Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 01:42
Static task
static1
Behavioral task
behavioral1
Sample
vrep.msi
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
vrep.msi
Resource
win10v2004-20241007-en
General
-
Target
vrep.msi
-
Size
39.7MB
-
MD5
87ef82757aba83e7eb63c7c35dbae97a
-
SHA1
7418c4ddeecba68e253e89622ad9ca45597d9350
-
SHA256
79040421b5a48dcc6e611dfe187b2f3e355791ad8511adb84f5c0948aa1d6c89
-
SHA512
605495995a07d7dfaa5d8f09b9d5bde1e0281b5b6581923b9fbd7c103e5ca9f2bb8dcf8e1049c21bd90ac4d68759270d5453e0414c2f6e1eb3ef877eee1a5533
-
SSDEEP
786432:5HqloPKB2RMErvURcUNnywXha1rc3fZ+L28IB1P77y059ze5aaSJJgV6UBXYKe:5HqGRME72cUNnywXg63fxB1P3y031aS1
Malware Config
Signatures
-
NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
-
Netsupport family
-
Drops file in Drivers directory 6 IoCs
description ioc Process File created C:\Windows\system32\drivers\nskbfltr.sys winst64.exe File created C:\Windows\system32\drivers\nskbfltr2.sys winst64.exe File opened for modification C:\Windows\system32\DRIVERS\SET9DC5.tmp DrvInst.exe File created C:\Windows\system32\DRIVERS\SET9DC5.tmp DrvInst.exe File opened for modification C:\Windows\system32\DRIVERS\gdihook5.sys DrvInst.exe File created C:\Windows\system32\drivers\pcisys.sys winst64.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" MSI8863.tmp -
Blocklisted process makes network request 2 IoCs
flow pid Process 3 2100 msiexec.exe 4 2176 msiexec.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: client32.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: client32.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\H: msiexec.exe -
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" MSI8863.tmp -
Drops file in System32 directory 34 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\gdihook5.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64\gdihook5.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64 DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat winst64.exe File opened for modification C:\Windows\system32\SET9E62.tmp DrvInst.exe File created C:\Windows\system32\SET9E62.tmp DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat client32.exe File created C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64\SET9BB4.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\SET9BB5.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstor.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\SET9BB5.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\SET9BC6.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\gdihook5.inf_amd64_neutral_d8853853669e565a\gdihook5.PNF DrvInst.exe File opened for modification C:\Windows\system32\clhook4.dll winst64.exe File created C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\SET9BC6.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\gdihook5.inf_amd64_neutral_d8853853669e565a\gdihook5.PNF DrvInst.exe File created C:\Windows\System32\DriverStore\INFCACHE.0 DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File created C:\Windows\SysWOW64\pcimsg.dll MSI8863.tmp File opened for modification C:\Windows\SysWOW64\pcimsg.dll MSI8863.tmp File created C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64\SET9BB3.tmp DrvInst.exe File opened for modification C:\Windows\system32\gdihook5.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64\SET9BB3.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\gdihook5.cat DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt winst64.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat winst64.exe File created C:\Windows\system32\clhook4.dll winst64.exe File created C:\Windows\system32\client32provider.dll winst64.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64\SET9BB4.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{5cbf28ae-dad4-27ec-1e81-ef61b94fea00}\x64\gdihook5.sys DrvInst.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2548 pcicfgui_client.exe 2548 pcicfgui_client.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIMSG.DLL msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\pscrinst64.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-namedpipe-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCICHEK.DLL msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Control.kbd msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-memory-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\toastMessage.png msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\AudioCapture.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nssres.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-processthreads-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\mfc100u.dll msiexec.exe File opened for modification C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.LIC MSI8863.tmp File created C:\Program Files (x86)\NetSupport\NetSupport Manager\_Shared Data.lnk MSI8863.tmp File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\unknown.gif msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nsmres.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\ucrtbase.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.LIC msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\HTCTL32.DLL msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-profile-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\remcmdstub.exe msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\redbar.gif msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.cat msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-utility-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-localization-l1-2-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\injlib.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_up.gif msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\supporttool.exe msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIhtmlgen.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\VolumeControlWVI.DLL msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicapi.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-runtime-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIRES.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\computer2.gif msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nskbfltr.sys msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\vcruntime140.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\shfolder.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIHOOKS.DLL msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-string-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-file-l1-2-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-errorhandling-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\WINSTALL.EXE msiexec.exe File opened for modification C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini pcicfgui_client.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\Pideuryy_HW_U1.bin client32.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-time-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_down.gif msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-sysinfo-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\pciconn.exe msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\bar.gif msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\pscrinst.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\DeskDup.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-heap-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\product.dat msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\PCICL32.DLL msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.inf msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-process-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-private-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-conio-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-processenvironment-l1-1-0.dll msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\gdihook5.cat msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_up_grey.gif msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\cpu2.gif msiexec.exe File created C:\Program Files (x86)\NetSupport\NetSupport Manager\logo.png msiexec.exe -
Drops file in Windows directory 48 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI80EA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8285.tmp msiexec.exe File opened for modification C:\Windows\Installer\{CBB68368-7767-4CFF-B3E5-211488346702}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log winst64.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\Installer\MSI7E79.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA102.tmp msiexec.exe File opened for modification C:\Windows\setuperr.log DrvInst.exe File opened for modification C:\Windows\setuperr.log MSI8863.tmp File opened for modification C:\Windows\INF\setupapi.app.log winst64.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\setupact.log MSI8863.tmp File opened for modification C:\Windows\Installer\MSI7B0A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7C64.tmp msiexec.exe File created C:\Windows\Installer\f777782.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI8178.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI82F4.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File created C:\Windows\INF\oem2.PNF DrvInst.exe File opened for modification C:\Windows\Installer\MSI7C34.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7C94.tmp msiexec.exe File opened for modification C:\Windows\setupact.log DrvInst.exe File opened for modification C:\Windows\Installer\MSIA9AE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA171.tmp msiexec.exe File opened for modification C:\Windows\setuperr.log winst64.exe File opened for modification C:\Windows\INF\setupapi.ev2 DrvInst.exe File opened for modification C:\Windows\Installer\MSI8286.tmp msiexec.exe File created C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIA605.tmp msiexec.exe File opened for modification C:\Windows\Installer\f777781.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI7D8E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI81A8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8246.tmp msiexec.exe File opened for modification C:\Windows\setupact.log winst64.exe File created C:\Windows\Installer\f777781.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI7C04.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8863.tmp msiexec.exe File created C:\Windows\Installer\f777784.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIA161.tmp msiexec.exe File opened for modification C:\Windows\Installer\f777782.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI8565.tmp msiexec.exe File created C:\Windows\Installer\{CBB68368-7767-4CFF-B3E5-211488346702}\ARPPRODUCTICON.exe msiexec.exe -
Executes dropped EXE 10 IoCs
pid Process 2140 MSI7E79.tmp 1584 MSI82F4.tmp 2396 checkdvd.exe 1364 MSI8863.tmp 2280 winst64.exe 2616 MSIA171.tmp 2684 client32.exe 2424 client32.exe 2548 pcicfgui_client.exe 2600 pcicfgui_client.exe -
Loads dropped DLL 64 IoCs
pid Process 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 3020 MsiExec.exe 2572 MsiExec.exe 2572 MsiExec.exe 2572 MsiExec.exe 2572 MsiExec.exe 2572 MsiExec.exe 2572 MsiExec.exe 2572 MsiExec.exe 2572 MsiExec.exe 2564 MsiExec.exe 2564 MsiExec.exe 2564 MsiExec.exe 2564 MsiExec.exe 1364 MSI8863.tmp 2280 winst64.exe 1364 MSI8863.tmp 2564 MsiExec.exe 2564 MsiExec.exe 2564 MsiExec.exe 2684 client32.exe 2684 client32.exe 2684 client32.exe 2684 client32.exe 2684 client32.exe 2684 client32.exe 2684 client32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2100 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSI8863.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSIA171.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSI7E79.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSI82F4.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language checkdvd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language client32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cscript.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language client32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pcicfgui_client.exe -
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI client32.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI client32.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI client32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK client32.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 client32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz client32.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{277EAFB2-470A-447A-AAFD-7155550259EA}\WpadDecisionTime = 20a49817493ddb01 client32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs winst64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0170000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 client32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad client32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings cscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs winst64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 client32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates winst64.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" client32.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%systemroot%\system32\windowspowershell\v1.0\powershell.exe",-111 = "Performs object-based (command-line) functions" client32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\be-fb-3f-7b-93-28\WpadDecisionReason = "1" client32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{277EAFB2-470A-447A-AAFD-7155550259EA}\WpadNetworkName = "Network 3" client32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{277EAFB2-470A-447A-AAFD-7155550259EA} client32.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs winst64.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" client32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\startyear = "2024" MSI8863.tmp Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus\1 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\AuthorizedLUAApp = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\authcode = "0xbdcc5d47" client32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\authcode = "0xbdcc5d47" pcicfgui_client.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell MSI8863.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile\shell\show\ = "&Show with NetSupport School" MSI8863.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus\ = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show MSI8863.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show MSI8863.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa pcicfgui_client.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\N5cf76cfa\expiryyear = "2024" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\a = "M" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command MSI8863.tmp Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\EditFlags = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\startyear = "2024" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command MSI8863.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\a = "M" MSI8863.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control\ msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show MSI8863.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\startday = "22" MSI8863.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\N5cf76cfa MSI8863.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\0\win32\ = "C:\\PROGRA~2\\NETSUP~1\\NETSUP~1\\ICOVIE~1.DLL" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\currentver = "1400" client32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\ = "&Show with NetSupport School" MSI8863.tmp Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable\ msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46} MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\CLSID\ = "{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\expiryyear = "2024" MSI8863.tmp Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\ = "IIconViewer" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\2C61D9FBB5C49E141B2D086B0653E432 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\authcode = "0xbdcc5d47" client32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell MSI8863.tmp Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32 MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa client32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile MSI8863.tmp Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ = "IconViewer Class" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\N5cf76cfa\N5cf76cfa\expirymonth = "12" MsiExec.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\FLAGS msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version\ = "1.0" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46} msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\ = "IcoViewer 1.0 Type Library" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\NSReplayFile\Shell msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1 msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\HELPDIR msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus MsiExec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer\CurVer msiexec.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2424 client32.exe -
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process 2924 attrib.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 2176 msiexec.exe 2176 msiexec.exe 1364 MSI8863.tmp 1364 MSI8863.tmp 1364 MSI8863.tmp 1364 MSI8863.tmp 2684 client32.exe 2684 client32.exe 2424 client32.exe 2424 client32.exe 2424 client32.exe 2424 client32.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 476 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2100 msiexec.exe Token: SeIncreaseQuotaPrivilege 2100 msiexec.exe Token: SeRestorePrivilege 2176 msiexec.exe Token: SeTakeOwnershipPrivilege 2176 msiexec.exe Token: SeSecurityPrivilege 2176 msiexec.exe Token: SeCreateTokenPrivilege 2100 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2100 msiexec.exe Token: SeLockMemoryPrivilege 2100 msiexec.exe Token: SeIncreaseQuotaPrivilege 2100 msiexec.exe Token: SeMachineAccountPrivilege 2100 msiexec.exe Token: SeTcbPrivilege 2100 msiexec.exe Token: SeSecurityPrivilege 2100 msiexec.exe Token: SeTakeOwnershipPrivilege 2100 msiexec.exe Token: SeLoadDriverPrivilege 2100 msiexec.exe Token: SeSystemProfilePrivilege 2100 msiexec.exe Token: SeSystemtimePrivilege 2100 msiexec.exe Token: SeProfSingleProcessPrivilege 2100 msiexec.exe Token: SeIncBasePriorityPrivilege 2100 msiexec.exe Token: SeCreatePagefilePrivilege 2100 msiexec.exe Token: SeCreatePermanentPrivilege 2100 msiexec.exe Token: SeBackupPrivilege 2100 msiexec.exe Token: SeRestorePrivilege 2100 msiexec.exe Token: SeShutdownPrivilege 2100 msiexec.exe Token: SeDebugPrivilege 2100 msiexec.exe Token: SeAuditPrivilege 2100 msiexec.exe Token: SeSystemEnvironmentPrivilege 2100 msiexec.exe Token: SeChangeNotifyPrivilege 2100 msiexec.exe Token: SeRemoteShutdownPrivilege 2100 msiexec.exe Token: SeUndockPrivilege 2100 msiexec.exe Token: SeSyncAgentPrivilege 2100 msiexec.exe Token: SeEnableDelegationPrivilege 2100 msiexec.exe Token: SeManageVolumePrivilege 2100 msiexec.exe Token: SeImpersonatePrivilege 2100 msiexec.exe Token: SeCreateGlobalPrivilege 2100 msiexec.exe Token: SeCreateTokenPrivilege 2100 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2100 msiexec.exe Token: SeLockMemoryPrivilege 2100 msiexec.exe Token: SeIncreaseQuotaPrivilege 2100 msiexec.exe Token: SeMachineAccountPrivilege 2100 msiexec.exe Token: SeTcbPrivilege 2100 msiexec.exe Token: SeSecurityPrivilege 2100 msiexec.exe Token: SeTakeOwnershipPrivilege 2100 msiexec.exe Token: SeLoadDriverPrivilege 2100 msiexec.exe Token: SeSystemProfilePrivilege 2100 msiexec.exe Token: SeSystemtimePrivilege 2100 msiexec.exe Token: SeProfSingleProcessPrivilege 2100 msiexec.exe Token: SeIncBasePriorityPrivilege 2100 msiexec.exe Token: SeCreatePagefilePrivilege 2100 msiexec.exe Token: SeCreatePermanentPrivilege 2100 msiexec.exe Token: SeBackupPrivilege 2100 msiexec.exe Token: SeRestorePrivilege 2100 msiexec.exe Token: SeShutdownPrivilege 2100 msiexec.exe Token: SeDebugPrivilege 2100 msiexec.exe Token: SeAuditPrivilege 2100 msiexec.exe Token: SeSystemEnvironmentPrivilege 2100 msiexec.exe Token: SeChangeNotifyPrivilege 2100 msiexec.exe Token: SeRemoteShutdownPrivilege 2100 msiexec.exe Token: SeUndockPrivilege 2100 msiexec.exe Token: SeSyncAgentPrivilege 2100 msiexec.exe Token: SeEnableDelegationPrivilege 2100 msiexec.exe Token: SeManageVolumePrivilege 2100 msiexec.exe Token: SeImpersonatePrivilege 2100 msiexec.exe Token: SeCreateGlobalPrivilege 2100 msiexec.exe Token: SeCreateTokenPrivilege 2100 msiexec.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 2100 msiexec.exe 2424 client32.exe 2424 client32.exe 2424 client32.exe 2100 msiexec.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2424 client32.exe 2424 client32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2176 wrote to memory of 3020 2176 msiexec.exe 32 PID 2176 wrote to memory of 3020 2176 msiexec.exe 32 PID 2176 wrote to memory of 3020 2176 msiexec.exe 32 PID 2176 wrote to memory of 3020 2176 msiexec.exe 32 PID 2176 wrote to memory of 3020 2176 msiexec.exe 32 PID 2176 wrote to memory of 3020 2176 msiexec.exe 32 PID 2176 wrote to memory of 3020 2176 msiexec.exe 32 PID 2100 wrote to memory of 2884 2100 msiexec.exe 33 PID 2100 wrote to memory of 2884 2100 msiexec.exe 33 PID 2100 wrote to memory of 2884 2100 msiexec.exe 33 PID 2884 wrote to memory of 2924 2884 cmd.exe 35 PID 2884 wrote to memory of 2924 2884 cmd.exe 35 PID 2884 wrote to memory of 2924 2884 cmd.exe 35 PID 2884 wrote to memory of 2924 2884 cmd.exe 35 PID 2176 wrote to memory of 2572 2176 msiexec.exe 39 PID 2176 wrote to memory of 2572 2176 msiexec.exe 39 PID 2176 wrote to memory of 2572 2176 msiexec.exe 39 PID 2176 wrote to memory of 2572 2176 msiexec.exe 39 PID 2176 wrote to memory of 2572 2176 msiexec.exe 39 PID 2176 wrote to memory of 2572 2176 msiexec.exe 39 PID 2176 wrote to memory of 2572 2176 msiexec.exe 39 PID 2176 wrote to memory of 2140 2176 msiexec.exe 41 PID 2176 wrote to memory of 2140 2176 msiexec.exe 41 PID 2176 wrote to memory of 2140 2176 msiexec.exe 41 PID 2176 wrote to memory of 2140 2176 msiexec.exe 41 PID 2176 wrote to memory of 2140 2176 msiexec.exe 41 PID 2176 wrote to memory of 2140 2176 msiexec.exe 41 PID 2176 wrote to memory of 2140 2176 msiexec.exe 41 PID 2176 wrote to memory of 2564 2176 msiexec.exe 42 PID 2176 wrote to memory of 2564 2176 msiexec.exe 42 PID 2176 wrote to memory of 2564 2176 msiexec.exe 42 PID 2176 wrote to memory of 2564 2176 msiexec.exe 42 PID 2176 wrote to memory of 2564 2176 msiexec.exe 42 PID 2176 wrote to memory of 2564 2176 msiexec.exe 42 PID 2176 wrote to memory of 2564 2176 msiexec.exe 42 PID 2176 wrote to memory of 1584 2176 msiexec.exe 43 PID 2176 wrote to memory of 1584 2176 msiexec.exe 43 PID 2176 wrote to memory of 1584 2176 msiexec.exe 43 PID 2176 wrote to memory of 1584 2176 msiexec.exe 43 PID 2176 wrote to memory of 1584 2176 msiexec.exe 43 PID 2176 wrote to memory of 1584 2176 msiexec.exe 43 PID 2176 wrote to memory of 1584 2176 msiexec.exe 43 PID 2176 wrote to memory of 2396 2176 msiexec.exe 44 PID 2176 wrote to memory of 2396 2176 msiexec.exe 44 PID 2176 wrote to memory of 2396 2176 msiexec.exe 44 PID 2176 wrote to memory of 2396 2176 msiexec.exe 44 PID 2176 wrote to memory of 1364 2176 msiexec.exe 45 PID 2176 wrote to memory of 1364 2176 msiexec.exe 45 PID 2176 wrote to memory of 1364 2176 msiexec.exe 45 PID 2176 wrote to memory of 1364 2176 msiexec.exe 45 PID 2176 wrote to memory of 1364 2176 msiexec.exe 45 PID 2176 wrote to memory of 1364 2176 msiexec.exe 45 PID 2176 wrote to memory of 1364 2176 msiexec.exe 45 PID 1364 wrote to memory of 2280 1364 MSI8863.tmp 46 PID 1364 wrote to memory of 2280 1364 MSI8863.tmp 46 PID 1364 wrote to memory of 2280 1364 MSI8863.tmp 46 PID 1364 wrote to memory of 2280 1364 MSI8863.tmp 46 PID 2176 wrote to memory of 2616 2176 msiexec.exe 49 PID 2176 wrote to memory of 2616 2176 msiexec.exe 49 PID 2176 wrote to memory of 2616 2176 msiexec.exe 49 PID 2176 wrote to memory of 2616 2176 msiexec.exe 49 PID 2176 wrote to memory of 2616 2176 msiexec.exe 49 PID 2176 wrote to memory of 2616 2176 msiexec.exe 49 PID 2176 wrote to memory of 2616 2176 msiexec.exe 49 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2924 attrib.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\vrep.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\system32\cmd.execmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"2⤵
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\attrib.exeATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Views/modifies file attributes
PID:2924
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 91FCA4DE7186DB814D27D0C405F30A1D C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3020
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C15ED951C9F8A1DC5143F1B2D0CEE1C22⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2572
-
-
C:\Windows\Installer\MSI7E79.tmp"C:\Windows\Installer\MSI7E79.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2140
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7ED01C81A58EC034C07696DF8C8A5717 M Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2564
-
-
C:\Windows\Installer\MSI82F4.tmp"C:\Windows\Installer\MSI82F4.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1584
-
-
C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2396
-
-
C:\Windows\Installer\MSI8863.tmp"C:\Windows\Installer\MSI8863.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EF".\Resources" /EF".\Help" /EF".\Image" /EF".\Sound" /EF".\Video" /EA /EX /EC /Q /V /Q /I *2⤵
- Sets service image path in registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exewinst64.exe /q /q /ex /i3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:2280
-
-
-
C:\Windows\Installer\MSIA171.tmp"C:\Windows\Installer\MSIA171.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EI2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616
-
-
C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2548 -
C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"3⤵
- Executes dropped EXE
PID:2600
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:1616
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000070" "0000000000000498"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1164
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1ad43768-5629-04c4-1aac-047a315b4438}\gdihook5.inf" "9" "6d3d268df" "00000000000005DC" "WinSta0\Default" "0000000000000494" "208" "c:\program files (x86)\netsupport\netsupport manager"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2404
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\DISPLAY\0000" "C:\Windows\INF\oem2.inf" "gdihook5.inf:gdihook5.Mfg.NTamd64:gdihook5:11.11.0.704:pci_gdihook5_hwid" "6d3d268df" "00000000000005DC" "000000000000058C" "00000000000005FC"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1696
-
C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2684 -
C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2424 -
C:\Windows\SysWOW64\cscript.exe"cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 498903⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2584
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
39KB
MD5d2b51a0a6d4a810ab21a6226b3bcc5dd
SHA1312a08575c45b8b65ca22049308776a222fc71b8
SHA25645c5e8dbfe87f97bd32c4792ffe71d94019f4419cbb1f8b3420c1da61ca668f5
SHA51294e9f1073e4443bd20714873e7a77424dc73ba2a808c7969dde8ec01d343d0601bff1806ad112fc64d716362f9953a77f1b1cd6157db8bc83d1c0eb439ecbba7
-
Filesize
506B
MD5ff7c0d2dbb9195083bbabaff482d5ed6
SHA15c2efbf855c376ce1b93e681c54a367a407495dc
SHA256065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075
SHA512ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
7KB
MD5a3d0b08e2edda26505533bb3594bab0b
SHA19e17948471784c73be1f63981238fdbb27f7d2de
SHA25617f384e12f546ff14a60cbba4338f216f3fb684741075cfd9d30741a0f4e683a
SHA5123704eff090311dd310ec97b55e9f0badc34eda6877f1d961153b008063fc0d2a1bbfc3a9aa6b80549e2a3733409799abd3f1cb2e39fb5123ec748a8bce7fc1a9
-
Filesize
169KB
MD50e6fda2b8425c9513c774cf29a1bc72d
SHA1a79ffa24cb5956398ded44da24793a2067b85dd0
SHA256e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9
SHA512285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa
-
Filesize
511KB
MD5d524b639a3a088155981b9b4efa55631
SHA139d8eea673c02c1522b110829b93d61310555b98
SHA25603d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289
SHA51284f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac
-
Filesize
153KB
MD5a1b7850763af9593b66ee459a081bddf
SHA16e45955fae2b2494902a1b55a3873e542f0f5ce4
SHA25641b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af
SHA512a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1
-
Filesize
487KB
MD53085d62326cc1ae4ab21489576973621
SHA1e3c847dee0ecc7176c1168d6d1df9b9e98b19936
SHA256d2dc425f47d8c80abd8cadbcd8aa53516e7754c371bd3bad3907294a6ca57c5c
SHA512f993e4e04b348f7eb346d2f3d00fdaed2212f28ba885bbe50c1959737c5b6cab9cfbe17c4aba992521aa0ecdcf5216fa9e6c36a47746077307d32170223a9a97
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
745KB
MD50fcf65c63e08e77732224b2d5d959f13
SHA15419b79fe14e21d1d5b51fe8187f7b86ec20de74
SHA256f3e587f94a79c46a603b39286e93b17fabc895c6b71b26b0fc5d812cf155b7e5
SHA5127c289aaf3ac1b998c8ca9593a58c8aa3a9aa9f41852c1ed4192b908e0ad51871400d585b4fe508d49368bdfc7378807d289971914870a7a47b0410a946e5e381
-
Filesize
244KB
MD5c4ca339bc85aae8999e4b101556239dd
SHA1d090fc385e0002e35db276960a360c67c4fc85cd
SHA2564ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9
SHA5129185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0
-
Filesize
39.7MB
MD587ef82757aba83e7eb63c7c35dbae97a
SHA17418c4ddeecba68e253e89622ad9ca45597d9350
SHA25679040421b5a48dcc6e611dfe187b2f3e355791ad8511adb84f5c0948aa1d6c89
SHA512605495995a07d7dfaa5d8f09b9d5bde1e0281b5b6581923b9fbd7c103e5ca9f2bb8dcf8e1049c21bd90ac4d68759270d5453e0414c2f6e1eb3ef877eee1a5533
-
Filesize
8KB
MD52d31ce5fe7cd81c996615ebcc29c058a
SHA14d74fe8e3170d36666df779e43fe8016986b154a
SHA256019290c9b7e5b48fb6de95f9563ed481cd42f8658451c6fbc8ad131d61209ce0
SHA512b8188481050630e7317d2f0687790a46e86f30a79f34164e4b02ec28da39334da80bd494a4f32ae8bb60fa2f01273cdcd9d15100f901517b0c01507678330052
-
Filesize
2KB
MD5703c7774b981e5d02e058340a27a5b75
SHA137534d7f0b31d2328d70ca578047d597273b73b6
SHA2564cfca868959f4e1b85bfd6b8a970ae06c0810d9c341f260df3ab8479089500e9
SHA512758e84915fa7ebb343bafd096bc40d9d226fe0da7c167b2b8e59f664e1be796143228bc3405df7e3447cdc918004db516344365d3d07a8e6c040df2b90456d78
-
Filesize
95KB
MD552b88eb20beb3b34a692a4cae0ff2196
SHA126a297b2baeb118f8856c1de41ee855572ba958a
SHA2562b675e9c27d3fb01cb9df2583b380de8dc8c0d5bbbe18af458f90b47c6d62b03
SHA51229567fc4db46d85f9ab8f6ecf2a708ec2c8def2e49eccd439daceda327b7411957b2014171a8370c3928d4a03a13bc6124d93678a87684370a5e6042d1c2ad6e
-
Filesize
68KB
MD59a348ed02f8b1efc9bfc5f53827f8a9c
SHA1c1f22705392af57b277d1fb4f46258dddffe8f33
SHA256641f2b86f013a95707ffdf0f584e3a83fedc1392cea3b546905b9ccb54ae10cf
SHA5129debb460fd74cb586ed66b7fa4bbb51a8e1184c1a061e81f4fd6f5e700fdb1e91b809a3f517fe55dd889f60df6ea29190455073dfa1cb5b85032b91efd12033f
-
Filesize
8KB
MD5c391f20baff9276c43b6600e63e6fb73
SHA12582a2e865465c15a09611856251808becff683d
SHA256021414165a3cbd807c7b6a81a235819c92c01bb738e588417f74be6c217b4110
SHA5122cc77ab793997787ee619db0b075724e83151c94b4bc506e15cddf7f9232dc4fefa9c95f2afaccc212c5ec0f7e947b469600c9f4154e83faae7810e301fe4722