Analysis

max time kernel: 146s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-11-2024 03:40
Static task: static1

Behavioral task: behavioral1
Sample: 10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
Resource: win10v2004-20241007-en
General

Target: 10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
Size: 40.6MB
MD5: 4e0c73259e83e8d5f36be55d4a937307
SHA1: 539d747d30c16f50ddf6b72da1426709edce5732
SHA256: 10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9
SHA512: eaca63ff0faafdd6014864517a9fb92e82d970c99084d6cbf5b493b0b0ca6372541493f4c11b426c09b160369fb4da07d928d74a20078ab3e0743b54e5be99b5
SSDEEP: 786432:BxAq3kvG6v0/moop9AaRDEzVARzgsBBSs7ndpTp1Z4qaNrk+0/iClRu:cqUvL8/mfACxgUBSkdvAPy6CPu
Malware Config

Signatures

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Drops file in Drivers directory 3 IoCs

description | ioc | Process
File opened for modification | C:\Windows\System32\drivers\SET1B92.tmp | DrvInst.exe
File created | C:\Windows\System32\drivers\SET1B92.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\drivers\tap0901.sys | DrvInst.exe
Adds Run key to start application 2 TTPs 2 IoCs

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DsGtQhLH = "\"C:\\Program Files (x86)\\Common Files\\DsGtQhLH.lnk\"" | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.8.0\\LetsPRO.exe\" /silent" | LetsPRO.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Modifies Windows Firewall 2 TTPs 4 IoCs

pid | Process
4764 | netsh.exe
1960 | netsh.exe
4604 | netsh.exe
2316 | netsh.exe

pid | Process
4812 | ARP.EXE
2676 | cmd.exe
Drops file in System32 directory 16 IoCs

description | ioc | Process
File opened for modification | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\SET19CD.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\SET19AD.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\tap0901.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF | tapinstall.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\SET19AD.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\oemvista.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\SET19CD.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\SET19CE.tmp | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\SET19CE.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df}\tap0901.sys | DrvInst.exe
File created | C:\Windows\System32\DriverStore\drvstore.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{36530697-dbcd-e944-bda9-e6989c7fd8df} | DrvInst.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid | Process
3184 | pYkYZuRh.exe
3184 | pYkYZuRh.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 16 IoCs

description | ioc | Process
File created | C:\Windows\Installer\SourceHash{3DF6BF22-E312-4270-9646-C64980167B87} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC786.tmp | msiexec.exe
File created | C:\Windows\Installer\e57c573.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57c573.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC8FF.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
File opened for modification | C:\Windows\Installer\MSIC7B6.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSICA48.tmp | msiexec.exe
File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | tapinstall.exe
File created | C:\Windows\inf\oem3.inf | DrvInst.exe

Executes dropped EXE 7 IoCs

pid | Process
3184 | pYkYZuRh.exe
1124 | DsGtQhLH.exe
1144 | tapinstall.exe
4284 | tapinstall.exe
3664 | tapinstall.exe
3692 | LetsPRO.exe
2708 | LetsPRO.exe
Loads dropped DLL 64 IoCs
pid | Process
4400 | powershell.exe
3776 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

pid | Process
4500 | msiexec.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DsGtQhLH.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LetsPRO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ROUTE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LetsPRO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARP.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pYkYZuRh.exe
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.

description | ioc | Process
Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | LetsPRO.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | LetsPRO.exe

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

pid | Process
4880 | ipconfig.exe
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe -
Modifies system certificate store
description ioc Process Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692 LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D LetsPRO.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3696 msiexec.exe 3696 msiexec.exe 4400 powershell.exe 4400 powershell.exe 4400 powershell.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3776 powershell.exe 3776 powershell.exe 3776 powershell.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe 3184 pYkYZuRh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3184 pYkYZuRh.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4500 msiexec.exe Token: SeIncreaseQuotaPrivilege 4500 msiexec.exe Token: SeSecurityPrivilege 3696 msiexec.exe Token: SeCreateTokenPrivilege 4500 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4500 msiexec.exe Token: SeLockMemoryPrivilege 4500 msiexec.exe Token: SeIncreaseQuotaPrivilege 4500 msiexec.exe Token: SeMachineAccountPrivilege 4500 msiexec.exe Token: SeTcbPrivilege 4500 msiexec.exe Token: SeSecurityPrivilege 4500 msiexec.exe Token: SeTakeOwnershipPrivilege 4500 msiexec.exe Token: SeLoadDriverPrivilege 4500 msiexec.exe Token: SeSystemProfilePrivilege 4500 msiexec.exe Token: SeSystemtimePrivilege 4500 msiexec.exe Token: SeProfSingleProcessPrivilege 4500 msiexec.exe Token: SeIncBasePriorityPrivilege 4500 msiexec.exe Token: SeCreatePagefilePrivilege 4500 msiexec.exe Token: SeCreatePermanentPrivilege 4500 msiexec.exe Token: SeBackupPrivilege 4500 msiexec.exe Token: SeRestorePrivilege 4500 msiexec.exe Token: SeShutdownPrivilege 4500 msiexec.exe Token: SeDebugPrivilege 4500 msiexec.exe Token: SeAuditPrivilege 4500 msiexec.exe Token: SeSystemEnvironmentPrivilege 4500 msiexec.exe Token: SeChangeNotifyPrivilege 4500 msiexec.exe Token: SeRemoteShutdownPrivilege 4500 msiexec.exe Token: SeUndockPrivilege 4500 msiexec.exe Token: SeSyncAgentPrivilege 4500 msiexec.exe Token: SeEnableDelegationPrivilege 4500 msiexec.exe Token: SeManageVolumePrivilege 4500 msiexec.exe Token: SeImpersonatePrivilege 4500 msiexec.exe Token: SeCreateGlobalPrivilege 4500 msiexec.exe Token: SeBackupPrivilege 4568 vssvc.exe Token: SeRestorePrivilege 4568 vssvc.exe Token: SeAuditPrivilege 4568 vssvc.exe Token: SeBackupPrivilege 3696 msiexec.exe Token: SeRestorePrivilege 3696 msiexec.exe Token: SeRestorePrivilege 3696 msiexec.exe Token: SeTakeOwnershipPrivilege 3696 msiexec.exe Token: SeRestorePrivilege 3696 msiexec.exe Token: SeTakeOwnershipPrivilege 3696 msiexec.exe Token: SeRestorePrivilege 3696 msiexec.exe Token: SeTakeOwnershipPrivilege 3696 msiexec.exe Token: SeRestorePrivilege 3696 msiexec.exe Token: SeTakeOwnershipPrivilege 3696 msiexec.exe Token: SeRestorePrivilege 3696 msiexec.exe Token: SeTakeOwnershipPrivilege 3696 msiexec.exe Token: SeRestorePrivilege 3696 msiexec.exe Token: SeTakeOwnershipPrivilege 3696 msiexec.exe Token: SeRestorePrivilege 3696 msiexec.exe Token: SeTakeOwnershipPrivilege 3696 msiexec.exe Token: SeDebugPrivilege 4400 powershell.exe Token: SeBackupPrivilege 764 srtasks.exe Token: SeRestorePrivilege 764 srtasks.exe Token: SeSecurityPrivilege 764 srtasks.exe Token: SeTakeOwnershipPrivilege 764 srtasks.exe Token: SeBackupPrivilege 764 srtasks.exe Token: SeRestorePrivilege 764 srtasks.exe Token: SeSecurityPrivilege 764 srtasks.exe Token: SeTakeOwnershipPrivilege 764 srtasks.exe Token: SeDebugPrivilege 3776 powershell.exe Token: SeAuditPrivilege 1600 svchost.exe Token: SeSecurityPrivilege 1600 svchost.exe Token: SeLoadDriverPrivilege 4284 tapinstall.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 4500 msiexec.exe 4500 msiexec.exe 2708 LetsPRO.exe 2708 LetsPRO.exe 2708 LetsPRO.exe 2708 LetsPRO.exe 2708 LetsPRO.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 2708 LetsPRO.exe 2708 LetsPRO.exe 2708 LetsPRO.exe 2708 LetsPRO.exe 2708 LetsPRO.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3184 pYkYZuRh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3696 wrote to memory of 764 3696 msiexec.exe 99 PID 3696 wrote to memory of 764 3696 msiexec.exe 99 PID 3696 wrote to memory of 3560 3696 msiexec.exe 101 PID 3696 wrote to memory of 3560 3696 msiexec.exe 101 PID 3696 wrote to memory of 3560 3696 msiexec.exe 101 PID 3696 wrote to memory of 3184 3696 msiexec.exe 102 PID 3696 wrote to memory of 3184 3696 msiexec.exe 102 PID 3696 wrote to memory of 3184 3696 msiexec.exe 102 PID 3696 wrote to memory of 1124 3696 msiexec.exe 103 PID 3696 wrote to memory of 1124 3696 msiexec.exe 103 PID 3696 wrote to memory of 1124 3696 msiexec.exe 103 PID 1124 wrote to memory of 4400 1124 DsGtQhLH.exe 104 PID 1124 wrote to memory of 4400 1124 DsGtQhLH.exe 104 PID 1124 wrote to memory of 4400 1124 DsGtQhLH.exe 104 PID 1124 wrote to memory of 3776 1124 DsGtQhLH.exe 110 PID 1124 wrote to memory of 3776 1124 DsGtQhLH.exe 110 PID 1124 wrote to memory of 3776 1124 DsGtQhLH.exe 110 PID 1124 wrote to memory of 1144 1124 DsGtQhLH.exe 114 PID 1124 wrote to memory of 1144 1124 DsGtQhLH.exe 114 PID 1124 wrote to memory of 4284 1124 DsGtQhLH.exe 116 PID 1124 wrote to memory of 4284 1124 DsGtQhLH.exe 116 PID 1600 wrote to memory of 2040 1600 svchost.exe 119 PID 1600 wrote to memory of 2040 1600 svchost.exe 119 PID 1600 wrote to memory of 4728 1600 svchost.exe 121 PID 1600 wrote to memory of 4728 1600 svchost.exe 121 PID 1124 wrote to memory of 4048 1124 DsGtQhLH.exe 124 PID 1124 wrote to memory of 4048 1124 DsGtQhLH.exe 124 PID 1124 wrote to memory of 4048 1124 DsGtQhLH.exe 124 PID 4048 wrote to memory of 4764 4048 cmd.exe 126 PID 4048 wrote to memory of 4764 4048 cmd.exe 126 PID 4048 wrote to memory of 4764 4048 cmd.exe 126 PID 1124 wrote to memory of 4964 1124 DsGtQhLH.exe 127 PID 1124 wrote to memory of 4964 1124 DsGtQhLH.exe 127 PID 1124 wrote to memory of 4964 1124 DsGtQhLH.exe 127 PID 4964 wrote to memory of 1960 4964 cmd.exe 129 PID 4964 wrote to memory of 1960 4964 cmd.exe 129 PID 4964 wrote to memory of 1960 4964 cmd.exe 129 PID 1124 wrote to memory of 2564 1124 DsGtQhLH.exe 130 PID 1124 wrote to memory of 2564 1124 DsGtQhLH.exe 130 PID 1124 wrote to memory of 2564 1124 DsGtQhLH.exe 130 PID 2564 wrote to memory of 4604 2564 cmd.exe 132 PID 2564 wrote to memory of 4604 2564 cmd.exe 132 PID 2564 wrote to memory of 4604 2564 cmd.exe 132 PID 1124 wrote to memory of 220 1124 DsGtQhLH.exe 133 PID 1124 wrote to memory of 220 1124 DsGtQhLH.exe 133 PID 1124 wrote to memory of 220 1124 DsGtQhLH.exe 133 PID 220 wrote to memory of 2316 220 cmd.exe 135 PID 220 wrote to memory of 2316 220 cmd.exe 135 PID 220 wrote to memory of 2316 220 cmd.exe 135 PID 1124 wrote to memory of 3664 1124 DsGtQhLH.exe 136 PID 1124 wrote to memory of 3664 1124 DsGtQhLH.exe 136 PID 1124 wrote to memory of 3692 1124 DsGtQhLH.exe 138 PID 1124 wrote to memory of 3692 1124 DsGtQhLH.exe 138 PID 1124 wrote to memory of 3692 1124 DsGtQhLH.exe 138 PID 3692 wrote to memory of 2708 3692 LetsPRO.exe 139 PID 3692 wrote to memory of 2708 3692 LetsPRO.exe 139 PID 3692 wrote to memory of 2708 3692 LetsPRO.exe 139 PID 2708 wrote to memory of 2352 2708 LetsPRO.exe 151 PID 2708 wrote to memory of 2352 2708 LetsPRO.exe 151 PID 2708 wrote to memory of 2352 2708 LetsPRO.exe 151 PID 2708 wrote to memory of 2040 2708 LetsPRO.exe 157 PID 2708 wrote to memory of 2040 2708 LetsPRO.exe 157 PID 2708 wrote to memory of 2040 2708 LetsPRO.exe 157 PID 2040 wrote to memory of 4880 2040 cmd.exe 159 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4500
- C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - UAC bypass
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3696
    - C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
      PID:764
    - C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F7A9A10AF5F7E2C87344371F3223ABDC
      - Drops file in Program Files directory
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      PID:3560
    - C:\Program Files (x86)\pYkYZuRh.exe
      "C:\Program Files (x86)\pYkYZuRh.exe"
      - Enumerates connected drives
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
      PID:3184
    - C:\Program Files (x86)\DsGtQhLH.exe
      "C:\Program Files (x86)\DsGtQhLH.exe"
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1124
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:4400
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
          - Command and Scripting Interpreter: PowerShell
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID:3776
        - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
          "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          PID:1144
        - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
          "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          - Suspicious use of AdjustPrivilegeToken
          PID:4284
        - C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=lets
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:4048
            - C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall Delete rule name=lets
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
              PID:4764
        - C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=lets.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:4964
            - C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall Delete rule name=lets.exe
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
              PID:1960
        - C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:2564
            - C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall Delete rule name=LetsPRO.exe
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
              PID:4604
        - C:\Windows\SysWOW64\cmd.exe
          cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:220
            - C:\Windows\SysWOW64\netsh.exe
              netsh advfirewall firewall Delete rule name=LetsPRO
              - Modifies Windows Firewall
              - Event Triggered Execution: Netsh Helper DLL
              - System Location Discovery: System Language Discovery
              PID:2316
        - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
          "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
          - Executes dropped EXE
          - Checks SCSI registry key(s)
          PID:3664
        - C:\Program Files (x86)\letsvpn\LetsPRO.exe
          "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:3692
            - C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe
              "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"
              - Adds Run key to start application
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Checks processor information in registry
              - Modifies system certificate store
              - Suspicious use of FindShellTrayWindow
              - Suspicious use of SendNotifyMessage
              - Suspicious use of WriteProcessMemory
              PID:2708
                - C:\Windows\SysWOW64\netsh.exe
                  C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
                  - Event Triggered Execution: Netsh Helper DLL
                  - System Location Discovery: System Language Discovery
                  PID:2352
                - C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C ipconfig /all
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of WriteProcessMemory
                  PID:2040
                    - C:\Windows\SysWOW64\ipconfig.exe
                      ipconfig /all
                      - System Location Discovery: System Language Discovery
                      - Gathers network information
                      PID:4880
                - C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C route print
                  - System Location Discovery: System Language Discovery
                  PID:4456
                    - C:\Windows\SysWOW64\ROUTE.EXE
                      route print
                      - System Location Discovery: System Language Discovery
                      PID:5096
                - C:\Windows\SysWOW64\cmd.exe
                  "cmd.exe" /C arp -a
                  - Network Service Discovery
                  - System Location Discovery: System Language Discovery
                  PID:2676
                    - C:\Windows\SysWOW64\ARP.EXE
                      arp -a
                      - Network Service Discovery
                      - System Location Discovery: System Language Discovery
                      PID:4812
- C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4568
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1600
    - C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{fc048f71-1ff9-214f-9a6a-7c5382e88424}\oemvista.inf" "9" "4d14a44ff" "0000000000000134" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\letsvpn\driver"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID:2040
    - C:\Windows\system32\DrvInst.exe
      DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000134"
      - Drops file in Drivers directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      PID:4728
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
  - Modifies data under HKEY_USERS
  PID:3624
- C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
  PID:540
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Installer Packages (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Installer Packages (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (2)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (1)
- Modify Registry (3)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads