64a6b8d85dcbe4a5a30d8cb381778043179cadb3044e7d3d418a9aebb29b360b

Analysis

max time kernel
72s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2023 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NTLite_setup_x64.exe
Size

23.5MB
MD5

391907fdc98797abccc1718767f736ef
SHA1

7471f0c2be722b6943f70cd1e16b8051d6bb195d
SHA256

64a6b8d85dcbe4a5a30d8cb381778043179cadb3044e7d3d418a9aebb29b360b
SHA512

76ecb4d249af88fba9753b278d1cb750603aa93c6c36e0ba02ab1b5680407d287c59a696f8b29f50732ebaa4a7f5b203f9ff72aa1c2ce0b4b9d0004c15848a90
SSDEEP

393216:pul8cgRtT0C6zhmTodWoDPJMr9a9zKNuHjRCLoyAzveL:pZcgRtIpzhmTaWozJr10Loywvg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1964	NTLite_setup_x64.tmp
3164	NTLite.exe

Loads dropped DLL 1 IoCs

pid	Process
3164	NTLite.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3164	NTLite.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\x64\api-ms-win-downlevel-kernel32-l2-1-0.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-2DM9Q.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-73OOH.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-58516.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Website.url	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\is-6GDTU.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-I3BUA.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\settings.xml	NTLite.exe
File opened for modification	C:\Program Files\NTLite\settings.xml	NTLite.exe
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\x64\api-ms-win-downlevel-ole32-l1-1-1.dll	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\x64\api-ms-win-downlevel-user32-l1-1-1.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\is-NU4D7.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\HWLists\is-KOFC4.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-1Q886.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\api-ms-win-downlevel-ole32-l1-1-1.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\HWLists\is-JJVQ3.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-I8EQA.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-3QJUB.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-0QDRU.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\NTLite.exe	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\unins000.dat	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\is-8USGI.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\wimlib\x64\is-6DJ7E.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-V933F.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\x64\api-ms-win-downlevel-advapi32-l1-1-1.dll	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\x64\api-ms-win-downlevel-version-l1-1-0.dll	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\7-zip\x64\7z.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\is-1RTUM.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-JE05A.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\wimlib\x64\libwim-15.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\is-A06IC.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\is-2TH8C.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-IQ3TM.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-E0JJ2.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-4SN3F.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\api-ms-win-downlevel-user32-l1-1-1.dll	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\x64\api-ms-win-downlevel-advapi32-l4-1-0.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\is-1EPJ8.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\x64\is-FP5FM.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\x64\is-6TMT3.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\7-zip\is-UECOB.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-OMTBA.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\x64\api-ms-win-downlevel-kernel32-l1-1-0.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\x64\is-0F3SD.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\is-JG7F1.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\wimlib\is-Q80UG.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-K6U8C.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\api-ms-win-downlevel-advapi32-l1-1-1.dll	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\api-ms-win-downlevel-kernel32-l2-1-0.dll	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\api-ms-win-downlevel-kernel32-l1-1-0.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\HWLists\is-R0LQ2.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\x64\is-AFEQ3.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\x64\is-7NSPC.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\is-E574I.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-31CR6.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\unins000.msg	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\api-ms-win-downlevel-version-l1-1-0.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\is-FIU9P.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-DDQGB.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-TVHN9.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-3LMJ1.tmp	NTLite_setup_x64.tmp
File opened for modification	C:\Program Files\NTLite\Tools\ApiWrappers\api-ms-win-downlevel-advapi32-l4-1-0.dll	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Tools\ApiWrappers\x64\is-8EUSS.tmp	NTLite_setup_x64.tmp
File created	C:\Program Files\NTLite\Lang\is-5CVMQ.tmp	NTLite_setup_x64.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 24 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	NTLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	NTLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	NTLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	NTLite.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	NTLite.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	NTLite.exe

Modifies registry class 39 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5400310000000000bb564a9910004e544c69746500003e0009000400efbebb564999bb564a992e0000004a27020000000700000000000000000000000000000096b001014e0054004c00690074006500000016000000	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NTLite.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings	NTLite.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000bb564999110050524f4752417e310000740009000400efbe874fdb49bb5649992e0000003f0000000000010000000000000000004a00000000001bc8b700500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NTLite.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NTLite.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NTLite.exe
Key created	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NTLite.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	NTLite.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1964	NTLite_setup_x64.tmp
1964	NTLite_setup_x64.tmp
3164	NTLite.exe
3164	NTLite.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	3164	NTLite.exe
Token: SeSecurityPrivilege	3164	NTLite.exe
Token: SeBackupPrivilege	3164	NTLite.exe
Token: SeShutdownPrivilege	3164	NTLite.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1964	NTLite_setup_x64.tmp
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe
3164	NTLite.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1964	4092	NTLite_setup_x64.exe	84
PID 4092 wrote to memory of 1964	4092	NTLite_setup_x64.exe	84
PID 4092 wrote to memory of 1964	4092	NTLite_setup_x64.exe	84
PID 1964 wrote to memory of 3164	1964	NTLite_setup_x64.tmp	91
PID 1964 wrote to memory of 3164	1964	NTLite_setup_x64.tmp	91

C:\Users\Admin\AppData\Local\Temp\NTLite_setup_x64.exe
"C:\Users\Admin\AppData\Local\Temp\NTLite_setup_x64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\is-8JOTC.tmp\NTLite_setup_x64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8JOTC.tmp\NTLite_setup_x64.tmp" /SL5="$1A0022,23634002,832512,C:\Users\Admin\AppData\Local\Temp\NTLite_setup_x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Program Files\NTLite\NTLite.exe
    "C:\Program Files\NTLite\NTLite.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Program Files directory
    - Checks SCSI registry key(s)
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\NTLite\Lang\Arabic.xml

Filesize
366KB

MD5
2c9f6dd071bf0c16fedcbb3fb0425fd8

SHA1
237ffedd396d96c9b7df5587b04a258dc8510af6

SHA256
0a380c3669c1fa4ce040fa00dc8d1bafbaa4b1cd63b1e924a12b7bd501aca762

SHA512
b5440184c16c78bb7397f5c28d1f9978959d0db09bb952c3e174cc2fb2ac60bcd5a28ed83a0eab9bc6b6c61a81723f88cf7b79c7ebabd35109a1663713ef3849

Download Submit
C:\Program Files\NTLite\Lang\Bulgarian.xml

Filesize
310KB

MD5
4c8c7dac079034ab4c6dc539bdfb8540

SHA1
d9039d38d673f27b8a8da270bd85e33d125cf7da

SHA256
877e505dbef36311179b95614a2c980be6d5ff2828a05788895e477dbff92136

SHA512
668c6ce16b91c003c682f627d838f475ac9b217361f9b0e1df04550cab02f06978a58588a882842942ab1597a580f39a7aed1d3deb16b905d3419dafdc4d3311

Download Submit
C:\Program Files\NTLite\Lang\Chinese (Simplified).xml

Filesize
176KB

MD5
c89052e7fd174e6dc284a4bca1aef3cc

SHA1
08a0aa9a2f0f0b4fbc47df0fd4673bfd59d2e6a9

SHA256
8fdfe0ae7a15c609f2085730aac9a4eeff989cd2e5a672aa477bd170c320ed83

SHA512
83d01732f959eef7f87a6551bc3a7e0a92108d68b9317729f3a452b350b22450c59bdf6ecdf3b56da074bd9d9985e282c033de1ee9f9d5e230f664f039f14cfe

Download Submit
C:\Program Files\NTLite\Lang\Chinese (Traditional).xml

Filesize
176KB

MD5
b867123cf95cc8eea1324945dcc8cfa6

SHA1
b86612bc8e3d3db8352d5b5949d489b7ed214f6e

SHA256
70a7ed3bf0ddb31d09703bf6fdcecfec6839deb747279018d956bf9459ccc261

SHA512
bd7aff4a3ffc9c8d69c2951694d7c8df15314d8c2bb8d5843a1950d4dfdf42c2837130c1ca26ba65c122f78b6bb5b58f6402e8ae6db134f218d443f3f7604b91

Download Submit
C:\Program Files\NTLite\Lang\Dutch.xml

Filesize
179KB

MD5
942e8dba0bd45f5a0e0ce4642a6947b3

SHA1
3a58f70d4dd72cad4e1eafb675192e0555336c71

SHA256
1a28405b6c1e85d6eb629d7ba9269496a03edd2bb6a639d4308f483dd833acb8

SHA512
2cf4727a71b7423658078d5ec59e3d086c258c426619cfc2b7a24719162b4cd7fcbc5d1695df6262eb21d0ed1c6dc6ebec94d11e22de9782e2f12612c8ca3d63

Download Submit
C:\Program Files\NTLite\Lang\Farsi.xml

Filesize
247KB

MD5
24a0a443d60558d5a3ee5745ba30af57

SHA1
dafbf13721fa912ac3203c44e57c066ae5501cc9

SHA256
6e177b90db711e52c6a0e165f2df01ba8b9c0faa06861098e398ddddf598cd66

SHA512
06dc212c102918f072bdf63cc2fb912824b661f4d1f2ae51a1ca32af92f71b95662ae2ad0ec070f0ef1410d28c7863808575a8c71ef3437b6c61c0caa54d94ae

Download Submit
C:\Program Files\NTLite\Lang\French.xml

Filesize
221KB

MD5
bdbabe017ea40da5ec6057dce3183b6d

SHA1
ddaa733bc9384dc0c66244b89e25e0863619309c

SHA256
111a43cf081bf8edfa338b1440ce6b340895ddf3293a4354eb2809778bcb7162

SHA512
3cf095b757372ca6fa26a9cff7ca9f583d91ccb4af49aeeea7311f6e41719a68419dd8e2987aed4a84630fce05270f597062df3d6eed3d468021df6809af6774

Download Submit
C:\Program Files\NTLite\Lang\German.xml

Filesize
218KB

MD5
c4499c7a97604fe0c465359f5e6eaf90

SHA1
d5599e829b31f8850cee0cc9725522978178444c

SHA256
ec99bfe3000e6be6881caa9489ce1c6d55df07094fe31a0e89c1282a06c2fd74

SHA512
e05412f85a6948bbdc5ecc825e4e358a0f4be344d7ae1c86dafaf9f80c9ff23664711020748e258b596accab98e3d0f61f830eb2dc62b7f277fdb55bc7b3233d

Download Submit
C:\Program Files\NTLite\Lang\Greek.xml

Filesize
316KB

MD5
11dead5d399aee0696d8e43e3b83a4f0

SHA1
555697d70278ccfa8a8fc6794e8a934516a57d12

SHA256
3137e88e64f21f1a3674b51f30efccfb7f485958c153afe672960f559d3bcb29

SHA512
42f71ce90a6e833b73810a683b9dce32031439de6ac2e42371ec757849fce45526831e23b2cd332baf8091a4e0c2f352975f616e4e3c88b9769c264e260b6159

Download Submit
C:\Program Files\NTLite\Lang\Hungarian.xml

Filesize
203KB

MD5
4f2057b3a8841f06c78a43263737c01c

SHA1
4da1dbc7bd9e3059ee5ca5b0a998af9dd65d7b4d

SHA256
75be2210420078e16d853d54e6465702cc23245a2a93b3387cc97a1018a94088

SHA512
443dd6c70ccb3aed5803e93428ea2c9762badab472f6b0c84f90d2d5815f70b09374489a810555ada736d50f4fa0dd61d89cfbe07a5758c8b96cc0ba73d727c7

Download Submit
C:\Program Files\NTLite\Lang\Italian.xml

Filesize
211KB

MD5
9a4045f0555ec26cdc30edb3f9a086d1

SHA1
08f65229ed18c956fedc00beb045834d8c7341ba

SHA256
803ac4f1331046eeff47d3d5c910198e9649e742ed5f108046a950d85046648b

SHA512
d7659585857efc9bb4ece9a4384be82053eb3a47153f7b60b0de1146a55da60f9b473505b1079986c49a14227206bbd0723334de9930da295de2376c17a36f4e

Download Submit
C:\Program Files\NTLite\Lang\Japanese.xml

Filesize
247KB

MD5
7ccb14204110779745049fc12f45a534

SHA1
679314e4ab9cc337ea5400c20916f89c4a88705d

SHA256
2a58e86331562cd075b45356981033c94726960f8b494ae9acf1533e8bb0734a

SHA512
6f0519b577e2f3b52caeb473a3eaf0905b0279be94821a99555cc181db0ea987431415606709cbb0bffb449ca171c6965f7df62cef419592c4f9019737d1919a

Download Submit
C:\Program Files\NTLite\Lang\Korean.xml

Filesize
219KB

MD5
f5d2de635e3d990bee4bb040acd1850e

SHA1
4d7f2d026c73dfab1c06cd8694d771f25153e05b

SHA256
91fbe3de6f5ab890f4e99b903c514ba7a1c22e33c38f347e730e0be3dafb2473

SHA512
4a21e57c0fa3495634ac2362cf95a9c6f235fc2ca01d050bb8b15236ffc4b9dc2cedf78a1732f3e3b17cdb1ff96201ab6f0030d86c8e94d3f2c0d1bd86761b10

Download Submit
C:\Program Files\NTLite\Lang\Polish.xml

Filesize
199KB

MD5
fdb474b006addefe3cb713c2cdce96e4

SHA1
b214c94a740a58d6b373bd4966d0370a2dbd8ef8

SHA256
e61840d706513446f280eb06e5f991160e15aa1d63dea99c32faea493218e998

SHA512
2b65adad1a5d8c58cf502cf177d518ffeb0f63dc55ce69cf37f76ea8dd0eee5083aad52bc220e4860f30ad47e4e833dffda1cc1ece53a649a7d029c28952da36

Download Submit
C:\Program Files\NTLite\Lang\Portuguese (Brazil).xml

Filesize
198KB

MD5
f524a149dadff38a7bbe9bb558265453

SHA1
d63490a2ae469d7308d4d3f7f47a0659c54d3641

SHA256
445bfbddd618de1a09717e6ed622a4e7b0e15b91a5c3cc27df5eabf1307080ff

SHA512
62082ba938da522581aa150353c5e906ab032573fa9992b148f9359e30d457c641196405d866712db90ec3bdba5850020d718bf959cab949af015b0940d700be

Download Submit
C:\Program Files\NTLite\Lang\Romanian.xml

Filesize
212KB

MD5
6145d9d8dbec3a4e76b8e29a8ec23576

SHA1
879b3bf22f03278fe48af45691450da464455429

SHA256
3fda9d86f5ddb8338e6e4f309ebb94d81c0c2e52899a1ea0936fab8939b2d236

SHA512
5eb3280b22cc4a320ce03d624210b0656629c06f01ca2bca5ca5ffec292926303de50951bed11d6a8c968254f4dd868c654e4d1c559af3b67ca80cb4be4f0b4b

Download Submit
C:\Program Files\NTLite\Lang\Russian.xml

Filesize
280KB

MD5
7f9f039c97e43f589226110c1e0e79c7

SHA1
67664367ce3345f7cab72e395673106a5c45f7c0

SHA256
63a7ec048c25a4c7ef09c199288835720372a3dc724e9665530889309459c344

SHA512
ddfd7c7cde2ef8274649fafa3325e6ef49c1e0a63c655ed53139109cfbb76d263543110b44186f0e3769a4582c421b1b42ec58885354dec743ccd01e84cb59c4

Download Submit
C:\Program Files\NTLite\Lang\Slovak.xml

Filesize
185KB

MD5
0977933e739d5e1e86d6803f3868a02b

SHA1
a11994b489d2447bb07c05c7b6e31eff89c81dfe

SHA256
4f922532b4f92ca5fb6262865ff2ee902783be37ece2def08b5d4ab99f5fab68

SHA512
cfa6d6d84da55794a3c884c35f100bf4179d324e8c2216b1b0440436edad779c792d9668a6ff751789496e0aebe2800c2dd5f75788e6144825f18394cba4f66f

Download Submit
C:\Program Files\NTLite\Lang\Spanish.xml

Filesize
191KB

MD5
8ab0a8e1754f72d82112ed5ea85720ab

SHA1
a3122dd3f1ab34780fa6f852b5457d8617c7d58e

SHA256
02e0e8a61e37ba486d63dad60a5720bb774b371208ab1bd47f51b65cf698c3d8

SHA512
7afb5dff007f59920efe56c625a0f37b7046e6b80bca4455e98dde4c04bb147dada3b85282adcae5cb2d994320a9a9c3be3410930006ecf7dc08d0ffe04bcdef

Download Submit
C:\Program Files\NTLite\Lang\Swedish.xml

Filesize
202KB

MD5
70d9062ab88f73e0774ce9977af5c434

SHA1
d940c16c9d7ef3960fa34c1b27bf2677342b87ba

SHA256
77a69baa71a3f75f37e5801acec46fa516371b92ba938ebdb913110eaf1fc431

SHA512
71165808792f8ba91149fd46d829e6fcac6a86b7fa8ff4f8a4b845d87aae0abb095dfe5478d0cb5c8c9fff5a27adb1b904da5e3e21d7848defda2619b1068f79

Download Submit
C:\Program Files\NTLite\Lang\Turkish.xml

Filesize
193KB

MD5
d432c19fab005f1510174ad1cae9afbd

SHA1
f249667425e3d2f9c9d2b6f684c5d320d918223d

SHA256
3a080fe171feeca3491daa011b581d3d6bc50da1a769409ebd613bcbb5e8982e

SHA512
961a23d7fd20e4d5fb808f986339ee030a0e3b390414f41050c3057dd173cdbbcb5a3e7395e676b77318ea10ea3c70db07bafc14b645756d17671ec27f46eb06

Download Submit
C:\Program Files\NTLite\Lang\Ukrainian.xml

Filesize
314KB

MD5
374acfad9985500dd21b805600c9262d

SHA1
96b21ba69700d8600f01df14b216d5cc6ac9ac1d

SHA256
1c4ced85a790c7b39c92ca3ddcb5feb33300ca4ab0bd293ed56e4c8b221de467

SHA512
4cd06d623f99763ac3c23cc3c576c45fe0a057342de958dd76b31a1a6bfab86b38cda765925b1d91c489e30139f166fb6ea698bdd8b5e4cb91d1ce5da2c63674

Download Submit
C:\Program Files\NTLite\License.txt

Filesize
6KB

MD5
7753df2f6faf71ca9b58b17c2d9da71a

SHA1
951cd3856f76d14329fa9f0c3fb3491ff8ef2c51

SHA256
ac8d7aba4d4d857ecd30d21f33c2fb63783829524b765391824cacf7695ddce1

SHA512
b9835b0df64e6429f353753a687d827c38451255431caef616a2cae02d1c1060d6dd969e35f8c46e887f7d0a226ca803188445d99976fefcb5439c2e265c4591

Download Submit
C:\Program Files\NTLite\NTLite.exe

Filesize
20.0MB

MD5
eed787aac7b2204e13953bc5f4cf23e4

SHA1
f2ecb95a1a71b6036cb2aa699f816cad5eb6675a

SHA256
15dac1b8b387339e8760fad2d84d8d50a3a6780e50bbf01f68be5281b6dff60f

SHA512
792c9fc8eb833011b62e8c790264dd4773cd220e97ae0258447fb6720598db17d2dc8eb1e2327ab773efc8405e69d4ef4ab8e7b33f2b04ba45227f15ec219388

Download Submit
C:\Program Files\NTLite\NTLite.exe

Filesize
20.0MB

MD5
eed787aac7b2204e13953bc5f4cf23e4

SHA1
f2ecb95a1a71b6036cb2aa699f816cad5eb6675a

SHA256
15dac1b8b387339e8760fad2d84d8d50a3a6780e50bbf01f68be5281b6dff60f

SHA512
792c9fc8eb833011b62e8c790264dd4773cd220e97ae0258447fb6720598db17d2dc8eb1e2327ab773efc8405e69d4ef4ab8e7b33f2b04ba45227f15ec219388

Download Submit
C:\Program Files\NTLite\NTLite.exe

Filesize
20.0MB

MD5
eed787aac7b2204e13953bc5f4cf23e4

SHA1
f2ecb95a1a71b6036cb2aa699f816cad5eb6675a

SHA256
15dac1b8b387339e8760fad2d84d8d50a3a6780e50bbf01f68be5281b6dff60f

SHA512
792c9fc8eb833011b62e8c790264dd4773cd220e97ae0258447fb6720598db17d2dc8eb1e2327ab773efc8405e69d4ef4ab8e7b33f2b04ba45227f15ec219388

Download Submit
C:\Program Files\NTLite\Tools\7-zip\x64\7z.dll

Filesize
1.8MB

MD5
23aace4fa7f82ccc64a9ce7de9611f9f

SHA1
29559b38b11bd86056e7b619eb0f42441e8ed49a

SHA256
3691b02252068bce59c26e73ef70acaea67b892ab8e079514d50153b3a8fd14c

SHA512
eac8e4617fd245ed52482c2e1d105d48c0d91130a5989eba4966c792c0237e06dbf7db09333f32d800a8e62d5cc1c7427f71ef33d29d035a7bb137b54498370d

Download Submit
C:\Program Files\NTLite\Tools\7-zip\x64\7z.dll

Filesize
1.8MB

MD5
23aace4fa7f82ccc64a9ce7de9611f9f

SHA1
29559b38b11bd86056e7b619eb0f42441e8ed49a

SHA256
3691b02252068bce59c26e73ef70acaea67b892ab8e079514d50153b3a8fd14c

SHA512
eac8e4617fd245ed52482c2e1d105d48c0d91130a5989eba4966c792c0237e06dbf7db09333f32d800a8e62d5cc1c7427f71ef33d29d035a7bb137b54498370d

Download Submit
C:\Program Files\NTLite\Website.url

Filesize
48B

MD5
3f6713c2c90a49b6951187bac3a0bda5

SHA1
49705ac5adcb9de49d48aa312a96247e9caba262

SHA256
f6e868955cb011851aecb86832537efa74c58107368fcc56c62e80429f47ebe6

SHA512
bde848d158b4ef06506d58ef6bed42d3a39d7444e6e983ad3103bfb1a9a50122a7b4c82f58033b443b9ddf5ca7fc1bbe246d17b4181c946da0ac8ed5c379588e

Download Submit
C:\Program Files\NTLite\unins000.exe

Filesize
3.1MB

MD5
39b0f74f30db22b0c8969a0d990f9f9d

SHA1
1597fe464fcb835bfea66377a694dbab7573dbd3

SHA256
3a4c4954883d473bb90b10ae2a8ee5409dbcb39672440fdae12fd15c62153fc5

SHA512
da1b907b7ffeaf4b1732d86892a063f5e396dc301392a2f088cec1e7d9a20e6c3b4aa11cae195e3196eb2e1a1944b9e042a22c3cdd7f3571e0ba3af3c2a58ac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
28KB

MD5
e3f4768541e1c6a6a2e232251f283052

SHA1
63c163962651ab59c3d8cf9613cddca1717df312

SHA256
1b880b97504aeacb9e72466a59df20c64b9be86713da879eb1f41c1a1f780121

SHA512
49749a5647c817170410dbd19786c26b371bade104723a8acabe343fd615c0729734fc57af59ea6d5cc415370e2a217db9d780b67d1f4938926668179221c9cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTLite.log

Filesize
281B

MD5
25942a628bf904d16cd1f97c6fbe507c

SHA1
d952f12abf00cb71fc4a998cd5c72b716c56f393

SHA256
faef20afeb94202736ffa7f1bc73a437e2937f434608318dc7ff69943efe603a

SHA512
0a62fe6cddc367310796d96c89f37adccfa44113b1dbc3e716f192643197136e5c6dad1b9743e30b7fcddb9cab6d52ae4abcf2c8ad2bb485a4e58b85848b4c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\NTLite.log

Filesize
451B

MD5
662f695479f2f02445764091ef76b9e4

SHA1
fc069f82430ff47dcd6eaffd4a229f07e6817464

SHA256
c751a5c58a2fe1c31128730767c547ec0dc266970adf309a0f8fd630bf9cbe4f

SHA512
4e93671b4fa13f9b012388f15c0dbf30152a3426deba92e813f8d87876623d41140c778f59ec47fcc48208d8ffafe7da81f5604da04827d32ae15a8f80698327

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8JOTC.tmp\NTLite_setup_x64.tmp

Filesize
3.1MB

MD5
39b0f74f30db22b0c8969a0d990f9f9d

SHA1
1597fe464fcb835bfea66377a694dbab7573dbd3

SHA256
3a4c4954883d473bb90b10ae2a8ee5409dbcb39672440fdae12fd15c62153fc5

SHA512
da1b907b7ffeaf4b1732d86892a063f5e396dc301392a2f088cec1e7d9a20e6c3b4aa11cae195e3196eb2e1a1944b9e042a22c3cdd7f3571e0ba3af3c2a58ac6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8JOTC.tmp\NTLite_setup_x64.tmp

Filesize
3.1MB

MD5
39b0f74f30db22b0c8969a0d990f9f9d

SHA1
1597fe464fcb835bfea66377a694dbab7573dbd3

SHA256
3a4c4954883d473bb90b10ae2a8ee5409dbcb39672440fdae12fd15c62153fc5

SHA512
da1b907b7ffeaf4b1732d86892a063f5e396dc301392a2f088cec1e7d9a20e6c3b4aa11cae195e3196eb2e1a1944b9e042a22c3cdd7f3571e0ba3af3c2a58ac6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\c6d010e82392216311e3dad96d6d8568_2007c659-eb65-4631-bf41-16f7650120a3

Filesize
65B

MD5
370c147a11528605819c28a1dbb002fd

SHA1
8012cd5716012b58aff716e8c9211a0cb713302e

SHA256
9e4310aa199dff8a5cd4d66539c7945c614283aea8e9d2621da82340953646eb

SHA512
5a21bbd89ad062c2bdbf1a3ab8fcf8867e30acfbcecedab0e5cc9c67318a76d03d507f1b676e23cc6cef193f6c0070c4d9d7aec80f1638bfe638eb174271878d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1529757233-3489015626-3409890339-1000\c6d010e82392216311e3dad96d6d8568_2007c659-eb65-4631-bf41-16f7650120a3

Filesize
65B

MD5
1ef5e829303a139ce967440e0cdca10c

SHA1
f0fa45906bd0f4c3668fcd0d8f68d4b298b30e5b

SHA256
98ce42deef51d40269d542f5314bef2c7468d401ad5d85168bfab4c0108f75f7

SHA512
19dc6ae12de08b21b36c1ec7f353ce9e7cef73fa4d1354c436234167f0847bc9e2b85e2f36208f773ef324e2d79e6af1beca4470e44b8672b47d077efe33a1f8

Download Submit
memory/1964-267-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1964-141-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1964-139-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/3164-261-0x00007FF7FA610000-0x00007FF7FBDA0000-memory.dmp

Filesize
23.6MB

Download
memory/3164-334-0x00007FF7FA610000-0x00007FF7FBDA0000-memory.dmp

Filesize
23.6MB

Download
memory/3164-335-0x0000020979DC0000-0x000002097B237000-memory.dmp

Filesize
20.5MB

Download
memory/3164-337-0x00000209783B0000-0x00000209783C0000-memory.dmp

Filesize
64KB

Download
memory/3164-265-0x0000020979DC0000-0x000002097B237000-memory.dmp

Filesize
20.5MB

Download
memory/3164-283-0x00000209783B0000-0x00000209783C0000-memory.dmp

Filesize
64KB

Download
memory/3164-274-0x00000209783F0000-0x00000209783F9000-memory.dmp

Filesize
36KB

Download
memory/3164-270-0x0000020979DC0000-0x000002097B237000-memory.dmp

Filesize
20.5MB

Download
memory/4092-133-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4092-140-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4092-268-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download