Analysis
max time kernel: 150s
max time network: 153s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 31/01/2025, 13:58
Static task: static1
Behavioral task: behavioral1
  Sample: NetSupport School 15.10.0003.exe
  Resource: win11-20241007-en
Behavioral task: behavioral2
  Sample: NetSupportInstall.bat
  Resource: win11-20241007-en
General
Target: NetSupport School 15.10.0003.exe
Size: 146.9MB
MD5: 50c6a195ea8b2cac825a3bd2b2e5d5f7
SHA1: 7704b7bc735066139657919cc589fef8fdfd76a1
SHA256: f1f0d729245cd9272510e8fd258708ead8ed7ab0db39343c6f69cf9d35a35c2b
SHA512: 838332cb950b70aef47ffbff2dbb1503b26ee0fcb702376fbf6633e00bd33aa2b8add3432b28ce79ce0b44d51a7812dbb9c749782d4efc21c5df7c7a78a53088
SSDEEP: 3145728:7ghv5tQmlmVPMfix3deHWzomfJ4dbOO+2iX3gvB159GRiYDNAC77:7gF7QmlmVPguPRfy62KwvO/BAe
Malware Config
Signatures
-
NetSupport
NetSupport is a remote access tool sold as legitimate system administration software.
-
Netsupport family
-
Drops file in Drivers directory 2 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\system32\drivers\nskbfltr.sys | winst64.exe |
| File created | C:\Windows\system32\drivers\nskbfltr2.sys | winst64.exe |
Sets service image path in registry 2 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\nskbfltr\ImagePath = "\\SystemRoot\\system32\\drivers\\nskbfltr.sys" | MSI6091.tmp |
Blocklisted process makes network request 2 IoCs
| flow | pid | Process |
|---|---|---|
| 2 | 1052 | MSIEXEC.EXE |
| 3 | 1052 | MSIEXEC.EXE |
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies WinLogon 2 TTPs 1 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "0" | MSI6091.tmp |
Drops file in System32 directory 4 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\pcimsg.dll | MSI6091.tmp |
| File created | C:\Windows\system32\client32provider.dll | winst64.exe |
| File opened for modification | C:\Windows\system32\client32provider.dll | winst64.exe |
| File created | C:\Windows\SysWOW64\pcimsg.dll | MSI6091.tmp |
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
| pid | Process |
|---|---|
| 2728 | pcicfgui_setup.exe |
| 2728 | pcicfgui_setup.exe |
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 62 IoCs
Executes dropped EXE 19 IoCs
| pid | Process |
|---|---|
| 452 | NetSupport School 15.10.0003.exe |
| 2260 | MSI5058.tmp |
| 3628 | MSI50C6.tmp |
| 4344 | MSI562D.tmp |
| 1788 | checkdvd.exe |
| 2744 | MSI5F29.tmp |
| 3328 | MSI6091.tmp |
| 4920 | winst64.exe |
| 2728 | pcicfgui_setup.exe |
| 2872 | pcicfgui_setup.exe |
| 4780 | MSI7C4F.tmp |
| 5008 | client32.exe |
| 3096 | client32.exe |
| 2828 | winst64.exe |
| 556 | Process not Found |
| 1188 | runplugin.exe |
| 1808 | runplugin64.exe |
| 2976 | runplugin.exe |
| 3840 | runplugin64.exe |
Loads dropped DLL 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Isolation_old_student = "PMEM" | client32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Internet Explorer\Main\Isolation = "PMIL" | client32.exe |
Modifies data under HKEY_USERS 10 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-15 = "Balanced" | client32.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-13 = "High performance" | client32.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" | client32.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\powrprof.dll,-11 = "Power saver" | client32.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | client32.exe |
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process
3096 client32.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
5044 MsiExec.exe
5044 MsiExec.exe
2504 msiexec.exe
2504 msiexec.exe
3328 MSI6091.tmp
3328 MSI6091.tmp
3328 MSI6091.tmp
3328 MSI6091.tmp
5008 client32.exe
5008 client32.exe
3096 client32.exe
3096 client32.exe
1808 runplugin64.exe
1808 runplugin64.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process
1188 runplugin.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1052 MSIEXEC.EXE Token: SeIncreaseQuotaPrivilege 1052 MSIEXEC.EXE Token: SeSecurityPrivilege 2504 msiexec.exe Token: SeCreateTokenPrivilege 1052 MSIEXEC.EXE Token: SeAssignPrimaryTokenPrivilege 1052 MSIEXEC.EXE Token: SeLockMemoryPrivilege 1052 MSIEXEC.EXE Token: SeIncreaseQuotaPrivilege 1052 MSIEXEC.EXE Token: SeMachineAccountPrivilege 1052 MSIEXEC.EXE Token: SeTcbPrivilege 1052 MSIEXEC.EXE Token: SeSecurityPrivilege 1052 MSIEXEC.EXE Token: SeTakeOwnershipPrivilege 1052 MSIEXEC.EXE Token: SeLoadDriverPrivilege 1052 MSIEXEC.EXE Token: SeSystemProfilePrivilege 1052 MSIEXEC.EXE Token: SeSystemtimePrivilege 1052 MSIEXEC.EXE Token: SeProfSingleProcessPrivilege 1052 MSIEXEC.EXE Token: SeIncBasePriorityPrivilege 1052 MSIEXEC.EXE Token: SeCreatePagefilePrivilege 1052 MSIEXEC.EXE Token: SeCreatePermanentPrivilege 1052 MSIEXEC.EXE Token: SeBackupPrivilege 1052 MSIEXEC.EXE Token: SeRestorePrivilege 1052 MSIEXEC.EXE Token: SeShutdownPrivilege 1052 MSIEXEC.EXE Token: SeDebugPrivilege 1052 MSIEXEC.EXE Token: SeAuditPrivilege 1052 MSIEXEC.EXE Token: SeSystemEnvironmentPrivilege 1052 MSIEXEC.EXE Token: SeChangeNotifyPrivilege 1052 MSIEXEC.EXE Token: SeRemoteShutdownPrivilege 1052 MSIEXEC.EXE Token: SeUndockPrivilege 1052 MSIEXEC.EXE Token: SeSyncAgentPrivilege 1052 MSIEXEC.EXE Token: SeEnableDelegationPrivilege 1052 MSIEXEC.EXE Token: SeManageVolumePrivilege 1052 MSIEXEC.EXE Token: SeImpersonatePrivilege 1052 MSIEXEC.EXE Token: SeCreateGlobalPrivilege 1052 MSIEXEC.EXE Token: SeCreateTokenPrivilege 1052 MSIEXEC.EXE Token: SeAssignPrimaryTokenPrivilege 1052 MSIEXEC.EXE Token: SeLockMemoryPrivilege 1052 MSIEXEC.EXE Token: SeIncreaseQuotaPrivilege 1052 MSIEXEC.EXE Token: SeMachineAccountPrivilege 1052 MSIEXEC.EXE Token: SeTcbPrivilege 1052 MSIEXEC.EXE Token: SeSecurityPrivilege 1052 MSIEXEC.EXE Token: SeTakeOwnershipPrivilege 1052 MSIEXEC.EXE Token: SeLoadDriverPrivilege 1052 MSIEXEC.EXE Token: SeSystemProfilePrivilege 1052 
MSIEXEC.EXE Token: SeSystemtimePrivilege 1052 MSIEXEC.EXE Token: SeProfSingleProcessPrivilege 1052 MSIEXEC.EXE Token: SeIncBasePriorityPrivilege 1052 MSIEXEC.EXE Token: SeCreatePagefilePrivilege 1052 MSIEXEC.EXE Token: SeCreatePermanentPrivilege 1052 MSIEXEC.EXE Token: SeBackupPrivilege 1052 MSIEXEC.EXE Token: SeRestorePrivilege 1052 MSIEXEC.EXE Token: SeShutdownPrivilege 1052 MSIEXEC.EXE Token: SeDebugPrivilege 1052 MSIEXEC.EXE Token: SeAuditPrivilege 1052 MSIEXEC.EXE Token: SeSystemEnvironmentPrivilege 1052 MSIEXEC.EXE Token: SeChangeNotifyPrivilege 1052 MSIEXEC.EXE Token: SeRemoteShutdownPrivilege 1052 MSIEXEC.EXE Token: SeUndockPrivilege 1052 MSIEXEC.EXE Token: SeSyncAgentPrivilege 1052 MSIEXEC.EXE Token: SeEnableDelegationPrivilege 1052 MSIEXEC.EXE Token: SeManageVolumePrivilege 1052 MSIEXEC.EXE Token: SeImpersonatePrivilege 1052 MSIEXEC.EXE Token: SeCreateGlobalPrivilege 1052 MSIEXEC.EXE Token: SeCreateTokenPrivilege 1052 MSIEXEC.EXE Token: SeAssignPrimaryTokenPrivilege 1052 MSIEXEC.EXE Token: SeLockMemoryPrivilege 1052 MSIEXEC.EXE -
Suspicious use of FindShellTrayWindow 9 IoCs
pid Process
1052 MSIEXEC.EXE
1052 MSIEXEC.EXE
3096 client32.exe
3096 client32.exe
3096 client32.exe
3096 client32.exe
3096 client32.exe
3096 client32.exe
3096 client32.exe
-
Suspicious use of SendNotifyMessage 4 IoCs
pid Process
3096 client32.exe
3096 client32.exe
3096 client32.exe
3096 client32.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process
2828 winst64.exe
1188 runplugin.exe
1808 runplugin64.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1496 wrote to memory of 452 1496 NetSupport School 15.10.0003.exe 77 PID 1496 wrote to memory of 452 1496 NetSupport School 15.10.0003.exe 77 PID 1496 wrote to memory of 452 1496 NetSupport School 15.10.0003.exe 77 PID 452 wrote to memory of 1052 452 NetSupport School 15.10.0003.exe 78 PID 452 wrote to memory of 1052 452 NetSupport School 15.10.0003.exe 78 PID 452 wrote to memory of 1052 452 NetSupport School 15.10.0003.exe 78 PID 2504 wrote to memory of 5044 2504 msiexec.exe 82 PID 2504 wrote to memory of 5044 2504 msiexec.exe 82 PID 2504 wrote to memory of 5044 2504 msiexec.exe 82 PID 1052 wrote to memory of 3576 1052 MSIEXEC.EXE 83 PID 1052 wrote to memory of 3576 1052 MSIEXEC.EXE 83 PID 1052 wrote to memory of 3576 1052 MSIEXEC.EXE 83 PID 3576 wrote to memory of 4760 3576 cmd.exe 85 PID 3576 wrote to memory of 4760 3576 cmd.exe 85 PID 3576 wrote to memory of 4760 3576 cmd.exe 85 PID 1052 wrote to memory of 464 1052 MSIEXEC.EXE 86 PID 1052 wrote to memory of 464 1052 MSIEXEC.EXE 86 PID 1052 wrote to memory of 464 1052 MSIEXEC.EXE 86 PID 464 wrote to memory of 1272 464 cmd.exe 88 PID 464 wrote to memory of 1272 464 cmd.exe 88 PID 464 wrote to memory of 1272 464 cmd.exe 88 PID 2504 wrote to memory of 1420 2504 msiexec.exe 92 PID 2504 wrote to memory of 1420 2504 msiexec.exe 92 PID 2504 wrote to memory of 2088 2504 msiexec.exe 94 PID 2504 wrote to memory of 2088 2504 msiexec.exe 94 PID 2504 wrote to memory of 2088 2504 msiexec.exe 94 PID 2504 wrote to memory of 2260 2504 msiexec.exe 95 PID 2504 wrote to memory of 2260 2504 msiexec.exe 95 PID 2504 wrote to memory of 3628 2504 msiexec.exe 97 PID 2504 wrote to memory of 3628 2504 msiexec.exe 97 PID 2504 wrote to memory of 3628 2504 msiexec.exe 97 PID 2504 wrote to memory of 3736 2504 msiexec.exe 98 PID 2504 wrote to memory of 3736 2504 msiexec.exe 98 PID 2504 wrote to memory of 3736 2504 msiexec.exe 98 PID 2504 wrote to memory of 4344 2504 msiexec.exe 99 PID 2504 wrote to 
memory of 4344 2504 msiexec.exe 99 PID 2504 wrote to memory of 4344 2504 msiexec.exe 99 PID 2504 wrote to memory of 1788 2504 msiexec.exe 100 PID 2504 wrote to memory of 1788 2504 msiexec.exe 100 PID 2504 wrote to memory of 1788 2504 msiexec.exe 100 PID 2504 wrote to memory of 2744 2504 msiexec.exe 101 PID 2504 wrote to memory of 2744 2504 msiexec.exe 101 PID 2504 wrote to memory of 2744 2504 msiexec.exe 101 PID 2504 wrote to memory of 3328 2504 msiexec.exe 102 PID 2504 wrote to memory of 3328 2504 msiexec.exe 102 PID 2504 wrote to memory of 3328 2504 msiexec.exe 102 PID 3328 wrote to memory of 4920 3328 MSI6091.tmp 103 PID 3328 wrote to memory of 4920 3328 MSI6091.tmp 103 PID 2504 wrote to memory of 2748 2504 msiexec.exe 104 PID 2504 wrote to memory of 2748 2504 msiexec.exe 104 PID 2748 wrote to memory of 2760 2748 cmd.exe 106 PID 2748 wrote to memory of 2760 2748 cmd.exe 106 PID 2748 wrote to memory of 2760 2748 cmd.exe 106 PID 2504 wrote to memory of 2728 2504 msiexec.exe 107 PID 2504 wrote to memory of 2728 2504 msiexec.exe 107 PID 2504 wrote to memory of 2728 2504 msiexec.exe 107 PID 2728 wrote to memory of 2872 2728 pcicfgui_setup.exe 108 PID 2728 wrote to memory of 2872 2728 pcicfgui_setup.exe 108 PID 2728 wrote to memory of 2872 2728 pcicfgui_setup.exe 108 PID 1052 wrote to memory of 4780 1052 MSIEXEC.EXE 110 PID 1052 wrote to memory of 4780 1052 MSIEXEC.EXE 110 PID 1052 wrote to memory of 4780 1052 MSIEXEC.EXE 110 PID 5008 wrote to memory of 3096 5008 client32.exe 112 PID 5008 wrote to memory of 3096 5008 client32.exe 112 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process
1272 attrib.exe
4760 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe"C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Users\Admin\AppData\Local\Temp\{DF60301B-3D11-4F8F-9A01-E1F0A694E77F}\NetSupport School 15.10.0003.exe"C:\Users\Admin\AppData\Local\Temp\{DF60301B-3D11-4F8F-9A01-E1F0A694E77F}\NetSupport School 15.10.0003.exe" /q"C:\Users\Admin\AppData\Local\Temp\NetSupport School 15.10.0003.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{DF60301B-3D11-4F8F-9A01-E1F0A694E77F}" /IS_temp2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:452 -
C:\Windows\SysWOW64\MSIEXEC.EXE"C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{DF60301B-3D11-4F8F-9A01-E1F0A694E77F}\NetSupport School.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="NetSupport School 15.10.0003.exe"3⤵
- Blocklisted process makes network request
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\attrib.exeATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4760
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c ATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\attrib.exeATTRIB -R "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\nsm.lic5⤵
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1272
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSI7C4F.tmp"C:\Users\Admin\AppData\Local\Temp\MSI7C4F.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EI4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4780
-
-
-
C:\Windows\SysWOW64\explorer.exeC:\Windows\system32\explorer.exe3⤵PID:3112
-
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 49BF84C1DE93DCBB3968364042C8275E C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5044
-
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1420
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2D9EEE4C3BAF29C1E3535A42A6D29A9D2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2088
-
-
C:\Windows\Installer\MSI5058.tmp"C:\Windows\Installer\MSI5058.tmp" /p "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\\Detect64LSP.txt"2⤵
- Executes dropped EXE
PID:2260
-
-
C:\Windows\Installer\MSI50C6.tmp"C:\Windows\Installer\MSI50C6.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2C62578C509F7E2199262C567373C767 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:3736
-
-
C:\Windows\Installer\MSI562D.tmp"C:\Windows\Installer\MSI562D.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EU2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4344
-
-
C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe"C:\Program Files (x86)\NetSupport\NetSupport School\checkdvd.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1788
-
-
C:\Windows\Installer\MSI5F29.tmp"C:\Windows\Installer\MSI5F29.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EC /Q /Q /C2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2744
-
-
C:\Windows\Installer\MSI6091.tmp"C:\Windows\Installer\MSI6091.tmp" /G"C:\Program Files (x86)\NetSupport\NetSupport School\" /EV"NetSupport School" /EC /Q /Q /I *2⤵
- Sets service image path in registry
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3328 -
C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exewinst64.exe /q /q /i3⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:4920
-
-
-
C:\Windows\system32\cmd.execmd.exe /c secedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet2⤵
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\SecEdit.exesecedit /configure /areas SECURITYPOLICY /db hisecws.sdb /cfg "C:\Users\Admin\AppData\Local\Temp\{F021B863-9473-4467-93B2-6FC48C30E42F}\NS.inf" /log "C:\Program Files (x86)\NetSupport\NetSupport School\sec.log" /overwrite /quiet3⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2760
-
-
-
C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe"C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe" /Q "C:\Program Files (x86)\NetSupport\NetSupport School\Client32.ini"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe"C:\Program Files (x86)\NetSupport\NetSupport School\pcicfgui_setup.exe"3⤵
- Executes dropped EXE
PID:2872
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
PID:2928
-
C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe"C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" /* *1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe"C:\Program Files (x86)\NetSupport\NetSupport School\client32.exe" * /VistaUI2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3096 -
C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe"C:\Program Files (x86)\NetSupport\NetSupport School\winst64.exe" /Q /Q /EBd020a,03⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2828
-
-
C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe"C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe" /USER=SYSTEM3⤵
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1188
-
-
C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe"C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe" /USER=SYSTEM3⤵
- Enumerates connected drives
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1808
-
-
C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe"C:\Program Files (x86)\NetSupport\NetSupport School\runplugin.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976
-
-
C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe"C:\Program Files (x86)\NetSupport\NetSupport School\runplugin64.exe"3⤵
- Executes dropped EXE
PID:3840
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (3)
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk
Filesize: 2KB
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NetSupport School\NetSupport School Student Configurator.lnk~RFe585ec5.TMP
Filesize: 2KB