289666736756435748b071d1ec96cd63

SHA256
ac9dc975b32519ec2ae2585fd3a0f452c06ff2be8c1f8170352794d2dae796af

SHA512
992d63ecfab556a0b3520a778f844e0c7d480471a6b70dba8ec637f16ca230eab3e7144e5acbe664c61cd3a9559fcc4c13a90bbb10ec5130feeb964832060b01

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\guest.png

Filesize
5KB

MD5
ce1e5810d7c9f27a6b139b7bb5772198

SHA1
ec7dd31f242502ea55223a00c883044cba378ba4

SHA256
0ae29a2e9fb4ca75da5145ac86ab6dd9f12767cadb5bc6a9aa4b1036edc128e7

SHA512
44975121e40b3fa90d1c32ca56e53e2fcd5c768e64e22cc9f9ac73991b1ca79aa9745136b7dea10bac6c88c946af0155ba2abb91b14eb182dd1e69c2a718a63a

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows10.jpg

Filesize
675KB

MD5
9d40b75e453033c39529b5dc39d7a857

SHA1
1121f5fe9db8bd4807f9844f4ad140577ef37ec1

SHA256
742976b917c83a51ac97e3f86c19a34128949fb05ebde1efd41710d3d3f3a94d

SHA512
c9d4deaa4f98dc11bf0de473575b7cccd62354717b2bd83b4fe2b7cc5cbe6bf0b9962decea625fad2818d06a5ef593c62288345663741ba491622bd12e739c45

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows10_10.jpg

Filesize
173KB

MD5
d16a26370510f7395d8c77b28bd9c1df

SHA1
b47a6280856550a07d72d35b74a3f4bd21b22140

SHA256
a7d663739bf994cc7bfe5376f0f0de6646edaa64867df7bbf393cb53ff2ae164

SHA512
9058676e65eb3c0630f78a462e34d54538703e83daf883690f9f13e7f36601a2906f040f7538a98e2a738e3f1f705be3e36e4d2c3ad62b878932b0c3073171a1

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows10_15.jpg

Filesize
169KB

MD5
4294c69a7827b7bfd7c4c4c9cfa7aa89

SHA1
6d72d06efefdf349ddf5dae3cb8120991955ed06

SHA256
0e810cab1d3e9cacec6bef011769df312bd5f40c3006bd801a37e9d6306d91e6

SHA512
6dee692da2d7cb622230d65c18102ec793d2c763be38ec81058e9491c04206b99e41fff3b4f6d724fe6d06ba2ee304705eaf35b22bc62edd7795267862d25eaf

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows10_20.jpg

Filesize
166KB

MD5
1fe41a25ddeeaea25d08f0fdcabdf006

SHA1
445e83d1ed6c511c3eed0df12dabff405f56745f

SHA256
b92528a61be89d3fcf56aaed402ea2eb48d6676618bed0c4c1667c732d9a4446

SHA512
b20a51aec76e42bd9163bf1391ed4807e5752d51e67813ec074bf082b316f77fb719f3c2abf2ce9dd55c4ae7d7ceaed1cbc4f8000d917148eab91218cf15265c

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows10_25.jpg

Filesize
164KB

MD5
303259ffc5aea937cdf9f36e9e5f35cf

SHA1
a3b61dd8cfaff53da15728758aff125e4c566efe

SHA256
f41ef713bc87a958c5d5a44b5e76d3f4bc8aafbd970773064e9208d075dd3b64

SHA512
b091d1a4f7539b8ea525076bbb3b9f97e3dc81ea13f5f7b0f2a3da26ee0d60fc2c31efec741e755441728df4cd2b1fe2dc04d3d32fd3b1178d2ea8b2f071484d

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows10_30.jpg

Filesize
162KB

MD5
66515e82a97b83b9f1613a765f9534f2

SHA1
05fa54e9f95922ad5c9c783c6b2f27c688f003b8

SHA256
1cf4bddfa92dc6fab1a79e726d3756e245bb7efe96134e0833183a2266ba7473

SHA512
7c808d61431360ef3e5900a0139b87edc84737c20d916e79ef09dce52d430489844812d9d721ef63a0c9b1de5789ae89e58243859a5423d3f11ba2c68949f245

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows10_5.jpg

Filesize
181KB

MD5
fb6e924e67b711cd6a78c2bf7891de06

SHA1
0d35c3839a251beb9d1d179789028f540f94c413

SHA256
f8f6bb8c2118be7ae3e762985ab372db3ef7a751c5f6699f5839aa375700b887

SHA512
4fa8934c35b5804dce38dc95946758bc0a36e02eac4f2d09717a5ad1176b9978f7b5be1a5ab3467ebffbf465cd5dda53167498d1457cdff629c96aac7d8aacaa

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows7.jpg

Filesize
97KB

MD5
0d8ec8177eced9febe9ebbbd1a86ec88

SHA1
e40b719eaa9fcefb3f292d44f143ff43e8cf11d2

SHA256
40c45a084b79c7c048263161bdf185c13dc89cd0fcf5fbe70d9b2351fa00f681

SHA512
4b06a59cf0e77718024b3680355ddc6fa5f69c199fe34387ae454f5cc34a4559ada9258799aa5cdcbc2dabcda8028253faa8670f36d58ec7df0e4a0efe4c44e9

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows7_10.jpg

Filesize
57KB

MD5
c7da392879417f68b3c708fcf13460d3

SHA1
3b0af146d22a23f37e20ce8448ccb11597b897f8

SHA256
31ee06dfb53aaaae841f85ecdb65485e2f9d39d557c70bfe4359f9b04cc29c37

SHA512
76423c083ce8f5fe42293c66d9c6e486e3aaf1525dbf011329f80fdac235227e42929f04491bcbd8e83bfde4f9e68c66fed66f2773fd82ab85040d8db246a6ed

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows7_15.jpg

Filesize
55KB

MD5
2099680665b8cf737b9b12f4457060e3

SHA1
0e806bc4edebbb2b70294d8048cc14352fca0888

SHA256
3679965008c005fcd30598c2b23fccb48449caae270c691e0262a854f72e4f15

SHA512
6ce21aa2eb1021707a2cdb3fb0622436cea4bd67f3c4dd36be8e2789f538132a2a34415b90cc761299d2bbb70af2896bd67f92d7a4ee880b7ef1dc2cf6b50b61

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows7_20.jpg

Filesize
54KB

MD5
2eb13cd4d753644ed8f4a0c7a9d4806f

SHA1
96b35872315ebec3ab0ea453cbcc9c03a924944b

SHA256
4d44455f29f35f640f585dc9e3cb1d9ba3ad0c0be17eaf741df064fed22c09f2

SHA512
424ece58e98745e4b58d5bab43da597aeb1edfdf85de61d7513ba11348281a3dea698de380f90a745d6ccdc104e1d9face5051707e9796d532d846cbdd38c94b

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows7_25.jpg

Filesize
54KB

MD5
f49bfeacda6813af20b098adaf246ed6

SHA1
a69ee0cd6c030925e4b654364688e530a916520b

SHA256
0f1e1df65a821b3d8af0571ad92c8736817369174ce6dd3845082fa91f546e09

SHA512
7ab3dd5490c0a97fa99d7ed84b5d3fdd385f63d8526cf4d1a6c79d79427ce531fe8e2cef48634b859a0b5d0a003ede4e92aa23a86e521cb7ae03f2f0139cb2b7

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows7_30.jpg

Filesize
53KB

MD5
4e5805f65f0102bb81b8319e8382d97b

SHA1
e7bdee9e5829234c3bfb505f9f2fae4728eb6705

SHA256
cf31607d1b36c843dc5390ee72ddeaf73fd60b10b1fea66772d952f12177fb07

SHA512
708e6de9be67027c298a97ff637e9f60e663d52a812f72795fc81dff95968dcbae822a31e6141eaf81f8d854817753c15bebdc468008d3140f5f69a8877de587

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\NsLogon\windows7_5.jpg

Filesize
61KB

MD5
5ada19cfa0bd2f7bdff8338950bc886a

SHA1
4d032b2270d5f1fa7d4786dfff1b7957d8c64202

SHA256
034e595c338a1cfdb19869d731cb00a31b616e8e89182738f4155f0f9e5f41c6

SHA512
b575041b201024c96c1e89a8406f5824036ea8322f2a7443bcefe9756bd31e1595619f9eba7c9a6223839ab9e67b1926f957064c368232cad67832136a58a865

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\actag.dat

Filesize
1KB

MD5
03273b6ff0e2c64e97fe5ff9abf037d9

SHA1
6167c3932630c3271d52f3ac50217f014a446c31

SHA256
a93f713ee5d6110afb4a9d78c0abe29f1cc7aa5cadbe5160a0123e2175df1047

SHA512
75df40f89096bc75cf65e836a59afba9ab5fa11bafb1d974095ce629f79340138c639dd615bac73272b9f7214bd53f1af199ac5be1bc6c642cdfaa4560c96fb5

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\av_feature.xml

Filesize
5KB

MD5
516030be7676e0ac969de4361f9eecb0

SHA1
18cf166ce8557006f6e3d631d0d5ae3dfe912326

SHA256
c53a64b6f07c7135c0cd5ba0f5353a71a724af6df351bf1efab62e763eb70765

SHA512
ffca028b2efd37f9a98594dc7d20f67f492e025b232744fe8c635b606e7e2dfd85b6652ba063ecc0dc9bd9a80bc8389c9a67b07660e12cc816970302d6232187

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\db_bk\readme.txt

Filesize
35B

MD5
cb185c009cd055984369438416e70d3a

SHA1
6113127cb63d46c8377913b034960c58180ef2c2

SHA256
69da25b0d8675053e361bbb3293a094c0255fb4f6f47dd4c35ff84c7e186bbf5

SHA512
f60f7dfd3e463d934b1b8d710c2e8531e8f887df516f448f4b5cd1299d5db86c1f56672529474e890cb9fe47d1af63588b7e7cdf48763d59eb8d9b083fc2747a

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\db_template\doc_txt_db_template.db

Filesize
6KB

MD5
a0c78e31bbea0882c8dc1cb16e4b8aff

SHA1
8ae0e34190c02bba419975f3ee2d947ca0f2501c

SHA256
826048232070c72b99156411bc3f47fe07dc0f091298eaf1987a96621b746801

SHA512
004ba16883c85d6709827cd4e24cf583e39a6232f7185d5a6249f7b97fdc3525c85b99cc7da26df70661291b7c07fe1e9fdd25f3b3875b906236f11e552bdea8

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\fileopermatchedrules.json

Filesize
2KB

MD5
6d972226b3afce0b23468c0529c018d6

SHA1
eca7109c637cf9df85e2f4b243b4557c26ef80c2

SHA256
3e063e14fd601fd941628b350c12819a3ffb6ea3b519a0508a3542dce7fee8ec

SHA512
12a290636a4451e24ada56ec3a2e701045ad68ebadbd88d536a4e9cb7b3d58952b8aee2ddf99525010abe930a3e94fa4df0ab90db8a3bbcef3cf50c0f344a5a9

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\local_file_template.db

Filesize
5KB

MD5
ce66dfd64068d65360c49fe5ac5a652d

SHA1
f19fa745bcd244f6e6978170041b79da947d6f56

SHA256
6b7827b13b2356e8ec26319574b2827c66cbf547bb27a07301d58b26b70b9bac

SHA512
6e3a7f1ccb42b0ca0acc8fa2220cd0a26a3a314fcd41cc58226605e59193011f18a9e5e4e8f23d0660cbbac1b034aef00839214d8d6746034f8024e8e635bbe3

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\nsec_magic.json

Filesize
1KB

MD5
956f6251654134c9a17291858747f215

SHA1
ba0fd44b876d1ad0323626f85d0363a3ded7261b

SHA256
fb70809b3adef7150f0f2615bbd1e7617d5b8578242b82051dedcb53f38d58bb

SHA512
9dc14b6f4097ff1fd6d2a84808d39589586959641d4f5d01f063caff7abdf7eff7c7d2dda17fe55c7130bad32f62b08b2c0e5a1d0656502b602ecc8c65c360f9

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\piracy_engine_config.json

Filesize
14KB

MD5
e8907fa253b0e987809f0303c565a826

SHA1
c52199f0f3ea9d14d0dc1125a7183b1713679ff1

SHA256
da35328cf88ec50961557c1ed5ec7a7600ec7edcd363c4ac8d2160f47fb94ec9

SHA512
6e9ea17fefba6490275c05aab029f79f7a11213beba299e42513edd66ae781a93645a85eebaa9b9a264227b7a5254049f91d0678923a7a1df6b7d726800f25b8

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\sensitive_info_template.db

Filesize
3KB

MD5
19a34508f2537f9c31f6ad6f6336c8ae

SHA1
db89d5754fbcfb33e3f77508b8d283612b2af27d

SHA256
2836cecc7984721ac5b0a5940ebdeb284e19b2152151779926eb6643531f9b26

SHA512
56edc2f4de562f0c75969ca49f3b61406b4a0d9e69335508c6b5251e4c5fdb207e9936855e8eba5672a32e28f7b210d82374eb5591f7376315e4f768bcb67e46

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\smartsnap_template.db

Filesize
6KB

MD5
40e4e71730f21b94bb88b1e69844d145

SHA1
48812e9f2b29478fd71cd1c78e5300995ce771f0

SHA256
eb3a362e22418fcd73ff9a616840b86602182b9fe9dee89b13e2ad4f9e36c862

SHA512
03deca70af3c5fb1a7f71a0fbacadc2e6e509c1e18d6a84b9e41121c934ff88bb394653212a788ee454bc0f1229c68e7c70fef55b97b94542615d8a2e89683ed

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\triddefs.trd

Filesize
6.0MB

MD5
88fb324c2c698a24aab40962dcfc542c

SHA1
794b86e3b7cc57c0879ddf340d19bfb4d4b47c37

SHA256
58b8fff0555ba836a2128f7d9fe3fac66b98f11a19eb0ae83b303663f13e3629

SHA512
c7c77495f948c6f1a8186559d007aa7e118a7e9820be065219dc2a9cc8d3ff9164f6584a882f94e588f69b8e6af9c8b5bd2714b8719e3e6e165b8168b9d84cc0

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\wc-sig_template.db

Filesize
6KB

MD5
6b20228422ac1a7598ebb30ec536251f

SHA1
82349005cc70fe86c09231da3af3ee80f686b98c

SHA256
69a60e1a61b7b397bb5fa6aaed30c72900d3470788bdc9a7dd48df5ec0298cb9

SHA512
dd28b16ba20b66c3b5d2b928580cb790fd99d46341cc8d74e574d63139dc28c9d988ec9538ea700a93606041157f0e7bf8484e5b9a31e465d1b8874c8ac95abc

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Data\workstat_template.db

Filesize
5KB

MD5
d3af4f5e8461c0275834b4dab37bb9ad

SHA1
5a1c8669b13474b416c30307844d2ecf740be34b

SHA256
f76c4e4720d462fd72debe0321f451c69796723143a314981a42891fe29a27d1

SHA512
9e99c4da5eca98f5b387eee155ad81b4ef6e184cdeadf2013daae283ce3cffc9b1c3c1ff1e5fcb499e86b164ff2faf8a55dc74f60f1eedc00fc19753a626a111

Download Submit
C:\Program Files (x86)\Common Files\NSEC\NFPCore.dll

Filesize
2.7MB

MD5
8525fbc5b3b260b2080c83a0d2d9146d

SHA1
4f28472c7b6c773856c596b77de2b8fc5fa3fef6

SHA256
1766948fd1ce813ae9fa2d1cd8160b6de4784dacb576ca575bb4daba9443dc78

SHA512
026efe10876f55b1cf8674101612eb68ae873d2ba69685122d9a5f6b0b8c50fe5d169d5d46d25977cdf5b77654f8bf9a5184b8217721a14c20e40f0a8fa6d30d

Download Submit
C:\Program Files (x86)\Common Files\NSEC\NSec.exe

Filesize
5.3MB

MD5
e425102d2fa540a134028be823406004

SHA1
fb3ec0233147513e4923fa2cf8a47733f961c5c5

SHA256
abceea97406fd707554295dd44091f5b959d8d42ff25e2b6501b8e73c7f52623

SHA512
b02295968407c946ff9894588dfef4f221b91cf58d43f03318b98e266e0095c6d04ffe630e9a378e6d68a51f6198a49a73eeef506b612d3126728369345b8333

Download Submit
C:\Program Files (x86)\Common Files\NSEC\NSecRTS.exe

Filesize
5.8MB

MD5
6bed8b45e65cd2ceba26cd14bd26c11e

SHA1
1d7e9d39b687ba4f802e82ffd8c9eaf38820dd81

SHA256
5211d67042acb740df73938162cdb2691be6c798a5e0c19e5adc7306227f3a38

SHA512
af649c48c2355791dc5966bac286f8a8aea89da9103a7248b7cdb3578c839e424da6b23a8bf211357bca7b80f8f5b7c10955e8de7e4d47eb82e1e2fd4cb71d1a

Download Submit
C:\Program Files (x86)\Common Files\NSEC\Plugins\7z\7z.dll

Filesize
1.1MB

MD5
1d609dde1bf42bd586dc6ffd9baec9ad

SHA1
5fbef0f1da6ddb894e66ec9fb2940b2a6e2528c4

SHA256
8621c36f640b15e24432289fa6576cfc0650b58ec7dc4e9bb368f770a7d1e063

SHA512
d47b3aa894051df6b95dd8b691d8547cd2ab6f483f2d9251e17eb04487c89fbd109f64bf2bfbc37c907436af5a9af71493d70bd5497f155dc0d79123c141ccc6

Download Submit
C:\Program Files (x86)\Common Files\NSEC\PolicyHandler.dll

Filesize
3.2MB

MD5
d152cf477f3e82eb1d3e77c17e19ed18

SHA1
a6ed6775a53c89531c723879a1c42f83c53bedfd

SHA256
d9dd0094adbd3b6f1483dae6deb43dd3e9fdf13fe7bd2d4093193c054a906508

SHA512
0218b64504f2758e4b8dbf1afdb3658fd951016075aabb35564b37a0f688527fd723e93b5f33859f7851e87471343de265e386e6a72481d0e504bdc7eb372c63

Download Submit
C:\Program Files (x86)\Common Files\NSEC\WinDisTask.dll

Filesize
3.0MB

MD5
259cdfa75645910ccc40ac05e27ea1b6

SHA1
18694cbba6689d0233e44e30d8a039e508b57723

SHA256
4ef9531084081d71dea68b340c3adfc18f6fed8ff76e1632f5c37934af1d577a

SHA512
f0d4be1bfef96b6c0348d9794a3f35922ec69467d24b5c9fc18eef67e12fa3e8d1a00ee8a1af5af8bf3e984173484f80ecef787a6e6b1f476bd4930000af726e

Download Submit
C:\Program Files (x86)\Common Files\NSEC\WinDiskMgr.dll

Filesize
3.1MB

MD5
de4f0b4c4a2e8026edba79a12e17e946

SHA1
c4bc184773e9d6da279acbacefe33e8c467b642e

SHA256
c27924ad7a62cefd0b7ec463d64190573f7e706e204f7276f2e5fd429086e7a0

SHA512
28e5df88a38fbe7390c99b1a4c36a772474472d28d6bf6453fea24a09ad63a0db40c36392a6892b1507532d19489eab38eacec936bb15464f8e1150a12dc8404

Download Submit
C:\Program Files (x86)\Common Files\NSEC\WinNetGuard32.dll

Filesize
3.0MB

MD5
abaf10ef2848a10df8730283075c81aa

SHA1
bc3877f181a4bf44a0eccadc6b19d93cb73cf0ad

SHA256
364122bee13b381f16bb863e99abcffce5a2c16440fbc17b703479921eba0d72

SHA512
dea0f6a8f5c8c2931121196860a776cd3b82569fd6708ce10dd88a19cd5f78770c51f3bace9a4bcd8a30d06c5e05c1f057ce4fc642bc127162361df39ffacbd8

Download Submit
C:\Program Files (x86)\Common Files\NSEC\buildin.cfg

Filesize
202B

MD5
c9939ebd0a4e5454f901c97a86073010

SHA1
7677f8fa223eef95e6e234c620237af114a15ece

SHA256
d53cbc22b6db79abb62b66ac2954fd9916fa3096564f2af59cd1a054ba092ad5

SHA512
d2f1ca9761fa87eb78acb2a1329ce5d7d3840bdbeadc45cea5a252d99a4e354bfcf4002aaadf030fd5b342c3fbd02fdd8f0f8b23ebb9462768e8285820049779

Download Submit
C:\Program Files (x86)\Common Files\NSEC\data\cfg.xml

Filesize
12KB

MD5
1287f183d5ecbad1e909d66f76150362

SHA1
571bab0b4a3517d8cc7976887104180a411d9b03

SHA256
2db43f0437c820fff050a6d0f78353c4fc0449bda5c93f1bfb7cf79558b2abc8

SHA512
61c9fe5de457fe821a9124ad395ba1791ac2142523592131371e61d0bbdf3276b994f1a44ba2186045c44fa15c13ba4f2f33f3db3e421f46f25e20a375ac65aa

Download Submit
C:\Program Files (x86)\Common Files\NSEC\data\cfg.xml

Filesize
12KB

MD5
23d6f5882e2c9b68ba878583fa2475c8

SHA1
60890ddd291a17e6e1a147017d4ecc7721969366

SHA256
9eb52968a99a489a876cb164da3221b6139edadc5afa85f57622e1d469082578

SHA512
2b4f69f1341dec5827c810ed8cafe1143c22d9643a27693e168ad54f476fee5ebf14198ce52398abcf6b81975aa1b8cc87641e069a93e58028199b153d5ea4cb

Download Submit
C:\Program Files (x86)\Common Files\NSEC\data\xConfig.db

Filesize
12KB

MD5
a55796e7908d6bb80e9c4fc3af2fca75

SHA1
b12895b09745a8e56b2322903e562329139ee445

SHA256
a7b6b2d8d86da704b3f702699c7edb685dbafa9ea1b33d5acadc38a84c66ec9b

SHA512
491cbb94f275b88c0f68cd30466c74432885df618e4c22765d1888f43ef6c52e990d8d502a8df8d00b209a9a9495cd52d783425e19902c24ee872220c2451f31

Download Submit
C:\Program Files (x86)\Common Files\NSEC\data\xConfig.db

Filesize
12KB

MD5
3bf9a4dd28ff37173d63ce52b703c821

SHA1
28b945d404d4300821bb00c63b7de228ee8cb63f

SHA256
78b43f82e99c2ddd8586d00a525af7cd9661fecb8de00d0c766c8e575ee0e2d3

SHA512
fe4c1a8ab0c88fb104fcfe2d620dab55eee762746d4d2ac8404266410faa413c2954fb0fecb6a1eb540305a5ae09056d671b72512985e2a26a3d7f97bc122d98

Download Submit
C:\Program Files (x86)\Common Files\NSEC\data\xConfig.db

Filesize
28KB

MD5
80590dfe2a0e3aa6d5a68531a528809e

SHA1
e1097e95f0cd60d0a98ad5cf00decba2bd3a08cc

SHA256
7c3f56a8454bfe848f175e635bfca81bfab2f230f97738ae17a4b23e81babe58

SHA512
803e7eb17e0f7ad8da3db1282516d7ffd067a900f0ed24a7da4cf5bc5d20d51632b5a9ee1a0b00d6498811dddaad13f6b82bd55970cd559d7d8c4991c2ef22f7

Download Submit
C:\Program Files (x86)\Common Files\NSEC\fixit.exe

Filesize
3.1MB

MD5
f68c363bfea4ee9dc40bf4abe6e6d425

SHA1
f69721473f051bcf63c56fb40675437bd83fb443

SHA256
1c6964b440a1fbb195a4e266a27ad3aca936273b09428791b4131613698a271a

SHA512
3140df5781398c34be2934fdd8ee0b8fe6615eef3e08ad991dbc71bcf24ede69ea78dd01f3f5788037342d5371e9abd02c9c0c5c6e217b821b54f8a1e2d1bb63

Download Submit
C:\Program Files (x86)\Common Files\NSEC\instrap.exe

Filesize
2.6MB

MD5
e7fea0d7e68a66d8d267747a060dd653

SHA1
dd8c14238382725906ff0fa7f0c3ef91124a8a6e

SHA256
6e727050992c7d78f7ad704a9af697fb05f59927eb09fa85da95cd83c2ac4513

SHA512
941ec42735fa4d471828ac0e20c62bedd16625788e961fa5b3369a94f1f24906276211facc8ab807c49ba5613c49bb5baff305e4a2cdd1037c1df80262e4c523

Download Submit
C:\Program Files (x86)\Common Files\NSEC\nfcore.dll

Filesize
5.6MB

MD5
b1e40158f9ca274387bbdeb213961403

SHA1
64410d6d00754dad5cba96704ac348127713c824

SHA256
56519197f3385e7fdc0432413c592be735306452aa0d2bd872c422681ef2ad1e

SHA512
9f55374c4edafb3fa4698d48d70be0da3e979e3c300a7f8548590754c8a334dc9ffdc8a252964b7adde2f392bf73136e5ec84711b9265ccd5e6e24c0c6a90744

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2tujqc2y.dth.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\ioSpecial.ini

Filesize
1KB

MD5
74303a480d30871af2ecc4e5b4441268

SHA1
00c8817a33c847a36f35347d707a6bb341e0722c

SHA256
77fe048cdfb6a074e6e8cedb6a477c087f749a7f22cf2d380700b6148cb746cb

SHA512
0d97d298167d97f006e0e10acc51e8863990694fce0a4f14e85ca153b9ab73d48a1672a2558087003f63eaf5f6159b7a8afbf1be3e9ddb7ddfb269f9a732a97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\ioSpecial.ini

Filesize
1000B

MD5
ffa9ff6fd60e45544e693b94b1b51cb1

SHA1
28af36a0d211a759d028e5fb43308bf7d714ab42

SHA256
7238fc818ae2d3501352c45fa66e5abe896cba727de63336198b7fe78cb18a11

SHA512
ffbbc8a3f46b8099fadf1e9d6bb7d75ca100d6255cfc05fe40e3a25900f707ad24b4800e7702a35b0b97112e634068ee75d99508d1cf63454d4ad980cca6adc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\ioSpecial.ini

Filesize
998B

MD5
25f07e7c9f70620067b743528164eade

SHA1
b0fdd90eb72bc1fe6b6aea0ae857d193804c504e

SHA256
107544fdc3e0aa36e0b4a2566cd80b415a98e8f3552da6897a1ec9ff76cfe5f6

SHA512
32656c0ef4b9dd80e1def73f75bcbc53832a4c74a6609e6be0e34c772a2dace5466eaaafdf8b7ad55b1df92ddeb4856bb8425bb561cc73cb571594f8116800ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\nscCAD4.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E17.tmp

Filesize
11KB

MD5
4df787b4beec3da203a67d629674b025

SHA1
fe7af6a2de7fcfb81fb718a33e94f64ad289f7fd

SHA256
cb978f621689b1b0e6aebe3f1728470503bf68a59439be8d79f082efda216aa4

SHA512
95080fd300cfb65dba8142714f302345f1a3a5f6804da3a5abf891f54c8a1555baa69af341d66271ccfda2ccc99008592521f1442cb075689a3ff8b669425fdc

Download Submit
C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E18.tmp

Filesize
2KB

MD5
0450b840f9c38eb58fc61cb4c8626e56

SHA1
ec1bf7dfd0fb8c1f1222b6f95555ef79ac29f631

SHA256
4f337f37944a9299a74aefc505a1d67338fca24b3f76620ce734f96f0976bdc4

SHA512
030da19c6ef8d5a2d4024befc1fed98971a89b9a68e83309d8ef95bf2cb3cba3e908cb1f1c7a85a2bcb8634dfe879cd6e2145b2810030eb620ccf26ae7cae89b

Download Submit
C:\Windows\System32\DriverStore\Temp\{e2b64b6e-f4be-4245-8db0-a2c9221d8f64}\SET6E19.tmp

Filesize
31KB

MD5
15d431631740012f3d1b25fcfbdc8688

SHA1
22c57e19481cd067f26c0ec0c1088172d9cb9cdc

SHA256
fe2b075a379d5319d2636cddc8ef4197610d2c8e24ed2c079c89af0fe9515aa1

SHA512
e44e96ee7201c003404d76b2b21bbc7f327e7c83757897c6b06c2c5ac98c1385d4fcea3da46bb2ed95abdb14880fcba68471f1b6731d3d62440e3156a4d1076e

Download Submit
memory/2180-1471-0x00000000042E0000-0x00000000042EC000-memory.dmp

Filesize
48KB

Download
memory/2180-1473-0x0000000004990000-0x00000000049B4000-memory.dmp

Filesize
144KB

Download
memory/2180-1842-0x0000000004FC0000-0x0000000005070000-memory.dmp

Filesize
704KB

Download
memory/2180-1843-0x0000000005070000-0x00000000053C4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-1122-0x0000000005270000-0x0000000005814000-memory.dmp

Filesize
5.6MB

Download
memory/2236-1206-0x00000000095E0000-0x000000000AB72000-memory.dmp

Filesize
21.6MB

Download
memory/2236-1070-0x000000006D500000-0x000000006D510000-memory.dmp

Filesize
64KB

Download
memory/2236-1073-0x00000000001C0000-0x00000000001DC000-memory.dmp

Filesize
112KB

Download
memory/2236-1072-0x000000006D500000-0x000000006D510000-memory.dmp

Filesize
64KB

Download
memory/2236-1071-0x000000006DAD0000-0x000000006DAE0000-memory.dmp

Filesize
64KB

Download
memory/2236-1149-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/2236-1123-0x0000000004CC0000-0x0000000004CDA000-memory.dmp

Filesize
104KB

Download
memory/2236-1146-0x0000000005D40000-0x0000000006252000-memory.dmp

Filesize
5.1MB

Download
memory/2236-1145-0x0000000006C30000-0x0000000008034000-memory.dmp

Filesize
20.0MB

Download
memory/3080-1990-0x000000006DAC0000-0x000000006DAD0000-memory.dmp

Filesize
64KB

Download
memory/3512-1189-0x0000000003F20000-0x0000000003F42000-memory.dmp

Filesize
136KB

Download
memory/3512-1194-0x0000000003FC0000-0x0000000003FD2000-memory.dmp

Filesize
72KB

Download
memory/3512-1195-0x00000000040D0000-0x000000000410C000-memory.dmp

Filesize
240KB

Download
memory/3512-1147-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/3512-1148-0x0000000003D00000-0x0000000003D1A000-memory.dmp

Filesize
104KB

Download
memory/3512-1166-0x0000000003D80000-0x0000000003D8C000-memory.dmp

Filesize
48KB

Download
memory/3964-2119-0x000000006DAC0000-0x000000006DAD0000-memory.dmp

Filesize
64KB

Download
memory/4008-1540-0x000000006DAC0000-0x000000006DAD0000-memory.dmp

Filesize
64KB

Download
memory/4280-1169-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/4280-1180-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/4280-1127-0x0000000004D90000-0x00000000053B8000-memory.dmp

Filesize
6.2MB

Download
memory/4280-1075-0x0000000004590000-0x00000000045C6000-memory.dmp

Filesize
216KB

Download
memory/4280-1224-0x000000006DAC0000-0x000000006DAD0000-memory.dmp

Filesize
64KB

Download
memory/4280-1168-0x0000000005430000-0x0000000005496000-memory.dmp

Filesize
408KB

Download
memory/4280-1225-0x000000006DAD0000-0x000000006DAE0000-memory.dmp

Filesize
64KB

Download
memory/4280-1167-0x0000000004D40000-0x0000000004D62000-memory.dmp

Filesize
136KB

Download
memory/4280-1223-0x000000006DAD0000-0x000000006DAE0000-memory.dmp

Filesize
64KB

Download
memory/4280-1197-0x0000000005B40000-0x0000000005B8C000-memory.dmp

Filesize
304KB

Download
memory/4280-1196-0x0000000005B10000-0x0000000005B2E000-memory.dmp

Filesize
120KB

Download
memory/4392-1400-0x000000006DAC0000-0x000000006DAD0000-memory.dmp

Filesize
64KB

Download
memory/4408-1878-0x000000006DAC0000-0x000000006DAD0000-memory.dmp

Filesize
64KB

Download