Analysis
-
max time kernel
145s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22/11/2024, 03:43
Static task
static1
Behavioral task
behavioral1
Sample
c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi
Resource
win7-20241023-en
windows7-x64
36 signatures
150 seconds
Behavioral task
behavioral2
Sample
c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi
Resource
win10v2004-20241007-en
windows10-2004-x64
40 signatures
150 seconds
General
-
Target
c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi
-
Size
51.3MB
-
MD5
7efb253def4f5980c8e7a4c95a96ce09
-
SHA1
e5f62d1b33eddca20e1b8cde7bf85205c411f058
-
SHA256
c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289
-
SHA512
5a3c05754d5d94a1549f7eb4a08a237e39b976c4994db0bb8e10687757d954d7a3cda5ea1ea432c85e5e9b643378b8a6ae15ec2e6ce17a292d8f4cbe70955f4d
-
SSDEEP
1572864:33j57EzJvxJXNywl4agZ9KsNhucJaV/Z/7h:33jWtv3dbl3bcJarzh
Malware Config
Signatures
-
Blackmoon family
-
Detect Blackmoon payload 1 IoCs
resource yara_rule behavioral2/memory/4416-120-0x0000000010000000-0x0000000010DFE000-memory.dmp family_blackmoon -
pid Process 2748 powershell.exe 2452 powershell.exe 760 powershell.exe 1216 powershell.exe 4344 powershell.exe 1268 powershell.exe -
Drops file in Drivers directory 3 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\SET3BFA.tmp DrvInst.exe File created C:\Windows\System32\drivers\SET3BFA.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\tap0901.sys DrvInst.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nxNUrRUR.lnk msiexec.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GpZSDZUD.lnk msiexec.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.0\\LetsPRO.exe\" /silent" LetsPRO.exe -
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Active Setup\Installed Components Explorer.Exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\K: TgwFTQMc.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: TgwFTQMc.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\T: TgwFTQMc.exe File opened (read-only) \??\Z: TgwFTQMc.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: TgwFTQMc.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: TgwFTQMc.exe File opened (read-only) \??\X: TgwFTQMc.exe File opened (read-only) \??\L: TgwFTQMc.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\I: TgwFTQMc.exe File opened (read-only) \??\J: TgwFTQMc.exe File opened (read-only) \??\N: TgwFTQMc.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: TgwFTQMc.exe File opened (read-only) \??\P: TgwFTQMc.exe File opened (read-only) \??\W: TgwFTQMc.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: TgwFTQMc.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: TgwFTQMc.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: TgwFTQMc.exe File opened (read-only) \??\O: TgwFTQMc.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Q: TgwFTQMc.exe File opened (read-only) \??\Y: TgwFTQMc.exe File opened (read-only) \??\D: Explorer.Exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe -
Modifies Windows Firewall 2 TTPs 5 IoCs
pid Process 2848 netsh.exe 4736 netsh.exe 540 netsh.exe 1380 netsh.exe 1240 netsh.exe -
pid Process 5672 cmd.exe 5712 ARP.EXE -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 wegame.exe -
Drops file in System32 directory 19 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907} DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF tapinstall.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\tap0901.sys DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\SET39A9.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\SET39B9.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\SET39BA.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\SET39BA.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\SET39A9.tmp DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\SET39B9.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{53677600-f547-914a-baf0-f01409a24907}\tap0901.cat DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
pid Process 4416 TgwFTQMc.exe 5028 TgwFTQMc.exe 4416 TgwFTQMc.exe 5028 TgwFTQMc.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\mxewmGJk\User.ini TgwFTQMc.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.ObjectModel.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\runtimes GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\x64\WebView2Loader.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Net.Ping.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Net.WebSockets.Client.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Threading.Tasks.Extensions.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.IO.FileSystem.AccessControl.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.IO.Packaging.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Security.Cryptography.ProtectedData.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\x64\WebView2Loader.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\arm64\WebView2Loader.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\Microsoft.Win32.SystemEvents.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Reflection.Extensions.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Security.Claims.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Security.Cryptography.Pkcs.dll GxySSwAr.exe File created C:\Program Files (x86)\mxewmGJk\log.txt TgwFTQMc.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Runtime.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\zh-Hans GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\Microsoft.Win32.Registry.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.IO.Compression.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\zh-TW\LetsPRO.resources.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Diagnostics.PerformanceCounter.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.ValueTuple.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Xml.ReaderWriter.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\pl\System.Web.Services.Description.resources.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\zh-Hans\System.Web.Services.Description.resources.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Security.SecureString.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.ServiceModel.Syndication.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Threading.AccessControl.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\ru\System.Web.Services.Description.resources.dll GxySSwAr.exe File created C:\Program Files (x86)\mxewmGJk\1 msiexec.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\Microsoft.Web.WebView2.Wpf.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Data.SqlClient.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Security.Cryptography.Cng.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\x86 GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\FontAwesome.WPF.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Net.Primitives.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Runtime.Handles.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.ServiceModel.Security.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Threading.ThreadPool.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\ru\LetsPRO.resources.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\uninst.exe GxySSwAr.exe File created C:\Program Files (x86)\BJgxmmSq\msvcp140.dll msiexec.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Collections.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Diagnostics.StackTrace.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Runtime.Serialization.Json.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.IO.Compression.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Globalization.Calendars.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\runtimes\win-x86\native\e_sqlite3.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\zh-HK\LetsPRO.resources.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\zh-MO GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Buffers.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Globalization.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Security.AccessControl.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\log4net.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Threading.Overlapped.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Diagnostics.EventLog.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.IO.FileSystem.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.Runtime.CompilerServices.Unsafe.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\System.ServiceModel.NetTcp.dll GxySSwAr.exe File created C:\Program Files (x86)\letsvpn\app-3.11.0\System.Net.Ping.dll GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.11.0\runtimes\win-arm\native GxySSwAr.exe File opened for modification C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1 GxySSwAr.exe -
Drops file in Windows directory 13 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\Installer\e57bac4.msi msiexec.exe File opened for modification C:\Windows\Installer\e57bac4.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIBCA9.tmp msiexec.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{460B56F0-8023-425C-BAC6-FD3D3755835B} msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe -
Executes dropped EXE 10 IoCs
pid Process 5028 TgwFTQMc.exe 1480 wegame.exe 4036 wegame.exe 4416 TgwFTQMc.exe 4996 GxySSwAr.exe 4796 tapinstall.exe 4192 tapinstall.exe 1780 tapinstall.exe 3732 LetsPRO.exe 2120 LetsPRO.exe -
Loads dropped DLL 64 IoCs
pid Process 4036 wegame.exe 4036 wegame.exe 1480 wegame.exe 1480 wegame.exe 4036 wegame.exe 1480 wegame.exe 4036 wegame.exe 1480 wegame.exe 1480 wegame.exe 4036 wegame.exe 1480 wegame.exe 4036 wegame.exe 5028 TgwFTQMc.exe 5028 TgwFTQMc.exe 4416 TgwFTQMc.exe 5028 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 4996 GxySSwAr.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 392 msiexec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 26 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ROUTE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TgwFTQMc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wegame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wegame.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GxySSwAr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TgwFTQMc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ARP.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 Explorer.Exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 Explorer.Exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 Explorer.Exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 Explorer.Exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 Explorer.Exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities Explorer.Exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 Explorer.Exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 Explorer.Exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities Explorer.Exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities Explorer.Exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 tapinstall.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID tapinstall.exe -
Checks processor information in registry 2 TTPs 7 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wegame.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz wegame.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wegame.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz wegame.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wegame.exe Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 LetsPRO.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz LetsPRO.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2764 ipconfig.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU SearchApp.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lookup Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Locale Handler" SearchApp.exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "16000" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\r1031sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Locale Handler" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\L3082" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "既定の音声として%1を選びました" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.Exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.Exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" SearchApp.exe Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = 14000000070000000100010007000000140000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000fcc000000000000002000000e8070b004100720067006a00620065007800200033000a005600610067007200650061007200670020006e00700070007200660066000a000a00590072006700660047004e0043000a004100620020005600610067007200650061007200670020006e007000700072006600660000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002400000074ae2078e323294282c1e41cb67d5b9c000000000000000000000000ccfe06ed903cdb0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a006600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000640000000000000002000000e8070b004600630072006e0078007200650066003a002000360037002500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000002500000073ae2078e323294282c1e41cb67d5b9c000000000000000000000000a227a9ec903cdb0100000000000000000000000000000d20feb05a007600700065006200660062007300670020004a0076006100710062006a0066000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000500000050003a005c00480066007200650066005c004e0071007a00760061005c004e006300630051006e0067006e005c005900620070006e0079005c005a00760070006500620066006200730067005c00420061007200510065007600690072005c00420061007200510065007600690072002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f50100000000000000000000e8070a00420061007200510065007600690072000a004100620067002000660076007400610072007100200076006100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000700000000000000000000000000000000000000000000000000000000000000ad2363c09918db0100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000075ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000081ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000082ae2078e323294282c1e41cb67d5b9c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000010000007b005300330038004f0053003400300034002d0031005100340033002d0034003200530032002d0039003300300035002d00360037005100520030004f003200380053005000320033007d005c0072006b006300790062006500720065002e0072006b00720000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000e8070a000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000083ae2078e323294282c1e41cb67d5b9c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.Exe Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul - French (France)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\AI041041" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "404" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lts Lexicon" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HW" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Laura" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1036" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo - Italian (Italy)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\L1041" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\c1031.fe" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Stefan - German (Germany)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\lsr1040.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Elsa - Italian (Italy)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Cosimo" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Spanish Phone Converter" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\r3082sr.lxa" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.Exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat.prev" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Haruka" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.11.0\\LetsPRO.exe\" \"%1\"" LetsPRO.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "C0A" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1033-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Zira - English (United States)" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{179F3D56-1B0B-42B2-A962-59B7EF59FE1B}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1033" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR Engine (11.0) Text Normalization" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - Italian (Italy)" SearchApp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2 LetsPRO.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\tn1031.bin" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "You have selected %1 as the default voice." SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ayumi - Japanese (Japan)" SearchApp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\URL Protocol = "C:\\Program Files (x86)\\letsvpn\\app-3.11.0\\LetsPRO.exe" LetsPRO.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "en-US" SearchApp.exe Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Hedda" SearchApp.exe Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech SW Voice Activation - German (Germany)" SearchApp.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692 LetsPRO.exe Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c69214000000010000001400000032eb929aff3596482f284042702036915c1785e60400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a41900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8 LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D LetsPRO.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 0f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be0b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000006200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a3814000000010000001400000032eb929aff3596482f284042702036915c1785e61d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f609000000010000000c000000300a06082b06010505070303030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2 LetsPRO.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 1900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d09000000010000000c000000300a06082b060105050703031d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f614000000010000001400000032eb929aff3596482f284042702036915c1785e66200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a380b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000000f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2 LetsPRO.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2720 msiexec.exe 2720 msiexec.exe 1480 wegame.exe 1480 wegame.exe 2748 powershell.exe 2748 powershell.exe 5028 TgwFTQMc.exe 5028 TgwFTQMc.exe 5028 TgwFTQMc.exe 5028 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 2748 powershell.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 1216 powershell.exe 1216 powershell.exe 760 powershell.exe 760 powershell.exe 1268 powershell.exe 1268 powershell.exe 760 powershell.exe 4344 powershell.exe 4344 powershell.exe 1268 powershell.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe 4416 TgwFTQMc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4416 TgwFTQMc.exe -
Suspicious behavior: LoadsDriver 2 IoCs
pid Process 656 Process not Found 656 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 392 msiexec.exe Token: SeIncreaseQuotaPrivilege 392 msiexec.exe Token: SeSecurityPrivilege 2720 msiexec.exe Token: SeCreateTokenPrivilege 392 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 392 msiexec.exe Token: SeLockMemoryPrivilege 392 msiexec.exe Token: SeIncreaseQuotaPrivilege 392 msiexec.exe Token: SeMachineAccountPrivilege 392 msiexec.exe Token: SeTcbPrivilege 392 msiexec.exe Token: SeSecurityPrivilege 392 msiexec.exe Token: SeTakeOwnershipPrivilege 392 msiexec.exe Token: SeLoadDriverPrivilege 392 msiexec.exe Token: SeSystemProfilePrivilege 392 msiexec.exe Token: SeSystemtimePrivilege 392 msiexec.exe Token: SeProfSingleProcessPrivilege 392 msiexec.exe Token: SeIncBasePriorityPrivilege 392 msiexec.exe Token: SeCreatePagefilePrivilege 392 msiexec.exe Token: SeCreatePermanentPrivilege 392 msiexec.exe Token: SeBackupPrivilege 392 msiexec.exe Token: SeRestorePrivilege 392 msiexec.exe Token: SeShutdownPrivilege 392 msiexec.exe Token: SeDebugPrivilege 392 msiexec.exe Token: SeAuditPrivilege 392 msiexec.exe Token: SeSystemEnvironmentPrivilege 392 msiexec.exe Token: SeChangeNotifyPrivilege 392 msiexec.exe Token: SeRemoteShutdownPrivilege 392 msiexec.exe Token: SeUndockPrivilege 392 msiexec.exe Token: SeSyncAgentPrivilege 392 msiexec.exe Token: SeEnableDelegationPrivilege 392 msiexec.exe Token: SeManageVolumePrivilege 392 msiexec.exe Token: SeImpersonatePrivilege 392 msiexec.exe Token: SeCreateGlobalPrivilege 392 msiexec.exe Token: SeBackupPrivilege 1376 vssvc.exe Token: SeRestorePrivilege 1376 vssvc.exe Token: SeAuditPrivilege 1376 vssvc.exe Token: SeBackupPrivilege 2720 msiexec.exe Token: SeRestorePrivilege 2720 msiexec.exe Token: SeRestorePrivilege 2720 msiexec.exe Token: SeTakeOwnershipPrivilege 2720 msiexec.exe Token: SeRestorePrivilege 2720 msiexec.exe Token: SeTakeOwnershipPrivilege 2720 msiexec.exe Token: SeRestorePrivilege 2720 msiexec.exe Token: SeTakeOwnershipPrivilege 2720 msiexec.exe Token: SeRestorePrivilege 2720 msiexec.exe Token: SeTakeOwnershipPrivilege 2720 msiexec.exe Token: SeDebugPrivilege 2748 powershell.exe Token: SeBackupPrivilege 4012 srtasks.exe Token: SeRestorePrivilege 4012 srtasks.exe Token: SeSecurityPrivilege 4012 srtasks.exe Token: SeTakeOwnershipPrivilege 4012 srtasks.exe Token: SeBackupPrivilege 4012 srtasks.exe Token: SeRestorePrivilege 4012 srtasks.exe Token: SeSecurityPrivilege 4012 srtasks.exe Token: SeTakeOwnershipPrivilege 4012 srtasks.exe Token: SeDebugPrivilege 1216 powershell.exe Token: SeDebugPrivilege 760 powershell.exe Token: SeDebugPrivilege 1268 powershell.exe Token: SeDebugPrivilege 4344 powershell.exe Token: SeDebugPrivilege 2452 powershell.exe Token: SeAuditPrivilege 2032 svchost.exe Token: SeSecurityPrivilege 2032 svchost.exe Token: SeLoadDriverPrivilege 4192 tapinstall.exe Token: SeRestorePrivilege 3472 DrvInst.exe Token: SeBackupPrivilege 3472 DrvInst.exe -
Suspicious use of FindShellTrayWindow 60 IoCs
pid Process 392 msiexec.exe 392 msiexec.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe -
Suspicious use of SendNotifyMessage 30 IoCs
pid Process 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 2120 LetsPRO.exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe 5336 Explorer.Exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 4416 TgwFTQMc.exe 5476 StartMenuExperienceHost.exe 1476 SearchApp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2720 wrote to memory of 4012 2720 msiexec.exe 99 PID 2720 wrote to memory of 4012 2720 msiexec.exe 99 PID 2720 wrote to memory of 1480 2720 msiexec.exe 101 PID 2720 wrote to memory of 1480 2720 msiexec.exe 101 PID 2720 wrote to memory of 1480 2720 msiexec.exe 101 PID 2720 wrote to memory of 4036 2720 msiexec.exe 102 PID 2720 wrote to memory of 4036 2720 msiexec.exe 102 PID 2720 wrote to memory of 4036 2720 msiexec.exe 102 PID 2720 wrote to memory of 5028 2720 msiexec.exe 103 PID 2720 wrote to memory of 5028 2720 msiexec.exe 103 PID 2720 wrote to memory of 5028 2720 msiexec.exe 103 PID 2720 wrote to memory of 4416 2720 msiexec.exe 104 PID 2720 wrote to memory of 4416 2720 msiexec.exe 104 PID 2720 wrote to memory of 4416 2720 msiexec.exe 104 PID 2720 wrote to memory of 4996 2720 msiexec.exe 105 PID 2720 wrote to memory of 4996 2720 msiexec.exe 105 PID 2720 wrote to memory of 4996 2720 msiexec.exe 105 PID 4996 wrote to memory of 2748 4996 GxySSwAr.exe 107 PID 4996 wrote to memory of 2748 4996 GxySSwAr.exe 107 PID 4996 wrote to memory of 2748 4996 GxySSwAr.exe 107 PID 3732 wrote to memory of 1268 3732 cmd.exe 110 PID 3732 wrote to memory of 1268 3732 cmd.exe 110 PID 3016 wrote to memory of 760 3016 cmd.exe 112 PID 3016 wrote to memory of 760 3016 cmd.exe 112 PID 4996 wrote to memory of 2452 4996 GxySSwAr.exe 120 PID 4996 wrote to memory of 2452 4996 GxySSwAr.exe 120 PID 4996 wrote to memory of 2452 4996 GxySSwAr.exe 120 PID 4996 wrote to memory of 4796 4996 GxySSwAr.exe 124 PID 4996 wrote to memory of 4796 4996 GxySSwAr.exe 124 PID 4996 wrote to memory of 4192 4996 GxySSwAr.exe 126 PID 4996 wrote to memory of 4192 4996 GxySSwAr.exe 126 PID 2032 wrote to memory of 1648 2032 svchost.exe 130 PID 2032 wrote to memory of 1648 2032 svchost.exe 130 PID 2032 wrote to memory of 3472 2032 svchost.exe 131 PID 2032 wrote to memory of 3472 2032 svchost.exe 131 PID 4996 wrote to memory of 1948 4996 GxySSwAr.exe 134 PID 4996 wrote to memory of 1948 4996 GxySSwAr.exe 134 PID 4996 wrote to memory of 1948 4996 GxySSwAr.exe 134 PID 1948 wrote to memory of 4736 1948 cmd.exe 136 PID 1948 wrote to memory of 4736 1948 cmd.exe 136 PID 1948 wrote to memory of 4736 1948 cmd.exe 136 PID 4996 wrote to memory of 1612 4996 GxySSwAr.exe 137 PID 4996 wrote to memory of 1612 4996 GxySSwAr.exe 137 PID 4996 wrote to memory of 1612 4996 GxySSwAr.exe 137 PID 1612 wrote to memory of 540 1612 cmd.exe 139 PID 1612 wrote to memory of 540 1612 cmd.exe 139 PID 1612 wrote to memory of 540 1612 cmd.exe 139 PID 4996 wrote to memory of 1620 4996 GxySSwAr.exe 140 PID 4996 wrote to memory of 1620 4996 GxySSwAr.exe 140 PID 4996 wrote to memory of 1620 4996 GxySSwAr.exe 140 PID 1620 wrote to memory of 1380 1620 cmd.exe 142 PID 1620 wrote to memory of 1380 1620 cmd.exe 142 PID 1620 wrote to memory of 1380 1620 cmd.exe 142 PID 4996 wrote to memory of 1228 4996 GxySSwAr.exe 143 PID 4996 wrote to memory of 1228 4996 GxySSwAr.exe 143 PID 4996 wrote to memory of 1228 4996 GxySSwAr.exe 143 PID 1228 wrote to memory of 1240 1228 cmd.exe 145 PID 1228 wrote to memory of 1240 1228 cmd.exe 145 PID 1228 wrote to memory of 1240 1228 cmd.exe 145 PID 4996 wrote to memory of 3848 4996 GxySSwAr.exe 146 PID 4996 wrote to memory of 3848 4996 GxySSwAr.exe 146 PID 4996 wrote to memory of 3848 4996 GxySSwAr.exe 146 PID 3848 wrote to memory of 2848 3848 cmd.exe 148 PID 3848 wrote to memory of 2848 3848 cmd.exe 148 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c524dc37787eccb306a74bd058abd012b1b7edb25194a783ec2a49730cb50289.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:392
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
-
C:\Program Files (x86)\BJgxmmSq\wegame.exe"C:\Program Files (x86)\BJgxmmSq\wegame.exe"2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1480
-
-
C:\Program Files (x86)\BJgxmmSq\wegame.exe"C:\Program Files (x86)\BJgxmmSq\wegame.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:4036
-
-
C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe"C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5028
-
-
C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe"C:\Program Files (x86)\mxewmGJk\TgwFTQMc.exe"2⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4416 -
C:\Windows\Explorer.Exe"C:\Windows\Explorer.Exe"3⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5336
-
-
-
C:\Program Files (x86)\mxewmGJk\GxySSwAr.exe"C:\Program Files (x86)\mxewmGJk\GxySSwAr.exe"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2452
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap09013⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4796
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap09013⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4192
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=lets3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=lets4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4736
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=lets.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=lets.exe4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:540
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsPRO.exe4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1380
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsPRO3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsPRO4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1240
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsVPN3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsVPN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2848
-
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap09013⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1780
-
-
C:\Program Files (x86)\letsvpn\LetsPRO.exe"C:\Program Files (x86)\letsvpn\LetsPRO.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3732 -
C:\Program Files (x86)\letsvpn\app-3.11.0\LetsPRO.exe"C:\Program Files (x86)\letsvpn\app-3.11.0\LetsPRO.exe"4⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2120 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ipconfig /all5⤵
- System Location Discovery: System Language Discovery
PID:4748 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- System Location Discovery: System Language Discovery
- Gathers network information
PID:2764
-
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:3912
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C route print5⤵
- System Location Discovery: System Language Discovery
PID:5468 -
C:\Windows\SysWOW64\ROUTE.EXEroute print6⤵
- System Location Discovery: System Language Discovery
PID:5532
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C arp -a5⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:5672 -
C:\Windows\SysWOW64\ARP.EXEarp -a6⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:5712
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
C:\Windows\system32\cmd.execmd /c start powershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"1⤵
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1268
-
-
C:\Windows\system32\cmd.execmd /c start powershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"1⤵
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"1⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy Bypass -Command "Add-MpPreference -ExclusionPath 'C:\Program Files (x86)'"1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4344
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{b4447e28-c74b-b04b-940e-bcfbe33ab5f0}\oemvista.inf" "9" "4d14a44ff" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "c:\program files (x86)\letsvpn\driver"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1648
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "000000000000014C"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3472
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵PID:2148
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:5564
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:5948
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Suspicious use of SetWindowsHookEx
PID:5476
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1476
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
2Active Setup
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
4Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
MD508c3e9aa3e2b7534d474407150f56815
SHA12eeeb39a2b0c570f251665cfba033e34ac4a786d
SHA256d841c4b1b0499a991cc5ed97e38a2b9df717dbd86a20fd5d75483c07b9719057
SHA512dc539244aab17fab9c76450f45593b65bfdbe82f21f6034cde09e0d883f9e3b444737349e9995daa5a796feb4ea85a0294a5c5067033f05e59973eab135e7721
-
Filesize
546KB
MD50527df9bdaaea7250291efcb5b33b709
SHA11b6b3511c30aa66a0a0258578a4b695db2fbde36
SHA2567fa367a644670ed94a01bc0927996d93b82ea2658bb7d84c99c648f12b6a61f1
SHA512d8f49f954112e744b161246759aa0a6b106125a9b936e98c3f57c4535b1e7866adffe3e1699412ef8d549a84121f9492f67bb504b91fffd384bbc2e89611631b
-
Filesize
404KB
MD5d9f36ff27dc0d08fd384a99bb801a24a
SHA1886287b85e2b57e05e61ee582dd1595f7e620765
SHA25696aea19b11327ae4200396e84f06a4746a926f43b688c22e60b370ded1cf6d58
SHA512032f0f0e6200383dd9a4a7628e1ef5b67ea6fcfd3a872cd2fa0b952ccc3286b10550526c01e0294068e7d3995714efdf798607a51cf4681b8295b8d8493963dd
-
Filesize
1.5MB
MD5c83dd90d61bae5cf1d4b0620649726d6
SHA1cdb21af237425523d230a1738c4111776b3e8318
SHA256b5df19432f50ad434ca860173c9eb0dc6fdfaca48f75a3b416d038c213d089da
SHA512480cb660931eece9fee17fcb60b5c467ceb033d7d2f9fc0cf37b82dbc7443918935ba5a24aaeb8a284c95820eccab382e67342e6f0038c4d36b36f51d04dc412
-
Filesize
3.7MB
MD5856d1285704805940b8379e81b18f3eb
SHA1aae6852e7f86a8163ca5a63178a7cceb1c50ff67
SHA2562e21f70adcbe5fe3d51eb9236fc23e071e675c802bfeec2ca5c0a41eef35e9a2
SHA51250b61c980c176f2f32bd4e353187d5db9f3d3d7d01486105da95d7e7bf153386d2808dc94909b4998e05accebe6cc388ecad8246d236a89529f9a1274b34885c
-
Filesize
438KB
MD51fb93933fd087215a3c7b0800e6bb703
SHA1a78232c352ed06cedd7ca5cd5cb60e61ef8d86fb
SHA2562db7fd3c9c3c4b67f2d50a5a50e8c69154dc859780dd487c28a4e6ed1af90d01
SHA51279cd448e44b5607863b3cd0f9c8e1310f7e340559495589c428a24a4ac49beb06502d787824097bb959a1c9cb80672630dac19a405468a0b64db5ebd6493590e
-
Filesize
78KB
MD51b171f9a428c44acf85f89989007c328
SHA16f25a874d6cbf8158cb7c491dcedaa81ceaebbae
SHA2569d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c
SHA51299a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1
-
Filesize
1.4MB
MD5063af51c19f29bcdfd26c1bebdc9ace6
SHA1810817459e322ba44815df62702b9c8fe04b26fb
SHA256c6ef12669e1d0a3d0f54ad7cd516d5cf2ddf81edc350c3aafaa51c8ea9226a73
SHA5125ffff7f49b68004eb8f02522724b45d9c6cfa5cb45ff1c5f3cd93f1c65f0cadc322cc09a777b933c64650a7666c6204b67f9b1adf266ba2d1ce537c17f4a99a9
-
Filesize
318B
MD5b34636a4e04de02d079ba7325e7565f0
SHA1f32c1211eac22409bb195415cb5a8063431f75cd
SHA256a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df
SHA5126eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f
-
Filesize
240KB
MD5c3c999e2dc7326d8f4146c19ae1ebbb3
SHA1fcaef0e1869bbaa1394efcb491110fed2bfe89a5
SHA256ad3d15c467e45b9f1a1aa5072d21d5dd1fe2dc6bca1d67581dd494b42e9facb3
SHA5123aba266a809b2005385eef560ad5db388c5db946bb0a2fecb8c7a751a1fcc47bd2e52df39fa844fbd312eb5238b04ae612f7b213a31f7f4965ab715babbd5d24
-
Filesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize
99KB
MD51e3cf83b17891aee98c3e30012f0b034
SHA1824f299e8efd95beca7dd531a1067bfd5f03b646
SHA2569f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f
SHA512fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b
-
Filesize
13.9MB
MD5cdcf5affbeec34a7fc6823e9b2ef1907
SHA1a59c15b6b8e200802922ffffe710443eef0c82e8
SHA2561ba2d3db99e9f2da7359dd45c0a6c82cd0709bc922931e3e4b26566c5a880dad
SHA512b3d9e576d953167ed3011a2ddbab9dd60241b843e2a15f6fa0030dece17b267c032f02096d4f8c9dc8eec798060b151e226fbebb518af32d49a05fe286b99e9b
-
Filesize
14.7MB
MD5db7b54bd084d93ca25f33b9ebd68e45e
SHA1f2fc12ece7fb3e1d9dc4a02f28d306a6468c7f5c
SHA2560b3bbc7e664df0c6f35a4e9fa56af831c2be7fd168f585c287fa8c21439605a2
SHA51274cc7bbba5dba412d40a21c0bb3c4ae39c937f78a861d03c8282aa740c412e7067301cc15da6d2561855b23cdee8b8b9752ae6fe159405e8cec2a3a181dad03f
-
Filesize
129KB
MD533c56f904fe77363fd5e553f7498854e
SHA1e0cbe72715bda80c21a9cce8c6b3b76779ed71f3
SHA2563ee9676a50e1d314a942de5c1fc614f4e00a3143397316a5892daee41f0bac4d
SHA5128559df54856fc28b382b624a12201fb404a82c2cab7fbe095f8d3883a32177303bf633a14210de1f493fe015b97de5c10d7a10ae0b8561713a925020f840e812
-
Filesize
18.6MB
MD55acf6baf28a3b00119a4a5d487bf1796
SHA15b9017f63a52347cc07fecccf531b40ab539bfcf
SHA256fb6c0daa4a741a341692bbdabef54337ac6fa00b4278d8f939f3472209e7e2ff
SHA512111a86110af5f13305525802b3c87c9631bbf30f160880a76de517016c32d6e08f355b93d032930c7d051dcc2ed8643a6e431821a5f358eb8cc90fc014db971a
-
Filesize
412KB
MD5ed40615aa67499e2d2da8389ba9b331a
SHA109780d2c9d75878f7a9bb94599f3dc9386cf3789
SHA256cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d
SHA51247d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee
-
Filesize
756KB
MD5ef3e115c225588a680acf365158b2f4a
SHA1ecda6d3b4642d2451817833b39248778e9c2cbb0
SHA25625d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8
SHA512d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a
-
Filesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
Filesize
11KB
MD54d6775467fdc170a3e64a3f873245528
SHA13b6fb66b42b462d5864c4684f74f87b098bb0cf2
SHA256274bdc7fe3f64d562562065e77a342100b7c715c06055c3e62c068519038e56e
SHA51211774c1879df555c0124e4e7b5f2786a4748c8712da8fbcb7fa71d117af2b014e4dbd38a3c32372001d96f0220078a8590fe162f33ccb4abaa15273428368e41
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133767207149080829.txt
Filesize75KB
MD5ddbe972715e8cd3bb7702456a5368cee
SHA1b79685c044dfd0262b20342a106ed107d318bfbf
SHA25677c934b453a91cc1b5e272959d1e4e3a1ded1f92bfc63cffe7c7a24df31b9b24
SHA512d6f3d1827a5f2368fbbacd399bec78a2af7ff8805686242364ac75d7e190b3953889d92760387011729beb69560549a13cb989b6bfc1d099e7b35edd74279263
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
12KB
MD5192639861e3dc2dc5c08bb8f8c7260d5
SHA158d30e460609e22fa0098bc27d928b689ef9af78
SHA25623d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA5126e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
-
Filesize
51KB
MD57f8e1969b0874c8fb9ab44fc36575380
SHA13057c9ce90a23d29f7d0854472f9f44e87b0f09a
SHA256076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd
SHA5127aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555
-
Filesize
9KB
MD5b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA115ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA25689a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
SHA5126467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8
-
Filesize
7KB
MD511092c1d3fbb449a60695c44f9f3d183
SHA1b89d614755f2e943df4d510d87a7fc1a3bcf5a33
SHA2562cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
SHA512c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize1KB
MD5ac35fb389d0b8018ad3e7f0442fd3a18
SHA1e0c38eec1a908717e233ae0119a9f623cefaa55b
SHA256625c09887b5da4f9fdc71f04dc3a49d19f365e879b492a788b2cd46d526168cc
SHA5121f25a509ce6fadf13a0db84318d48d652619b576d824b2423acefb1e13461c98d116f135823b2730a9ed6edf339b3ea85953e35a844117c9b46d8908194422e7
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize1KB
MD5b42c70c1dbf0d1d477ec86902db9e986
SHA11d1c0a670748b3d10bee8272e5d67a4fabefd31f
SHA2568ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a
SHA51257fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5
-
Filesize
24.1MB
MD50f5084afdb35b7dfe6d3e81eeb11c3b9
SHA119f5cd35ea5282a2cdb80025e2dcb3c9e82b015b
SHA2564d8789bf710bda37f9e5fa746ffad0f97df40b740d09ab6739ee7015c05d3c79
SHA5121bfc6736cd1eb2adbfcf457f6673113f40bcc0df6f341ebb3f78d80b09067267527170d791a4ffe05e8cde625d72d6dcbfb030733830fc4b922776af655a312b
-
\??\Volume{77a2731a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{7fcd4316-c3e0-45d0-b249-6b12bc465f3b}_OnDiskSnapshotProp
Filesize6KB
MD5a9eddf0adf153d95d543372d07a7b329
SHA1ff89315c602182a0fe5f55bff5d7d4d8193a843b
SHA2569263e2730ca0f87775ec5d4e5ad28af4c048cec56f2bbef3a81742b4bcaf24ff
SHA5120b8f5981f64a435202c853ead08b91d713228d6677536fe55b3007b575abb9495877d876c16ff48285f7b07aa8f0274bac9d93576c1bc25d0113568d34bae338
-
Filesize
38KB
MD5c10ccdec5d7af458e726a51bb3cdc732
SHA10553aab8c2106abb4120353360d747b0a2b4c94f
SHA256589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253
SHA5127437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981
-
Filesize
10KB
MD5f73ac62e8df97faf3fc8d83e7f71bf3f
SHA1619a6e8f7a9803a4c71f73060649903606beaf4e
SHA256cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b
SHA512f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe
