Analysis
max time kernel: 144s
max time network: 157s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-11-2024 03:58

Static task: static1

Behavioral task: behavioral1
  Sample: 10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
  Resource: win7-20241010-en

Behavioral task: behavioral2
  Sample: 10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
  Resource: win10v2004-20241007-en
General
Target: 10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
Size: 40.6MB
MD5: 4e0c73259e83e8d5f36be55d4a937307
SHA1: 539d747d30c16f50ddf6b72da1426709edce5732
SHA256: 10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9
SHA512: eaca63ff0faafdd6014864517a9fb92e82d970c99084d6cbf5b493b0b0ca6372541493f4c11b426c09b160369fb4da07d928d74a20078ab3e0743b54e5be99b5
SSDEEP: 786432:BxAq3kvG6v0/moop9AaRDEzVARzgsBBSs7ndpTp1Z4qaNrk+0/iClRu:cqUvL8/mfACxgUBSkdvAPy6CPu
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | msiexec.exe
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\DRIVERS\SET7002.tmp | DrvInst.exe
File created | C:\Windows\system32\DRIVERS\SET7002.tmp | DrvInst.exe
File opened for modification | C:\Windows\system32\DRIVERS\tap0901.sys | DrvInst.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\DsGtQhLH = "\"C:\\Program Files (x86)\\Common Files\\DsGtQhLH.lnk\"" | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.8.0\\LetsPRO.exe\" /silent" | LetsPRO.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | pYkYZuRh.exe
File opened (read-only) | \??\K: | pYkYZuRh.exe
File opened (read-only) | \??\V: | pYkYZuRh.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | pYkYZuRh.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\L: | pYkYZuRh.exe
File opened (read-only) | \??\P: | pYkYZuRh.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\S: | pYkYZuRh.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\H: | pYkYZuRh.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\R: | pYkYZuRh.exe
File opened (read-only) | \??\Z: | pYkYZuRh.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\B: | pYkYZuRh.exe
File opened (read-only) | \??\N: | pYkYZuRh.exe
File opened (read-only) | \??\O: | pYkYZuRh.exe
File opened (read-only) | \??\T: | pYkYZuRh.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\E: | pYkYZuRh.exe
File opened (read-only) | \??\I: | pYkYZuRh.exe
File opened (read-only) | \??\M: | pYkYZuRh.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | pYkYZuRh.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Q: | pYkYZuRh.exe
File opened (read-only) | \??\X: | pYkYZuRh.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
Modifies Windows Firewall 2 TTPs 4 IoCs
pid | Process
1752 | netsh.exe
2832 | netsh.exe
2692 | netsh.exe
2956 | netsh.exe

pid | Process
1816 | cmd.exe
1056 | ARP.EXE
Drops file in System32 directory 21 IoCs
description | ioc | Process
File created | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5C.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5D.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | tapinstall.exe
File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5B.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF | DrvInst.exe
File created | C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5C.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infstor.dat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\INFCACHE.0 | DrvInst.exe
File opened for modification | C:\Windows\System32\CatRoot2\dberr.txt | tapinstall.exe
File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | tapinstall.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\oemvista.inf | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\tap0901.cat | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5D.tmp | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\tap0901.sys | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infpub.dat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\infstrng.dat | DrvInst.exe
File opened for modification | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e} | DrvInst.exe
File created | C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\SET2A5B.tmp | DrvInst.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid | Process
1096 | pYkYZuRh.exe
1096 | pYkYZuRh.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNDomainModel.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Annotations.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Csp.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Primitives.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.ObjectModel.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\ja\System.Web.Services.Description.resources.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\NuGet.Squirrel.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\ru\System.Web.Services.Description.resources.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\ja\System.Web.Services.Description.resources.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.MemoryMappedFiles.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Http.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.SecureString.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Pdb.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensionsAsync.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.DriveInfo.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\netstandard.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\uninst.exe | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Json.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.ThreadPool.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\arm64\WebView2Loader.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\zh-HK\LetsPRO.resources.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.PerformanceCounter.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Serialization.Formatters.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XDocument.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86\native\e_sqlite3.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\Common Files\DsGtQhLH.lnk | msiexec.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Algorithms.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Pkcs.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Http.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Numerics.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\de\System.Web.Services.Description.resources.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\zh-Hans\System.Web.Services.Description.resources.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.PatchApi.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Handles.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.AccessControl.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.RegularExpressions.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\ru\LetsPRO.resources.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86 | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.AppCenter.Crashes.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Annotations.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Pipes.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.Primitives.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-arm\native\e_sqlite3.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.StackTrace.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.IsolatedStorage.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Duplex.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.Encoding.CodePages.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86\native | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\Log\20241122.log | LetsPRO.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\SuperSocket.ClientEngine.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.SecureString.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XPath.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\zh-MO | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.TypeConverter.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Tasks.Extensions.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\WindowsInput.dll | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\ru | DsGtQhLH.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.Registry.AccessControl.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XPath.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\1 | msiexec.exe
File opened for modification | C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Timer.dll | DsGtQhLH.exe
File created | C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.nativelibrary.dll | DsGtQhLH.exe
Drops file in Windows directory 25 IoCs
description | ioc | Process
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File created | C:\Windows\Installer\f789aeb.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9E53.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.app.log | tapinstall.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\INF\oem2.PNF | DrvInst.exe
File opened for modification | C:\Windows\Installer\f789ae8.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9E04.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIA519.tmp | msiexec.exe
File created | C:\Windows\INF\oem2.inf | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev2 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSIA0F3.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\f789aeb.ipi | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | tapinstall.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File created | C:\Windows\Installer\f789ae8.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Executes dropped EXE 7 IoCs
pid | Process
1096 | pYkYZuRh.exe
1616 | DsGtQhLH.exe
3008 | tapinstall.exe
1636 | tapinstall.exe
2764 | tapinstall.exe
2888 | LetsPRO.exe
1652 | LetsPRO.exe
Loads dropped DLL 64 IoCs
pid | Process
1916 | MsiExec.exe (4 entries)
1096 | pYkYZuRh.exe (3 entries)
1616 | DsGtQhLH.exe (17 entries)
2888 | LetsPRO.exe (1 entry)
1652 | LetsPRO.exe (39 entries)

pid | Process
1716 | powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
392 | msiexec.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
System Location Discovery: System Language Discovery 1 TTPs 23 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ROUTE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LetsPRO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ARP.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | DsGtQhLH.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | pYkYZuRh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipconfig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | LetsPRO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid | Process
1464 | ipconfig.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-4 = "Used to discover and locate other PCs, devices, and network infrastructure components on the network. Also used to determine network bandwidth." | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network." | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services." | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a86488
6f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e6469676963
6572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 LetsPRO.exe Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 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 LetsPRO.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551
d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 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 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 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 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 LetsPRO.exe Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692 LetsPRO.exe -
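The "Modifies system certificate store" entries above deserve decoding rather than being counted as root installs at face value. The two AuthRoot blobs whose bytes are visible decode to DigiCert roots (the DER inside the property-32 record carries the strings "DigiCert Inc", "DigiCert High Assurance EV Root CA" and "DigiCert Assured ID Root CA"), and AuthRoot\Certificates is where CryptoAPI caches Microsoft-trusted roots it fetches on demand; their appearance while tapinstall.exe (PID 1636) was validating the driver catalog is consistent with that auto-update, and the CryptnetUrlCache file listed under Downloads fits the same picture. The entries written by LetsPRO.exe (PID 1652) have their blobs elided on this page and need the same check before the "Install Root Certificate" mapping is taken as fact. The parser below is an added example, not code from the report or from the installer: it walks the Blob record format, checks that the SHA-1 of the embedded DER matches both the stored hash property and the thumbprint in the key name, and decodes the friendly name and EKU list. The sample value is constructed (its certificate payload is a placeholder DER SEQUENCE, not a real certificate); the friendly-name and EKU bytes are the ones visible in the report.

```python
"""Parse a CryptoAPI certificate-store registry Blob value.

Added example, not code from the report or the installer. The value under
SystemCertificates\\...\\Certificates\\<SHA1>\\Blob is a run of records:
DWORD property id, DWORD flags (always 1), DWORD length, data. Property 32
is the DER certificate, 3 its SHA-1 (the thumbprint in the key name),
11 the UTF-16LE friendly name, 9 a DER SEQUENCE of EKU OIDs.
"""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3
CERT_ENHKEY_USAGE_PROP_ID = 9
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_CERT_PROP_ID = 32


def parse_blob(blob: bytes) -> dict:
    """Walk the property records and return {property_id: raw value}."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError("truncated record header at offset %d" % off)
        prop_id, flags, length = struct.unpack_from("<III", blob, off)
        off += 12
        if flags != 1:
            raise ValueError("unexpected flags 0x%x for property %d" % (flags, prop_id))
        value = blob[off:off + length]
        if len(value) != length:
            raise ValueError("property %d runs past the end of the blob" % prop_id)
        props[prop_id] = value
        off += length
    return props


def der_tlv(buf: bytes, off: int = 0):
    """Decode one DER tag/length/value; return (tag, value, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def decode_oid(body: bytes) -> str:
    """Dotted form of an OBJECT IDENTIFIER body (first byte packs two arcs)."""
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der: bytes) -> list:
    """Property 9 is SEQUENCE OF OBJECT IDENTIFIER."""
    tag, seq, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("EKU property is not a SEQUENCE")
    oids, off = [], 0
    while off < len(seq):
        tag, body, off = der_tlv(seq, off)
        if tag != 0x06:
            raise ValueError("non-OID element inside EKU sequence")
        oids.append(decode_oid(body))
    return oids


def analyze_entry(key_thumbprint: str, blob: bytes) -> dict:
    """Cross-check a Certificates\\<thumbprint>\\Blob value against its key name."""
    props = parse_blob(blob)
    cert = props[CERT_CERT_PROP_ID]
    actual = hashlib.sha1(cert).hexdigest().upper()
    stored = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    eku = decode_eku(props[CERT_ENHKEY_USAGE_PROP_ID]) if CERT_ENHKEY_USAGE_PROP_ID in props else []
    return {
        "cert_sha1": actual,
        "thumbprint_matches": actual == key_thumbprint.upper() == stored,
        "friendly_name": name,
        "eku": eku,
        "cert_der": cert,   # hand to: openssl x509 -inform DER -noout -subject -fingerprint
    }


def build_blob(props: dict) -> bytes:
    """Inverse of parse_blob; used below to construct the sample value."""
    return b"".join(struct.pack("<III", pid, 1, len(v)) + v for pid, v in props.items())


# Constructed sample: friendly name and EKU SEQUENCE are the byte values visible in the
# report's AuthRoot entries; the certificate payload is a placeholder, not a real cert.
EKU_DER = bytes.fromhex(
    "303206082b0601050507030106082b0601050507030206082b060105050703"
    "0406082b0601050507030306082b06010505070308"
)
PLACEHOLDER_CERT = bytes.fromhex("3003020100")
SAMPLE_BLOB = build_blob({
    CERT_SHA1_HASH_PROP_ID: hashlib.sha1(PLACEHOLDER_CERT).digest(),
    CERT_FRIENDLY_NAME_PROP_ID: "DigiCert".encode("utf-16-le") + b"\0\0",
    CERT_ENHKEY_USAGE_PROP_ID: EKU_DER,
    CERT_CERT_PROP_ID: PLACEHOLDER_CERT,
})
SAMPLE_KEY = hashlib.sha1(PLACEHOLDER_CERT).hexdigest().upper()
```

To use it on a live artifact, export the Blob value from the hive (or read it with the registry API), pass the key's thumbprint and the raw bytes to `analyze_entry`, and then hand `cert_der` to `openssl x509 -inform DER -noout -subject -issuer -fingerprint -sha1` to see who the certificate actually names. A mismatch between the key name, the stored SHA-1 property and the hash of the DER is itself a finding: CryptoAPI writes all three consistently, so a mismatch means something other than CryptoAPI wrote the entry.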
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1184 msiexec.exe 1184 msiexec.exe 1096 pYkYZuRh.exe 1716 powershell.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1096 pYkYZuRh.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1096 pYkYZuRh.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 392 msiexec.exe Token: SeIncreaseQuotaPrivilege 392 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeTakeOwnershipPrivilege 1184 msiexec.exe Token: SeSecurityPrivilege 1184 msiexec.exe Token: SeCreateTokenPrivilege 392 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 392 msiexec.exe Token: SeLockMemoryPrivilege 392 msiexec.exe Token: SeIncreaseQuotaPrivilege 392 msiexec.exe Token: SeMachineAccountPrivilege 392 msiexec.exe Token: SeTcbPrivilege 392 msiexec.exe Token: SeSecurityPrivilege 392 msiexec.exe Token: SeTakeOwnershipPrivilege 392 msiexec.exe Token: SeLoadDriverPrivilege 392 msiexec.exe Token: SeSystemProfilePrivilege 392 msiexec.exe Token: SeSystemtimePrivilege 392 msiexec.exe Token: SeProfSingleProcessPrivilege 392 msiexec.exe Token: SeIncBasePriorityPrivilege 392 msiexec.exe Token: SeCreatePagefilePrivilege 392 msiexec.exe Token: SeCreatePermanentPrivilege 392 msiexec.exe Token: SeBackupPrivilege 392 msiexec.exe Token: SeRestorePrivilege 392 msiexec.exe Token: SeShutdownPrivilege 392 msiexec.exe Token: SeDebugPrivilege 392 msiexec.exe Token: SeAuditPrivilege 392 msiexec.exe Token: SeSystemEnvironmentPrivilege 392 msiexec.exe Token: SeChangeNotifyPrivilege 392 msiexec.exe Token: SeRemoteShutdownPrivilege 392 msiexec.exe Token: SeUndockPrivilege 392 msiexec.exe Token: SeSyncAgentPrivilege 392 msiexec.exe Token: SeEnableDelegationPrivilege 392 msiexec.exe Token: SeManageVolumePrivilege 392 msiexec.exe Token: SeImpersonatePrivilege 392 msiexec.exe Token: SeCreateGlobalPrivilege 392 msiexec.exe Token: SeBackupPrivilege 2856 vssvc.exe Token: SeRestorePrivilege 2856 vssvc.exe Token: SeAuditPrivilege 2856 vssvc.exe Token: SeBackupPrivilege 1184 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeRestorePrivilege 2760 DrvInst.exe Token: SeRestorePrivilege 2760 DrvInst.exe Token: SeRestorePrivilege 2760 DrvInst.exe Token: SeRestorePrivilege 2760 DrvInst.exe Token: SeRestorePrivilege 2760 DrvInst.exe Token: SeRestorePrivilege 2760 DrvInst.exe Token: SeRestorePrivilege 2760 DrvInst.exe Token: SeLoadDriverPrivilege 2760 DrvInst.exe Token: SeLoadDriverPrivilege 2760 DrvInst.exe Token: SeLoadDriverPrivilege 2760 DrvInst.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeTakeOwnershipPrivilege 1184 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeTakeOwnershipPrivilege 1184 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeTakeOwnershipPrivilege 1184 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeTakeOwnershipPrivilege 1184 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeTakeOwnershipPrivilege 1184 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeTakeOwnershipPrivilege 1184 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe Token: SeTakeOwnershipPrivilege 1184 msiexec.exe Token: SeRestorePrivilege 1184 msiexec.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 392 msiexec.exe 392 msiexec.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe 1652 LetsPRO.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1096 pYkYZuRh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1184 wrote to memory of 1916 1184 msiexec.exe 33 PID 1184 wrote to memory of 1916 1184 msiexec.exe 33 PID 1184 wrote to memory of 1916 1184 msiexec.exe 33 PID 1184 wrote to memory of 1916 1184 msiexec.exe 33 PID 1184 wrote to memory of 1916 1184 msiexec.exe 33 PID 1184 wrote to memory of 1916 1184 msiexec.exe 33 PID 1184 wrote to memory of 1916 1184 msiexec.exe 33 PID 1184 wrote to memory of 1096 1184 msiexec.exe 34 PID 1184 wrote to memory of 1096 1184 msiexec.exe 34 PID 1184 wrote to memory of 1096 1184 msiexec.exe 34 PID 1184 wrote to memory of 1096 1184 msiexec.exe 34 PID 1184 wrote to memory of 1616 1184 msiexec.exe 35 PID 1184 wrote to memory of 1616 1184 msiexec.exe 35 PID 1184 wrote to memory of 1616 1184 msiexec.exe 35 PID 1184 wrote to memory of 1616 1184 msiexec.exe 35 PID 1616 wrote to memory of 1716 1616 DsGtQhLH.exe 37 PID 1616 wrote to memory of 1716 1616 DsGtQhLH.exe 37 PID 1616 wrote to memory of 1716 1616 DsGtQhLH.exe 37 PID 1616 wrote to memory of 1716 1616 DsGtQhLH.exe 37 PID 1616 wrote to memory of 3008 1616 DsGtQhLH.exe 39 PID 1616 wrote to memory of 3008 1616 DsGtQhLH.exe 39 PID 1616 wrote to memory of 3008 1616 DsGtQhLH.exe 39 PID 1616 wrote to memory of 3008 1616 DsGtQhLH.exe 39 PID 1616 wrote to memory of 1636 1616 DsGtQhLH.exe 41 PID 1616 wrote to memory of 1636 1616 DsGtQhLH.exe 41 PID 1616 wrote to memory of 1636 1616 DsGtQhLH.exe 41 PID 1616 wrote to memory of 1636 1616 DsGtQhLH.exe 41 PID 1112 wrote to memory of 2104 1112 DrvInst.exe 45 PID 1112 wrote to memory of 2104 1112 DrvInst.exe 45 PID 1112 wrote to memory of 2104 1112 DrvInst.exe 45 PID 1616 wrote to memory of 2172 1616 DsGtQhLH.exe 48 PID 1616 wrote to memory of 2172 1616 DsGtQhLH.exe 48 PID 1616 wrote to memory of 2172 1616 DsGtQhLH.exe 48 PID 1616 wrote to memory of 2172 1616 DsGtQhLH.exe 48 PID 2172 wrote to memory of 1752 2172 cmd.exe 50 PID 2172 wrote to memory of 1752 2172 cmd.exe 50 PID 2172 wrote to memory of 1752 2172 cmd.exe 50 PID 2172 wrote to memory of 1752 2172 cmd.exe 50 PID 1616 wrote to memory of 1572 1616 DsGtQhLH.exe 51 PID 1616 wrote to memory of 1572 1616 DsGtQhLH.exe 51 PID 1616 wrote to memory of 1572 1616 DsGtQhLH.exe 51 PID 1616 wrote to memory of 1572 1616 DsGtQhLH.exe 51 PID 1572 wrote to memory of 2832 1572 cmd.exe 53 PID 1572 wrote to memory of 2832 1572 cmd.exe 53 PID 1572 wrote to memory of 2832 1572 cmd.exe 53 PID 1572 wrote to memory of 2832 1572 cmd.exe 53 PID 1616 wrote to memory of 1128 1616 DsGtQhLH.exe 54 PID 1616 wrote to memory of 1128 1616 DsGtQhLH.exe 54 PID 1616 wrote to memory of 1128 1616 DsGtQhLH.exe 54 PID 1616 wrote to memory of 1128 1616 DsGtQhLH.exe 54 PID 1128 wrote to memory of 2692 1128 cmd.exe 56 PID 1128 wrote to memory of 2692 1128 cmd.exe 56 PID 1128 wrote to memory of 2692 1128 cmd.exe 56 PID 1128 wrote to memory of 2692 1128 cmd.exe 56 PID 1616 wrote to memory of 2112 1616 DsGtQhLH.exe 57 PID 1616 wrote to memory of 2112 1616 DsGtQhLH.exe 57 PID 1616 wrote to memory of 2112 1616 DsGtQhLH.exe 57 PID 1616 wrote to memory of 2112 1616 DsGtQhLH.exe 57 PID 2112 wrote to memory of 2956 2112 cmd.exe 59 PID 2112 wrote to memory of 2956 2112 cmd.exe 59 PID 2112 wrote to memory of 2956 2112 cmd.exe 59 PID 2112 wrote to memory of 2956 2112 cmd.exe 59 PID 1616 wrote to memory of 2764 1616 DsGtQhLH.exe 60 PID 1616 wrote to memory of 2764 1616 DsGtQhLH.exe 60 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service manages backups and snapshots. In this run its use is consistent with a System Restore point being taken during the installation: vssvc.exe (PID 2856) enables SeBackupPrivilege and SeRestorePrivilege, and the two DrvInst.exe invocations for STORAGE\VolumeSnapshot devices (PIDs 2760 and 1448) are the Plug and Play side of a new shadow-copy volume appearing. No vssadmin or wmic shadowcopy command appears in the process tree, so this is not the shadow-copy deletion pattern associated with ransomware.
Processes
Each entry gives the PID and image path, then the command line, then the signatures it triggered; indentation shows parent/child depth.

PID 392  C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

PID 1184  C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - UAC bypass
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  PID 1916  C:\Windows\syswow64\MsiExec.exe
    C:\Windows\syswow64\MsiExec.exe -Embedding A5F5DB85C086DB8117A7155C1738DE34
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

  PID 1096  C:\Program Files (x86)\pYkYZuRh.exe
    "C:\Program Files (x86)\pYkYZuRh.exe"
    - Enumerates connected drives
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx

  PID 1616  C:\Program Files (x86)\DsGtQhLH.exe
    "C:\Program Files (x86)\DsGtQhLH.exe"
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    PID 1716  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
      - Command and Scripting Interpreter: PowerShell
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    PID 3008  C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
      - Executes dropped EXE

    PID 1636  C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Executes dropped EXE
      - Modifies system certificate store

    PID 2172  C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=lets
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 1752  C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall Delete rule name=lets
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    PID 1572  C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=lets.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 2832  C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall Delete rule name=lets.exe
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    PID 1128  C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 2692  C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall Delete rule name=LetsPRO.exe
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    PID 2112  C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      PID 2956  C:\Windows\SysWOW64\netsh.exe
        netsh advfirewall firewall Delete rule name=LetsPRO
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    PID 2764  C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
      - Executes dropped EXE

    PID 2888  C:\Program Files (x86)\letsvpn\LetsPRO.exe
      "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

      PID 1652  C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe
        "C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"
        - Adds Run key to start application
        - Drops file in Program Files directory
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

        PID 1388  C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=1
          - System Location Discovery: System Language Discovery

          PID 2180  C:\Windows\SysWOW64\netsh.exe
            netsh interface ipv4 set interface LetsTAP metric=1
            - Event Triggered Execution: Netsh Helper DLL
            - System Location Discovery: System Language Discovery

        PID 1780  C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C ipconfig /all
          - System Location Discovery: System Language Discovery

          PID 1464  C:\Windows\SysWOW64\ipconfig.exe
            ipconfig /all
            - System Location Discovery: System Language Discovery
            - Gathers network information

        PID 2368  C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C route print
          - System Location Discovery: System Language Discovery

          PID 1488  C:\Windows\SysWOW64\ROUTE.EXE
            route print
            - System Location Discovery: System Language Discovery

        PID 1816  C:\Windows\SysWOW64\cmd.exe
          "cmd.exe" /C arp -a
          - Network Service Discovery
          - System Location Discovery: System Language Discovery

          PID 1056  C:\Windows\SysWOW64\ARP.EXE
            arp -a
            - Network Service Discovery
            - System Location Discovery: System Language Discovery

        PID 2644  C:\Windows\SysWOW64\netsh.exe
          C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery

PID 2856  C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

PID 2760  C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "0000000000000564"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

PID 1112  C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4785cad3-e345-1789-9bad-3f4a3d8f383f}\oemvista.inf" "9" "6d14a44ff" "0000000000000574" "WinSta0\Default" "00000000000003DC" "208" "c:\program files (x86)\letsvpn\driver"
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory

  PID 2104  C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5c471caf-e6b1-16ef-f1bb-3b035b645212} Global\{367e1d7d-a35c-68f7-18f9-aa28a85b602c} C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{40ecb734-e9d0-4aeb-2a9a-3a2c306cfb3e}\tap0901.cat

PID 1448  C:\Windows\system32\DrvInst.exe
  DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000060" "0000000000000608"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

PID 2032  C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "0000000000000574" "00000000000005FC" "0000000000000608"
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS

PID 1668  C:\Windows\system32\wbem\WmiApSrv.exe
  C:\Windows\system32\wbem\WmiApSrv.exe
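Detection logic for the process tree above, as an added example that is not part of the report. The events are constructed from the PIDs and command lines listed for the msiexec.exe, DsGtQhLH.exe and LetsPRO.exe branches (the DrvInst and vssvc branches are left out), in the shape a Sysmon Event ID 1 feed would deliver. Two caveats come straight from the tree. First, every netsh.exe run on this page, including `netsh interface ipv4 set interface LetsTAP metric=1`, carries the "Event Triggered Execution: Netsh Helper DLL" tag, yet none of the command lines is `netsh add helper`; read that tag as "netsh was executed", not as evidence of helper-DLL persistence. Second, a VPN product deleting its own stale firewall rules and installing a TAP adapter is expected behaviour, so rules for those fire on benign installers too; what separates this sample is the combination with the UAC bypass signature on PID 1184, the 8-letter random-named executables dropped at the root of Program Files by the installer, and the Run key signatures on PIDs 1184 and 1652. The rules below therefore match on the netsh child rather than its cmd wrapper, flag the installer-spawned random-named executables, and correlate the ipconfig/route/arp burst back through the `cmd /C` wrappers to the process that asked for it.

```python
"""Detection logic over process-creation telemetry shaped like the tree above.

Added example; not part of the sandbox report. Each event carries the fields
a Sysmon Event ID 1 record would: pid, parent pid, image path, command line.
The events are constructed from the report's process tree.
"""
import re
from collections import defaultdict

PF = r"C:\Program Files (x86)"
SW = r"C:\Windows\SysWOW64"
TAP = PF + r"\letsvpn\driver\tapinstall.exe"


def ev(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


# Constructed events (PIDs and command lines taken from the report's process tree).
EVENTS = [
    ev(1184, 0,    r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ev(1096, 1184, PF + r"\pYkYZuRh.exe", '"%s\\pYkYZuRh.exe"' % PF),
    ev(1616, 1184, PF + r"\DsGtQhLH.exe", '"%s\\DsGtQhLH.exe"' % PF),
    ev(1636, 1616, TAP, '"%s" install "%s\\letsvpn\\driver\\OemVista.inf" tap0901' % (TAP, PF)),
    ev(2172, 1616, SW + r"\cmd.exe", "cmd /c netsh advfirewall firewall Delete rule name=lets"),
    ev(1752, 2172, SW + r"\netsh.exe", "netsh advfirewall firewall Delete rule name=lets"),
    ev(1572, 1616, SW + r"\cmd.exe", "cmd /c netsh advfirewall firewall Delete rule name=lets.exe"),
    ev(2832, 1572, SW + r"\netsh.exe", "netsh advfirewall firewall Delete rule name=lets.exe"),
    ev(1128, 1616, SW + r"\cmd.exe", "cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe"),
    ev(2692, 1128, SW + r"\netsh.exe", "netsh advfirewall firewall Delete rule name=LetsPRO.exe"),
    ev(2112, 1616, SW + r"\cmd.exe", "cmd /c netsh advfirewall firewall Delete rule name=LetsPRO"),
    ev(2956, 2112, SW + r"\netsh.exe", "netsh advfirewall firewall Delete rule name=LetsPRO"),
    ev(2888, 1616, PF + r"\letsvpn\LetsPRO.exe", '"%s\\letsvpn\\LetsPRO.exe"' % PF),
    ev(1652, 2888, PF + r"\letsvpn\app-3.8.0\LetsPRO.exe", '"%s\\letsvpn\\app-3.8.0\\LetsPRO.exe"' % PF),
    ev(1780, 1652, SW + r"\cmd.exe", '"cmd.exe" /C ipconfig /all'),
    ev(1464, 1780, SW + r"\ipconfig.exe", "ipconfig /all"),
    ev(2368, 1652, SW + r"\cmd.exe", '"cmd.exe" /C route print'),
    ev(1488, 2368, SW + r"\ROUTE.EXE", "route print"),
    ev(1816, 1652, SW + r"\cmd.exe", '"cmd.exe" /C arp -a'),
    ev(1056, 1816, SW + r"\ARP.EXE", "arp -a"),
]

FIREWALL_DELETE = re.compile(r"advfirewall\s+firewall\s+delete\s+rule", re.I)
RANDOM_NAME_AT_PF_ROOT = re.compile(r"^C:\\Program Files( \(x86\))?\\[A-Za-z]{8}\.exe$")
INF_INSTALL = re.compile(r"\binstall\b.*\.inf\b", re.I)
DISCOVERY_CMDS = {"ipconfig /all", "route print", "arp -a", "netstat -an", "whoami", "systeminfo"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list) -> list:
    """Return (rule, pid) findings; discovery commands are correlated per requester."""
    by_pid = {e["pid"]: e for e in events}
    findings, discovery = [], defaultdict(set)
    for e in events:
        image, parent = basename(e["image"]), by_pid.get(e["ppid"])
        # Impair Defenses: firewall rule removed (match netsh itself, not the cmd wrapper)
        if image == "netsh.exe" and FIREWALL_DELETE.search(e["cmd"]):
            findings.append(("firewall_rule_deleted", e["pid"]))
        # Installer launching an 8-letter random-named EXE dropped at the Program Files root
        if parent and basename(parent["image"]) == "msiexec.exe" and RANDOM_NAME_AT_PF_ROOT.match(e["image"]):
            findings.append(("installer_dropped_random_exe", e["pid"]))
        # Driver installation through a dropped tapinstall binary
        if image == "tapinstall.exe" and INF_INSTALL.search(e["cmd"]):
            findings.append(("tap_driver_install", e["pid"]))
        # Discovery burst: attribute through "cmd /C" wrappers to the process that asked
        cmd = e["cmd"].strip().lower()
        if cmd in DISCOVERY_CMDS:
            origin = parent["ppid"] if parent and basename(parent["image"]) == "cmd.exe" else e["ppid"]
            discovery[origin].add(cmd)
    for origin, cmds in discovery.items():
        if len(cmds) >= 3:
            findings.append(("network_discovery_burst", origin))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print("%-30s pid %d" % (rule, pid))
```

On this tree the rules return four firewall deletions (PIDs 1752, 2832, 2692, 2956), two random-named executables launched by msiexec (1096, 1616), one driver install (1636) and one discovery burst attributed to LetsPRO.exe (1652). The discovery attribution is the part worth keeping in a real rule set: without walking back through the cmd.exe wrapper, each of ipconfig, route and arp has a different parent and the burst never reaches the threshold.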
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Installer Packages (1), Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (2): Installer Packages (1), Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (2): Disable or Modify System Firewall (1), Disable or Modify Tools (1)
- Modify Registry (3)
- Subvert Trust Controls (1): Install Root Certificate (1)
- System Binary Proxy Execution (1): Msiexec (1)
Downloads
-
Filesize
5KB
MD5e378f8903b614f0bf3477268917ef72d
SHA1baf28e5621b13557779e61d03ec59d771459c155
SHA256ae728743388e6c7905dacefabfd51f76868a7f5a92f8cb4a65c96c8c7dc20275
SHA5120fc187ca054f57ae73e8929903c8eb9a739298b588b6a3183a21a1e7ff6af270ab425feb37608d6fed70dd502234d82f74e060fcef09a0f7f51e803eb8c49653
-
Filesize
6.0MB
MD5a589ea47d27781243203497042014ee3
SHA102af54d118fdb181247e76a79a3acfbb074bf6ea
SHA256d25b465e1a59b452605512566d4417cb44a72d07b989f8cb276849bf4f66ac52
SHA512baed6eda05efb91f65812e117730bd3d6587166667dc3b7e2f1f3c802a713829b5b6c9c0287fe37267e4a4a5f941776aa49adcbe45ffa1da99e9b73c99b0a09e
-
Filesize
878B
MD520b022ca5682bad9fc77a100531b7b43
SHA10f0348527ffe70907e0189696ffee55547c88868
SHA2566fe31003727b98e901d31dd75309bc4d46dc2670e2315544b8e459bba41b5473
SHA512349af6776f2552935f4208c2f605f8348ee5b3e3ffda9dd25749f2337f190bae3c0d395991961a9776cbe5b8858df4f8c7eb00766e21bc5fcd1517c68e569311
-
Filesize
14.5MB
MD59c44be4ceac0c983a812fd8459511fd0
SHA1bd5aaad4acd523cd2855e8b50a8380365d81e041
SHA256b6750a3631413d71d7ea10292a11e5d0560afb6ccd4ad4baa75d7dc80842f153
SHA512372ddeb1045d49e8f98f17bccffb0e3edc2179e541f8a4493300517327e514c7bf64557250e0f84f7366310a3d7a58a8d5480596f9be075b3f5d9411a49b4d09
-
Filesize
412KB
MD5ed40615aa67499e2d2da8389ba9b331a
SHA109780d2c9d75878f7a9bb94599f3dc9386cf3789
SHA256cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d
SHA51247d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee
-
Filesize
756KB
MD5ef3e115c225588a680acf365158b2f4a
SHA1ecda6d3b4642d2451817833b39248778e9c2cbb0
SHA25625d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8
SHA512d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a
-
Filesize
1.4MB
MD538973dbbfad9619fde39fab919eb9a04
SHA109c0b7ec430092c41a576565d8cf8e9df40e12fe
SHA256e7806cd45b774d640bfd1f92e0893d28b87117a9dc25edb490da4449d57ca8ac
SHA512fed73ef38f0008ab93589a6f525866a3f73ce9b090e41482dc4933dadc6f1bce1a26990e8f44704e934528d71e6887d0d44bb38f8b5402cf4c9b2880f16eea67
-
Filesize
22KB
MD53b1d12693ee14f307d7e8b1f08ae23c0
SHA182719e54b457a4e5cc57b33714e67fc0305b6e90
SHA2560b2a37670105e8d30fe0c4aecfad876f669663834a6c91bc89e309fb609032b7
SHA512ac7b99e0fb2e7d656dfc8e5df1fad58e4446c854e6d1d05a48dbd5fe93ab4978c3b206d828d8bcfc874eff0981886be4ae72e063aaccf895959d7cd5456a5e95
-
Filesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize
99KB
MD51e3cf83b17891aee98c3e30012f0b034
SHA1824f299e8efd95beca7dd531a1067bfd5f03b646
SHA2569f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f
SHA512fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b
-
Filesize
19.4MB
MD59ff980feb6fccdb08ab3fe6fc5e428f1
SHA13c60d0fa914291da59a3cc883becd0ea26c1f26a
SHA256d0cdc6b3747195a88b6918926f488215396970aa342e14d6ea819919d274a381
SHA512989d76d721963f46386350c08b4e7a50a52e16d9fc92bc13c7f1fa20997a9aa35a8f144564af9f483b0e3f2fd32d436adfa84cb8638e9c408a79960b6da38618
-
Filesize
129KB
MD57ea6be30e745e9556c017439c5e83273
SHA14e36ae4f8bb1c6a438f8cc6952ec840415b5d9f2
SHA2565a3e4e68ffa8e8796ec0ff3d01473ceafa070dc533a1c268d073ee7abd6c8021
SHA5120a17f4e6e60932282cb28823a77c5ebef7a8c8ee472f00c9ef9eebb0481886647faa698f2c2e193db095c6467f6e41307aff96030fadd3072ba700c1e1e45724
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD550bbdd18853ba060a6b5e3ccc993f22b
SHA148cb1663cf0429db05c974970bff55670b296f04
SHA2569b960712d37bbda946ce840eeef2d299232b7e40c96b0a5e15f1db5e103f24d6
SHA512b462116da520298f6cddc6bcd8c1aca14e94ca354ace8017f9f3f49637acde562b0466215a52f92030be88deb9aa3d5b149bd96df1a4d80dfadde5b4b41ba394
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
51KB
MD57f8e1969b0874c8fb9ab44fc36575380
SHA13057c9ce90a23d29f7d0854472f9f44e87b0f09a
SHA256076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd
SHA5127aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF
Filesize8KB
MD5c703871ed483fed1b9f8912f2cc6a918
SHA16584a63dba15d50f843e3415978792a1c89ae770
SHA256d47297606ef52d61be79e765e8606d67bfef363ee1745c7848ca148f4f36c5f9
SHA512b3ab7b37f40ac00d141edfc024a4c6b27fdbf2390f190da4f0e8644d5ffad069a1ca144bde1b00c7e71d20886b701186bd992e9cc283649e4c7887bf13c6f50c
-
Filesize
1.4MB
MD51effae4c5442cf75e7f1675525c74c46
SHA185d5256f13d88403e4b742b3ae4ec87b5395f70b
SHA256cdaaba5e4e2c97577a5c39160be5978ee61b4aad261f5db492ecfeb97114758a
SHA512da873b03035f0da64a35489cb39f8ff83d2b150e625406e543c308de4d041a6f99bca0d89c1078422ec8ab58ade340e8418ff16c591451017dc00f6b3a4cc34b
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
8KB
MD59c70c57bd0f63094ca036bb2b4c5ea2a
SHA16f26dd6be73f3f78ae5d8c89425351afbe967f55
SHA2562dae52e378374571ed09836122b04ba934dd6023c13051ecfe9ca06486a49d86
SHA51252bab7eb115f7e60a993d1593e112ca7ac580ffb656e8b7b5b40a2063e9be4ea14af2d17a9210f091bf026992f6e592f9ee002c4cb75c9b8f00432a1fb10db85
-
Filesize
30KB
MD5b1c405ed0434695d6fc893c0ae94770c
SHA179ecacd11a5f2b7e2d3f0461eef97b7b91181c46
SHA2564c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246
SHA512635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7
-
Filesize
9KB
MD54fee2548578cd9f1719f84d2cb456dbf
SHA13070ed53d0e9c965bf1ffea82c259567a51f5d5f
SHA256baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24
SHA5126bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49
-
Filesize
240KB
MD5ea9e2f517b1cc2dbe7f78302dd7fb593
SHA1cb326eeee062bfc20be4d07fa989b001811fc03c
SHA256b1037f963c91ab0f586349d5aede8e25686784f46f031dfc422e0d69a9939f48
SHA512d8d38e5243ff8f8e3f790c3587bf0360afd7dd185886da86ad7ad6111eed121e91eca18bac9563ea4e6984c46f88639f58a2073884567ca982383ec2cf32f0eb
-
Filesize
126KB
MD5d615a49b867921d097b87f5653d06da8
SHA19475f5bd2517a71d68388f04a247725814bb0a39
SHA256ca0a071afff810cae52cce1def9456d4ddb8ca1a165a4b0aae16951a6f337542
SHA5121986d66a9638d0cc998ee0534fe9443a41f8988aca226770934c5a9b7157931ec8c456ff0034ec63ef32da842d6bae31d97003ab5d65f3a7e51c2773dc758cbe
-
Filesize
11KB
MD575ed96254fbf894e42058062b4b4f0d1
SHA1996503f1383b49021eb3427bc28d13b5bbd11977
SHA256a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA51258174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
Filesize
9KB
MD5ca95c9da8cef7062813b989ab9486201
SHA1c555af25df3de51aa18d487d47408d5245dba2d1
SHA256feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
SHA512a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9
-
Filesize
6KB
MD53d366250fcf8b755fce575c75f8c79e4
SHA12ebac7df78154738d41aac8e27d7a0e482845c57
SHA2568bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6
SHA51267d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094
-
Filesize
408KB
MD50901970c2066aed8a97d75aaf1fd3146
SHA1f0c700a4bfcebad9843e01a88bab71b5f38996d8
SHA25641f827e6addfc71d68cd4758336edf602349fb1230256ec135121f95c670d773
SHA51200e12fd2d752a01dfa75550ffaf3a2f337171cec93cd013083c37137a455e93bebd72e7d8487ec3e1de5fe22994f058829a6597765612278c20d601192cbe733