61c1c11c4054e61ab9fa8777caeaf9c84821ad1b7e773e4bc8b5d844d90e8c7d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Lets20Compress.exe
Size

16.8MB
MD5

c34118d64ca94041f56cbeba5daf9abd
SHA1

14ef602cc6ea87ac0f961fc3dac25a4e56923e00
SHA256

61c1c11c4054e61ab9fa8777caeaf9c84821ad1b7e773e4bc8b5d844d90e8c7d
SHA512

ca6878539c9e4f590f628785794ee1fe7c0f0cb8148ef0657e57de33d37595439731b299a42008a6fc6cb282da6cca97adc48f9e52ca083d171568a9f1f3d150
SSDEEP

393216:neTuAoAu6yJEULuZmyGdM90bq/5H7hifJJ8fM:nAJZcEUSG40bY1ihJ8U

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
27	1308	powershell.exe
29	4240	powershell.exe
30	3680	powershell.exe
41	3716	powershell.exe
56	3108	powershell.exe

Loads dropped DLL 22 IoCs

pid	Process
2380	Lets20Compress.exe
2380	Lets20Compress.exe
4144	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
4892	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
1940	MsiExec.exe
2380	Lets20Compress.exe
1940	MsiExec.exe
1940	MsiExec.exe
4892	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	Lets20Compress.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	Lets20Compress.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	Lets20Compress.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	Lets20Compress.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	Lets20Compress.exe
File opened (read-only)	\??\O:	Lets20Compress.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	Lets20Compress.exe
File opened (read-only)	\??\V:	Lets20Compress.exe
File opened (read-only)	\??\Y:	Lets20Compress.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	Lets20Compress.exe
File opened (read-only)	\??\R:	Lets20Compress.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	Lets20Compress.exe
File opened (read-only)	\??\Z:	Lets20Compress.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	Lets20Compress.exe
File opened (read-only)	\??\S:	Lets20Compress.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	Lets20Compress.exe
File opened (read-only)	\??\N:	Lets20Compress.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	Lets20Compress.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	Lets20Compress.exe
File opened (read-only)	\??\W:	Lets20Compress.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	Lets20Compress.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{B97D3330-5AE2-4322-81E2-D11BBDC99C02}	msiexec.exe
File created	C:\Windows\Installer\e5851a5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5851a5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5290.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI535C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI58DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5AC1.tmp	msiexec.exe
File created	C:\Windows\Installer\e5851a7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EF9.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI53BB.tmp	msiexec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3752	powershell.exe
1308	powershell.exe
4240	powershell.exe
3680	powershell.exe
3716	powershell.exe
2236	powershell.exe
3108	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lets20Compress.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c4d65e62b69e8e0b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c4d65e620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c4d65e62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc4d65e62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c4d65e6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8	Lets20Compress.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 0f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c0b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000006200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df8653000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c01400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b1d00000001000000100000005467b0adde8d858e30ee517b1a19ecd909000000010000000c000000300a06082b060105050703030300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b8200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Lets20Compress.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8\Blob = 1900000001000000100000005d1b8ff2c30f63f5b536edd400f7f9b40300000001000000140000004efc31460c619ecae59c1bce2c008036d94c84b809000000010000000c000000300a06082b060105050703031d00000001000000100000005467b0adde8d858e30ee517b1a19ecd91400000001000000140000001f00bf46800afc7839b7a5b443d95650bbce963b53000000010000001f000000301d301b060567810c010330123010060a2b0601040182373c0101030200c06200000001000000200000007b9d553e1c92cb6e8803e137f4f287d4363757f5d44b37d52f9fca22fb97df860b000000010000004200000047006c006f00620061006c005300690067006e00200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400350000000f0000000100000030000000c130bba37b8b350e89fd5ed76b4f78777feee220d3b9e729042bef6af46e8e4c1b252e32b3080c681bc9a8a1afdd0a3c200000000100000076050000308205723082035aa00302010202107653feac75464893f5e5d74a483a4ef8300d06092a864886f70d01010c05003053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f7420523435301e170d3230303331383030303030305a170d3435303331383030303030305a3053310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613129302706035504031320476c6f62616c5369676e20436f6465205369676e696e6720526f6f742052343530820222300d06092a864886f70d01010105000382020f003082020a0282020100b62dc530dd7ae8ab903d0372b03a4b991661b2e5ffa5671d371ce57eec9383aa84f5a3439b98458ab863575d9b00880425e9f868924b82d84bc94a03f3a87f6a8f8a6127bda144d0fdf53f22c2a34f918db305b22882915dfb5988050b9706c298f82ca73324ee503a41ccf0a0b07b1d4dd2a8583896e9dff91b91bb8b102cd2c7431da20974a180af7be6330a0c596b8ebcf4ab5a977b7fae55fb84f080fe844cd7e2babdc475a16fbd61107444b29807e274abff68dc6c263ee91fe5e00487ad30d30c8d037c55b816705c24782025eb676788abba4e34986b7011de38cad4bea1c09ce1df1e0201d83be1674384b6cffc74b72f84a3bfba09373d676cb1455c1961ab4183f5ac1deb770d464773cebfbd9595ed9d2b8810fefa58e8a757e1b3cfa85ae907259b12c49e80723d93dc8c94df3b44e62680fcd2c303f08c0cd245d62ee78f989ee604ee426e677e42167162e704f960c664a1b69c81214e2bc66d689486c699747367317a91f2d48c796e7ca6bb7e466f4dc585122bcf9a224408a88537ce07615706171224c0c43173a1983557477e103a45d92da4519098a9a00737c4651aaa1c6b1677f7a797ec3f1930996f31fbea40b2e7d2c4fac9d0f050767459fa8d6d1732bef8e97e03f4e787759ad44a912c850313022b4280f2896a36cfc84ca0ce9ef8cb8dad16a7d3ded59b18a7c6923af18263f12e0e2464df0203010001a3423040300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e041604141f00bf46800afc7839b7a5b443d95650bbce963b300d06092a864886f70d01010c050003820201005e2bba749734445f764828408493ee016ee9a1b3d68025e67be4bc09913d0ffc76add7d43020bb8f60d091d61cf29cef781a2b943202c12496525202d0f3d1fcf29b396e99e11f8e43417d9a1e5bc95d9a84fc26e687f3747226ada41bd93d3b6a52a03c091e2f1e7bb333b445c7f7acb1af9360ad76aeb8b21578eb836aebffdb46ab24e5ee02fa901f59c02f5dd6b75da45c10b77253f8414eccfa781a254acafe85624361c3b437aa81d2f4d63a0fbd8d597e3047de2b6be72150335fd4679bd4b8679f3c279903ff85438e7312ca20cde861d5b166dc17d6396d0fdbcf2337a182894e1c6b3fd6a0cdaa079d3e4226aad70ceefa47bf1a527ed17581d3c98a62176d4f88a021a0263eaf6dd962301fe99828ae6e8dd58e4c726693808d2ae355c760679042565c22510fb3dc4e39ee4dddd91d7810543b6ed0976f03b51eb22373c612b29a64d0fc958524a8ffdfa1b0dc9140aedf0933abb9dd92b7f1cc91743b69eb67971b90bfe7c7a06f71bb57bfb78f5aed7a406a16cd80842d2fe102d4249443b315fc0c2b1bfd716ffccbbc75173a5e83d2c9b32f1bd59c8d7f54fe7e7ee456a387a79de1595294418f6d5bbe86959aff1a76dd40d2514a70b41f336323773fec271e59e40887ed34824a0f3ffea01dc1f56773458678f4aa29e92787c619dbc61314c33949874da097e06513f59d7756e9dab358c73af2c0cd82	Lets20Compress.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3752	powershell.exe
3752	powershell.exe
1308	powershell.exe
1308	powershell.exe
4240	powershell.exe
4240	powershell.exe
3680	powershell.exe
3680	powershell.exe
3716	powershell.exe
3716	powershell.exe
1824	msiexec.exe
1824	msiexec.exe
2236	powershell.exe
2236	powershell.exe
2236	powershell.exe
3108	powershell.exe
3108	powershell.exe
3108	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	1824	msiexec.exe
Token: SeCreateTokenPrivilege	2380	Lets20Compress.exe
Token: SeAssignPrimaryTokenPrivilege	2380	Lets20Compress.exe
Token: SeLockMemoryPrivilege	2380	Lets20Compress.exe
Token: SeIncreaseQuotaPrivilege	2380	Lets20Compress.exe
Token: SeMachineAccountPrivilege	2380	Lets20Compress.exe
Token: SeTcbPrivilege	2380	Lets20Compress.exe
Token: SeSecurityPrivilege	2380	Lets20Compress.exe
Token: SeTakeOwnershipPrivilege	2380	Lets20Compress.exe
Token: SeLoadDriverPrivilege	2380	Lets20Compress.exe
Token: SeSystemProfilePrivilege	2380	Lets20Compress.exe
Token: SeSystemtimePrivilege	2380	Lets20Compress.exe
Token: SeProfSingleProcessPrivilege	2380	Lets20Compress.exe
Token: SeIncBasePriorityPrivilege	2380	Lets20Compress.exe
Token: SeCreatePagefilePrivilege	2380	Lets20Compress.exe
Token: SeCreatePermanentPrivilege	2380	Lets20Compress.exe
Token: SeBackupPrivilege	2380	Lets20Compress.exe
Token: SeRestorePrivilege	2380	Lets20Compress.exe
Token: SeShutdownPrivilege	2380	Lets20Compress.exe
Token: SeDebugPrivilege	2380	Lets20Compress.exe
Token: SeAuditPrivilege	2380	Lets20Compress.exe
Token: SeSystemEnvironmentPrivilege	2380	Lets20Compress.exe
Token: SeChangeNotifyPrivilege	2380	Lets20Compress.exe
Token: SeRemoteShutdownPrivilege	2380	Lets20Compress.exe
Token: SeUndockPrivilege	2380	Lets20Compress.exe
Token: SeSyncAgentPrivilege	2380	Lets20Compress.exe
Token: SeEnableDelegationPrivilege	2380	Lets20Compress.exe
Token: SeManageVolumePrivilege	2380	Lets20Compress.exe
Token: SeImpersonatePrivilege	2380	Lets20Compress.exe
Token: SeCreateGlobalPrivilege	2380	Lets20Compress.exe
Token: SeCreateTokenPrivilege	2380	Lets20Compress.exe
Token: SeAssignPrimaryTokenPrivilege	2380	Lets20Compress.exe
Token: SeLockMemoryPrivilege	2380	Lets20Compress.exe
Token: SeIncreaseQuotaPrivilege	2380	Lets20Compress.exe
Token: SeMachineAccountPrivilege	2380	Lets20Compress.exe
Token: SeTcbPrivilege	2380	Lets20Compress.exe
Token: SeSecurityPrivilege	2380	Lets20Compress.exe
Token: SeTakeOwnershipPrivilege	2380	Lets20Compress.exe
Token: SeLoadDriverPrivilege	2380	Lets20Compress.exe
Token: SeSystemProfilePrivilege	2380	Lets20Compress.exe
Token: SeSystemtimePrivilege	2380	Lets20Compress.exe
Token: SeProfSingleProcessPrivilege	2380	Lets20Compress.exe
Token: SeIncBasePriorityPrivilege	2380	Lets20Compress.exe
Token: SeCreatePagefilePrivilege	2380	Lets20Compress.exe
Token: SeCreatePermanentPrivilege	2380	Lets20Compress.exe
Token: SeBackupPrivilege	2380	Lets20Compress.exe
Token: SeRestorePrivilege	2380	Lets20Compress.exe
Token: SeShutdownPrivilege	2380	Lets20Compress.exe
Token: SeDebugPrivilege	2380	Lets20Compress.exe
Token: SeAuditPrivilege	2380	Lets20Compress.exe
Token: SeSystemEnvironmentPrivilege	2380	Lets20Compress.exe
Token: SeChangeNotifyPrivilege	2380	Lets20Compress.exe
Token: SeRemoteShutdownPrivilege	2380	Lets20Compress.exe
Token: SeUndockPrivilege	2380	Lets20Compress.exe
Token: SeSyncAgentPrivilege	2380	Lets20Compress.exe
Token: SeEnableDelegationPrivilege	2380	Lets20Compress.exe
Token: SeManageVolumePrivilege	2380	Lets20Compress.exe
Token: SeImpersonatePrivilege	2380	Lets20Compress.exe
Token: SeCreateGlobalPrivilege	2380	Lets20Compress.exe
Token: SeCreateTokenPrivilege	2380	Lets20Compress.exe
Token: SeAssignPrimaryTokenPrivilege	2380	Lets20Compress.exe
Token: SeLockMemoryPrivilege	2380	Lets20Compress.exe
Token: SeIncreaseQuotaPrivilege	2380	Lets20Compress.exe
Token: SeMachineAccountPrivilege	2380	Lets20Compress.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2380	Lets20Compress.exe
3592	msiexec.exe
3592	msiexec.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 4144	1824	msiexec.exe	85
PID 1824 wrote to memory of 4144	1824	msiexec.exe	85
PID 1824 wrote to memory of 4144	1824	msiexec.exe	85
PID 2380 wrote to memory of 3592	2380	Lets20Compress.exe	86
PID 2380 wrote to memory of 3592	2380	Lets20Compress.exe	86
PID 2380 wrote to memory of 3592	2380	Lets20Compress.exe	86
PID 1824 wrote to memory of 4892	1824	msiexec.exe	89
PID 1824 wrote to memory of 4892	1824	msiexec.exe	89
PID 1824 wrote to memory of 4892	1824	msiexec.exe	89
PID 4892 wrote to memory of 3752	4892	MsiExec.exe	92
PID 4892 wrote to memory of 3752	4892	MsiExec.exe	92
PID 4892 wrote to memory of 3752	4892	MsiExec.exe	92
PID 4892 wrote to memory of 1308	4892	MsiExec.exe	101
PID 4892 wrote to memory of 1308	4892	MsiExec.exe	101
PID 4892 wrote to memory of 1308	4892	MsiExec.exe	101
PID 4892 wrote to memory of 4240	4892	MsiExec.exe	104
PID 4892 wrote to memory of 4240	4892	MsiExec.exe	104
PID 4892 wrote to memory of 4240	4892	MsiExec.exe	104
PID 4892 wrote to memory of 3680	4892	MsiExec.exe	107
PID 4892 wrote to memory of 3680	4892	MsiExec.exe	107
PID 4892 wrote to memory of 3680	4892	MsiExec.exe	107
PID 4892 wrote to memory of 3716	4892	MsiExec.exe	112
PID 4892 wrote to memory of 3716	4892	MsiExec.exe	112
PID 4892 wrote to memory of 3716	4892	MsiExec.exe	112
PID 1824 wrote to memory of 3536	1824	msiexec.exe	121
PID 1824 wrote to memory of 3536	1824	msiexec.exe	121
PID 1824 wrote to memory of 1940	1824	msiexec.exe	123
PID 1824 wrote to memory of 1940	1824	msiexec.exe	123
PID 1824 wrote to memory of 1940	1824	msiexec.exe	123
PID 1940 wrote to memory of 2236	1940	MsiExec.exe	124
PID 1940 wrote to memory of 2236	1940	MsiExec.exe	124
PID 1940 wrote to memory of 2236	1940	MsiExec.exe	124
PID 4892 wrote to memory of 3108	4892	MsiExec.exe	129
PID 4892 wrote to memory of 3108	4892	MsiExec.exe	129
PID 4892 wrote to memory of 3108	4892	MsiExec.exe	129

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\Lets20Compress.exe
"C:\Users\Admin\AppData\Local\Temp\Lets20Compress.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\DC99C02\Let's Compress 06052024.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Lets20Compress.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731872968 "
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:3592

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CFCD417265C11CCFF071204F82A1F137 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4144
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1DB3B5E17D11B0439B688688D74A83BB C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssA1C1.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiA1BE.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrA1BF.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrA1C0.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3752
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssC849.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiC827.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrC828.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrC829.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1308
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssE0E7.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiE096.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrE097.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrE098.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4240
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssF465.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiF423.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrF424.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrF425.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssC76.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiC73.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrC74.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrC75.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3716
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss7C7B.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi7C68.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr7C69.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr7C7A.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3108
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3536
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BE740D728F1E8817D533DFD4189B475E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss5F06.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi5EF4.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr5EF5.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr5EF6.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2236

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5851a6.rbs

Filesize
22KB

MD5
057e02c5a50a9236a5ab0ff8414859a6

SHA1
72970c4fcbdc03b210dc6158b1ffa992db51805a

SHA256
3a9291a59347130d0457b6e0fd967e363d8305f6edf9d18446cb49d7cc083d04

SHA512
9fc7c27876e26fe655ee84f123a82ec6dbcd7bc38de4ee013cc707ef51ffc1e75866da34372c2b42bc55206ffaf910921be470484c34d91a91903d42fbf994af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_0874219B044A8B455E064D4219E8929B

Filesize
1KB

MD5
16d4da58a3b58f4db7a95e29666c2fc2

SHA1
bf69db6b9eb499b1e8bb85272032340e886f1e56

SHA256
ba9c8afbda994c10189533e0716fe42ea22bb71438545cb780cd4f373a176d29

SHA512
7d358e5c114d1db1a7990e65bff450165849c53330630b525c96cfc6d27fafda56f9d1b0d9f73bc36d1d0ec6da6cae7cd323ed529557b09385fc0066b4c0ac16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
4bb89695260668668f0c2320050afbd9

SHA1
68a662889f95110e81da0fcc5815e03d1c184e27

SHA256
219ee398212b3e55a4ec97e68e1cf50e9528a738b96da8dd60cc0c943ce57dcb

SHA512
d1549e03cd5bd2fdbed32a20099334f0835627b4337c1ba9d83acf3372336fe139f5c601f6bb2c1d67ba59082ba150a605b14599de9c01c56750373744548ba0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_0874219B044A8B455E064D4219E8929B

Filesize
536B

MD5
553cb60ec591039e64c187d0ec34ee7f

SHA1
28b8228801f83be8295df0dc0c87d6b77de0b361

SHA256
40646c2988c9904303c1a503187e80e3558fdaac0829a0b3abd4dc0426a2de4b

SHA512
6c48af4ba822a5ffea845cce3b4038c83eb0d6285cee8c505746c4f99f041eb04d57a7d40ee699ce5d78e35ee5f0072e2d9740cdf1088f93627e0091a8e6c21e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
ecdc7ad7a9bc43a49b9dffc208dcb462

SHA1
6fe359850aa3560820b9edc5ac156f30211db6cf

SHA256
ff5d0ced619d245eca1fd201b31acb44ecfa8f15b7ebee63b5450be9724ffae5

SHA512
cee6ca481bce95ce22e8c18233b1d6e1124ccb90729ba6f65dc641a9fb4a4259bc9423cfdc1fa0546af9d211b85ebc1de6a0410f51478c898844d8b66d6b357d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
74a0c40c4e2bd9cfac76970d0557a5d4

SHA1
809088957d92a603f2aaf0fca5b30168e5ed0dd3

SHA256
316285729dfec8a91b0c3fa76f4af643e7fe8627f3fb3fbe2ed45ac917439a47

SHA512
a8019212e2657b6f4ca5695de263ecb4efd01f137e9a50adaea4b22844af7081fe11982f03cfbeebe1a5bf14bf4d638a7b6c42413efbb87b12e8a4188ad2c93d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
ea3e61b3b40aa3998217531edc0b7821

SHA1
a4b19c592610b65f813826c97e002d79a67d98de

SHA256
9e91a1cb9e130a7ad38435c240803db7b74005078406045621b6b700b4f4dd96

SHA512
654e857e5baa60b1d8f8c2fc4ab465c3dddec1d4e061a00ec7d8512a486ad09d94e34e898d53efc09cb4b08aa8c4d751b14e0c9aa30e2a59a2a385a133284cc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
e33f16024f10d959d612616f68f591d4

SHA1
4460f18a1d69c309d445c953f3b4d226bfd2b428

SHA256
ec9ef3e6d5231b25e70f259ae70fb2ba8cf73df60281b7808ddd3c294e0d7ac9

SHA512
6be27d3a8b9523fabf302fc2fa12cdca0b8cbed392381e9d69e4ac6cc4fe2ad61d31082f1dfa287204ab835e8e9ae55e720ca6e5b03dfaf846a352b160e7babd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
739f1820f6cbfe621fbb999b5b7f9206

SHA1
7fd7234a3bfaabd63c764aeb4b66e959eb0c8ed2

SHA256
b3fd39ce019e6a574d56c25b9fb5ca49029a9f8e5d89a2cb14713f9d31e28f7f

SHA512
eab594fef01572cb54c04f8c0ab2eeb2e0bb8896ce32134200a599efce285e177eb83b5c204654a46a3d86ffde2bbf05f782e1dd02c6a26599af42c57ff80019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
04037bc9948ef84bbdf90b3d70e56989

SHA1
740e607b7145b580624e82b48b57e083b1c75b75

SHA256
b534a8f70ad7ea6c52e134b5151f9abfc8f7c8af9eccf197ad41b616412d3d7e

SHA512
4998ad3035163bd1d29e0f7ea35efaf7971821f84fd81745cd516fbe43fa22cdf8cb64e28309f69838bd416f0211a4c8c0f708ebadc96b462b278e0d675543a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9B85.tmp

Filesize
386KB

MD5
72b1c6699ddc2baab105d32761285df2

SHA1
fc85e9fb190f205e6752624a5231515c4ee4e155

SHA256
bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

SHA512
cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA1B5.tmp

Filesize
670KB

MD5
846afe3ed676561d5f2cb293177f6c03

SHA1
bd31e948dca976ab54f8a01b87cbd6920659dc92

SHA256
d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

SHA512
e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ProF466.tmp

Filesize
25B

MD5
1b43037b95cb93e3ecc6b8b52d222bbb

SHA1
bada46a26d7531bf320308f1ec9dee2257811ec1

SHA256
a12412aaafbe703d3cf088a104de212bcec0b1dda826957a18a093e1fd353037

SHA512
ae8c4c36081e29963b8d5d05db81f4dff5dc8a877df912e14bbe2f4d594004a747a8585c962dab33ec7a2e3c5769ff62321c5f764668c4e7a052de3e73f2768c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tt0qjwt3.4pz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\msiC827.txt

Filesize
202B

MD5
dc0deabc7403be926e4388180d04c50e

SHA1
1b8b9320419c3164ae1491587061d2632ff73cec

SHA256
884dcb3a49831d2fe08e9c6190b4821a927e5a327d0d73f6aef7cbbf6f448fc0

SHA512
681d991009e83844f75b9ffede5180650995acdfd935556705e8594385d3cac4109efaf4924d889e89f22cc7ac708c8f1a22ccdfbbb7baa083cf458833f9b4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssA1C1.ps1

Filesize
5KB

MD5
8f69da7a9f4b3c2d0f423583b262ed49

SHA1
b6d2ceb18fe78d279f76f412e4660bff5f6a88c7

SHA256
dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43

SHA512
71782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssC76.ps1

Filesize
35KB

MD5
4a5e7ccc783aca1dadaf19400bb30243

SHA1
a65e5cab0569abe833b0201ebbc381753501a247

SHA256
d5660753ec720c3761c2df95279968257abed016b4aa890cb858a577cb8d5954

SHA512
b3e53c2ebc7f0ff8019e5afc1cd724143f1c3718a5a98c65b51da9666a3059c4836b950a9c438d45c68f8e731f4b3de27246bc22f45dd46593455ccdaa1dd931

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssC849.ps1

Filesize
35KB

MD5
921c1530f468a03721ad3b5778ff21c4

SHA1
92ec47a71e3a5dfcf4afef6a04087b50451ae46c

SHA256
c1fc70194720b6984284845817d40e54d51588156a0cc6a49fe888c1bba9bf0f

SHA512
90d33523b37014c3224312ae5a29c769eeb9505faa79e5fc286187916c8cc0e18a44c09a3b671a77972d97c473598039289764ef4beed3450b5691ebad1fd559

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssE0E7.ps1

Filesize
35KB

MD5
0791096e8b998a86a3a8d11256244059

SHA1
b38c9b06c02738db0182e806d766370ae5439362

SHA256
975cd5eb18dee3067e12bf7a0609ab53b3bb1e68c48337647b3112e20f9fb8e3

SHA512
5f6c7bcf95dc71d732c3bc89e37ca94795962715f8fe2d183e23f07215cf018c6a56d01dab2deab1707898385b3dc9f1b56281096132d5b927a1260b6b7ee3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssF465.ps1

Filesize
35KB

MD5
1771da38a05dbc54dedba7bb06b0c719

SHA1
9582f4cd02f7c17a4f30af5bb1ba94e3fc8df727

SHA256
e983eba5229fd09430d942005b6873aceb7910ce5378ca2ee5991be0f8905028

SHA512
92adec8d4837c4792f04a2c079b42a973da0a1d36da5846dbd4c24ed7286369623f16d753190c5deae945349e5b2c21b77b2a59d69d814d1b75ddc699e306aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrA1BF.ps1

Filesize
1KB

MD5
112071ff00de034a6d5a4738d0112015

SHA1
f4dadedefebb237a3da3a8d38fe7cd1890f5e999

SHA256
caeff8215d14706bb3de55f6fe8811f22ae36bde28a619f48480596ab93514e4

SHA512
a784445f14a20d5ff5cff5afc7f3bf2cc8a11dd752a728e3d09ff10282954eb0018d90ebd621b98a07ca8e022adbe63643c11a7e72455ce6b899c1d605016dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrC74.ps1

Filesize
30KB

MD5
0aeaffae4dfae7a6881f9c4ebf793fff

SHA1
ce85584d4e97649681256f76b9fad523ab943eb6

SHA256
456620d70528f746a9d7f4dfe6de0a17b33b4f18606fb71a7dbcd2f275c63dd2

SHA512
0e10bff3cb045ec46ffe90b60579654970ccdfb1e333aa3372f8601bf5a8941587408b5249ba14680c4beb9e8f48f7b54db9fe85c580fd9ecaabaa4f96b3d8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrC828.ps1

Filesize
30KB

MD5
293c08e42d131f47adcb654164db8691

SHA1
b621e8a63a9dd801cb669e5ba11bb04f0de5407a

SHA256
83a430db3c56e3637873f292b90cb4e643479ee9d8fff8f4f00b40e9ebd3f606

SHA512
9d8f9d9896badb302ced635e658ef899fed4e1dfedaf14af075691e50f2682e25b27ae8d7210eb4129ea244335e55202d82d7e727cca5ea15293f06e1e4620e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrE097.ps1

Filesize
30KB

MD5
32a9a87385259b48bb0e1abd4208047b

SHA1
ccbbb91ba87b695cd1a8f9d3e41e617c41d17d0e

SHA256
bd9de559cbc14abbd1be0f514137a908e557eacd53b660f117bbf8cae05c0988

SHA512
3ed049eef080021a4b6f4e40ee08e1ab5c8bc0a4b209bd2e96431db0b9f0c18627ec98603da93915927df9dfd4876944786c280181c39609c0e42947048df132

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrF424.ps1

Filesize
30KB

MD5
849c1e53d083ba3303ffb0e452d5a3ba

SHA1
636df73cdc17565438fdcc1c83f412707ec6ac7b

SHA256
ed1db5eac86be404d164953f67c0fe49e1dbe773fcea1306a388ba9a69bde454

SHA512
045d22dd1a960705612b7c1c54e98dfa63e6bc47902cd21e71b911a49895f0b08540323f249c18cae152033032de83e0ba955ea21d4193899136811111c1d3dc

Download Submit
C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\DC99C02\Let's Compress 06052024.msi

Filesize
2.9MB

MD5
6e0a0b2f7c7ecd3556ec495aedc3d2c3

SHA1
13e1b312e594a1b35602391e32334080dee68eaa

SHA256
f1fe9acd58595bc3c85275ac9ba790c7bee2e5d00c8e5b42298f77af00ed7e0e

SHA512
9513eea25c77bfa01eddb918c87234a9e1cf2fc753ff6078ea040408c7978519f896110a4b8446b3075f9390b6662bbd2a7fb794e064142006dc8238427f670b

Download Submit
C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\DC99C02\translations\qt_ar.qm

Filesize
156KB

MD5
ced94831acb03de85d682ef997425446

SHA1
bdcb654b0b665e7e222343b24224c5e1620292ba

SHA256
eb09d3211567f7a0419738a8b29c8f8dffd33a72cc7826f8a06b04dd63e7b80d

SHA512
7731afa705de33543d0db78ae8a2b1368977abac302a005733be861b80f8f23acccb94c106d7f7006299689c506ea861877100647968d264225ce9c3d804b37e

Download Submit
C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\DC99C02\util\7z.dll

Filesize
1.7MB

MD5
bbf51226a8670475f283a2d57460d46c

SHA1
6388883ced0ce14ede20c7798338673ff8d6204a

SHA256
73578f14d50f747efa82527a503f1ad542f9db170e2901eddb54d6bce93fc00e

SHA512
f68eb9c4ba0d923082107cff2f0e7f78e80be243b9d92cfab7298f59461fcca2c5c944d4577f161f11a2011c0958a3c32896eba4f0e89cd9f8aed97ab5bc74f9

Download Submit
C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\DC99C02\util\7z.exe

Filesize
543KB

MD5
a0c70c70012ceeb9f530591b06afe301

SHA1
4f07a76400d351234c0608b1cf82e67aa0dd424f

SHA256
3ea06b3bb6df1917ae2c6721ccaf1af368acbeb560c4587025467a0865b66863

SHA512
13a1a91f702ab0e87044e318f0e6b5558c01eb231b411dd77597dacee72d8d75d9a0bb6293a7a16a1eb342aeb06e1033e144facaefc7073e20a248de352caff5

Download Submit
C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\decoder.dll

Filesize
206KB

MD5
9d45f2790dda55df2d99ef66dcb2019d

SHA1
f2a369c1b82476e2e0641f95394dd4dee8223f01

SHA256
9b7ff49f7e1d0a39826ec458c8004b20a65a4bd0592b083f38b01e2dbc2b510f

SHA512
9bef561ec6908dcd7e75f5f63cff8b1ec73e9be2b4e4aa5602182cde18d691cc28259b980c87246c5d27b4284bc783fba44d92a202f77b15f3e65c89dd3aa069

Download Submit
C:\Windows\Installer\MSI53BB.tmp

Filesize
544KB

MD5
40117f705bff008c3d96a73162dad044

SHA1
2735813836f36b5de83a745c47628053a0f61f66

SHA256
32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

SHA512
eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

Download Submit
memory/1308-150-0x00000000080F0000-0x00000000082B2000-memory.dmp

Filesize
1.8MB

Download
memory/1308-135-0x0000000005B60000-0x0000000005EB4000-memory.dmp

Filesize
3.3MB

Download
memory/1308-146-0x00000000067A0000-0x00000000067EC000-memory.dmp

Filesize
304KB

Download
memory/2236-491-0x0000000006230000-0x0000000006584000-memory.dmp

Filesize
3.3MB

Download
memory/2236-496-0x000000006E720000-0x000000006E76C000-memory.dmp

Filesize
304KB

Download
memory/2236-497-0x000000006EA90000-0x000000006EDE4000-memory.dmp

Filesize
3.3MB

Download
memory/2236-507-0x0000000007D80000-0x0000000007E23000-memory.dmp

Filesize
652KB

Download
memory/2236-508-0x0000000008020000-0x0000000008031000-memory.dmp

Filesize
68KB

Download
memory/3752-93-0x0000000005C30000-0x0000000005C4E000-memory.dmp

Filesize
120KB

Download
memory/3752-118-0x000000006E7C0000-0x000000006EB14000-memory.dmp

Filesize
3.3MB

Download
memory/3752-117-0x0000000007370000-0x0000000007394000-memory.dmp

Filesize
144KB

Download
memory/3752-116-0x0000000007340000-0x000000000736A000-memory.dmp

Filesize
168KB

Download
memory/3752-115-0x00000000071C0000-0x00000000071CA000-memory.dmp

Filesize
40KB

Download
memory/3752-114-0x00000000070E0000-0x0000000007183000-memory.dmp

Filesize
652KB

Download
memory/3752-113-0x0000000007060000-0x000000000707E000-memory.dmp

Filesize
120KB

Download
memory/3752-103-0x000000006E650000-0x000000006E69C000-memory.dmp

Filesize
304KB

Download
memory/3752-102-0x00000000070A0000-0x00000000070D2000-memory.dmp

Filesize
200KB

Download
memory/3752-100-0x0000000008240000-0x00000000088BA000-memory.dmp

Filesize
6.5MB

Download
memory/3752-99-0x0000000007610000-0x0000000007BB4000-memory.dmp

Filesize
5.6MB

Download
memory/3752-98-0x00000000061C0000-0x00000000061E2000-memory.dmp

Filesize
136KB

Download
memory/3752-97-0x0000000006150000-0x000000000616A000-memory.dmp

Filesize
104KB

Download
memory/3752-96-0x0000000006FC0000-0x0000000007056000-memory.dmp

Filesize
600KB

Download
memory/3752-94-0x0000000005C60000-0x0000000005CAC000-memory.dmp

Filesize
304KB

Download
memory/3752-92-0x0000000005680000-0x00000000059D4000-memory.dmp

Filesize
3.3MB

Download
memory/3752-82-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3752-81-0x00000000055A0000-0x0000000005606000-memory.dmp

Filesize
408KB

Download
memory/3752-80-0x0000000004C80000-0x0000000004CA2000-memory.dmp

Filesize
136KB

Download
memory/3752-79-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/3752-78-0x0000000000EA0000-0x0000000000ED6000-memory.dmp

Filesize
216KB

Download