Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-11-2024 03:58
Static task
static1
Behavioral task
behavioral1
Sample
10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
Resource
win7-20241010-en
windows7-x64
29 signatures
150 seconds
Behavioral task
behavioral2
Sample
10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
Resource
win10v2004-20241007-en
windows10-2004-x64
30 signatures
150 seconds
General
-
Target
10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi
-
Size
40.6MB
-
MD5
4e0c73259e83e8d5f36be55d4a937307
-
SHA1
539d747d30c16f50ddf6b72da1426709edce5732
-
SHA256
10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9
-
SHA512
eaca63ff0faafdd6014864517a9fb92e82d970c99084d6cbf5b493b0b0ca6372541493f4c11b426c09b160369fb4da07d928d74a20078ab3e0743b54e5be99b5
-
SSDEEP
786432:BxAq3kvG6v0/moop9AaRDEzVARzgsBBSs7ndpTp1Z4qaNrk+0/iClRu:cqUvL8/mfACxgUBSkdvAPy6CPu
Malware Config
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" msiexec.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DsGtQhLH = "\"C:\\Program Files (x86)\\Common Files\\DsGtQhLH.lnk\"" msiexec.exe Set value (str) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.8.0\\LetsPRO.exe\" /silent" LetsPRO.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: pYkYZuRh.exe File opened (read-only) \??\Q: pYkYZuRh.exe File opened (read-only) \??\W: pYkYZuRh.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\J: pYkYZuRh.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: pYkYZuRh.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\X: pYkYZuRh.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: pYkYZuRh.exe File opened (read-only) \??\Y: pYkYZuRh.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: pYkYZuRh.exe File opened (read-only) \??\O: pYkYZuRh.exe File opened (read-only) \??\P: pYkYZuRh.exe File opened (read-only) \??\Z: pYkYZuRh.exe File opened (read-only) \??\S: pYkYZuRh.exe File opened (read-only) \??\T: pYkYZuRh.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: pYkYZuRh.exe File opened (read-only) \??\R: pYkYZuRh.exe File opened (read-only) \??\V: pYkYZuRh.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\K: pYkYZuRh.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\N: pYkYZuRh.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: pYkYZuRh.exe File opened (read-only) \??\M: pYkYZuRh.exe File opened (read-only) \??\I: pYkYZuRh.exe File opened (read-only) \??\N: msiexec.exe -
Modifies Windows Firewall 2 TTPs 4 IoCs
pid Process 2704 netsh.exe 1236 netsh.exe 4152 netsh.exe 2004 netsh.exe -
pid Process 392 ARP.EXE 3548 cmd.exe -
Drops file in System32 directory 16 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\SETDD8.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF tapinstall.exe File created C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\SETDC7.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\SETDC6.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\SETDC6.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\tap0901.cat DrvInst.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\SETDC7.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{4040db3b-756d-3649-9a79-80c7bf7d3cda}\SETDD8.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys DrvInst.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
pid Process 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.FileVersionInfo.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\ru\LetsPRO.resources.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\zh-HK\LetsPRO.resources.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1 DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe.config DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Web.WebView2.Core.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.StackTrace.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.Encoding.Extensions.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.Timer.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Collections.NonGeneric.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Reflection.Extensions.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.CompilerServices.VisualC.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.Compression.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.InteropServices.RuntimeInformation.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Duplex.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Http.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Resources.ResourceManager.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Pdb.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\SQLiteNetExtensions.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Primitives.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceProcess.ServiceController.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XDocument.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\PusherClient.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Diagnostics.Tracing.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\uninst.exe DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\Mono.Cecil.Mdb.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.Watcher.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Linq.Queryable.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.Encoding.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\es\System.Web.Services.Description.resources.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\DeltaCompressionDotNet.MsDelta.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\SQLitePCLRaw.core.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.WebHeaderCollection.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.Cryptography.X509Certificates.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\PusherClient.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Resources.Reader.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.InteropServices.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Text.RegularExpressions.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\WebSocket4Net.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.ReaderWriter.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\netstandard.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\runtimes\win-x86\native\e_sqlite3.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\Squirrel.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.EventBasedAsync.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.Numerics.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Security.AccessControl.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.ComponentModel.Primitives.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Console.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.NetworkInformation.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.ServiceModel.Primitives.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Xml.XmlSerializer.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\LetsVPNDomainModel.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\SuperSocket.ClientEngine.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Net.WebSockets.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Runtime.CompilerServices.VisualC.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\zh-HK DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.Drawing.Primitives.dll DsGtQhLH.exe File created C:\Program Files (x86)\letsvpn\app-3.8.0\System.Threading.ThreadPool.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\Microsoft.Win32.SystemEvents.dll DsGtQhLH.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.8.0\System.IO.FileSystem.DriveInfo.dll DsGtQhLH.exe -
Drops file in Windows directory 15 IoCs
description ioc Process File opened for modification C:\Windows\Installer\e57bd35.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIBF2A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC2C6.tmp msiexec.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{3DF6BF22-E312-4270-9646-C64980167B87} msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File created C:\Windows\Installer\e57bd35.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\MSIBEEB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC0D1.tmp msiexec.exe -
Executes dropped EXE 7 IoCs
pid Process 2188 pYkYZuRh.exe 4228 DsGtQhLH.exe 4716 tapinstall.exe 3016 tapinstall.exe 392 tapinstall.exe 3028 LetsPRO.exe 964 LetsPRO.exe -
Loads dropped DLL 64 IoCs
pid Process 868 MsiExec.exe 868 MsiExec.exe 868 MsiExec.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 4228 DsGtQhLH.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe -
pid Process 4584 powershell.exe 5092 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 432 msiexec.exe -
Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 22 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DsGtQhLH.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ARP.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ROUTE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pYkYZuRh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language powershell.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags tapinstall.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom tapinstall.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom tapinstall.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 LetsPRO.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz LetsPRO.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2300 ipconfig.exe -
Modifies data under HKEY_USERS 42 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client" svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692 LetsPRO.exe Set value (data) \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692\Blob = 030000000100000014000000329b78a5c9ebc2043242de90ce1b7c6b1ba6c69214000000010000001400000032eb929aff3596482f284042702036915c1785e60400000001000000100000002aa320982e00193fad3bd0ea5406e4cd0f0000000100000030000000a229d2722bc6091d73b1d979b81088c977cb028a6f7cbf264bb81d5cc8f099f87d7c296e48bf09d7ebe275f5498661a41900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c5c0000000100000004000000001000001800000001000000100000002aa1c05e2ae606f198c2c5e937c97aa24b0000000100000044000000420032004600410046003700360039003200460044003900460046004200440036003400450044004500330031003700450034003200330033003400420041005f0000002000000001000000730500003082056f30820457a003020102021048fc93b46055948d36a7c98a89d69416300d06092a864886f70d01010c0500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3231303532353030303030305a170d3238313233313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a38201123082010e301f0603551d23041830168014a0110a233e96f107ece2af29ef82a57fd030a4b4301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff30130603551d25040c300a06082b06010505070303301b0603551d200414301230060604551d20003008060667810c01040130430603551d1f043c303a3038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e636f6d6f646f63612e636f6d300d06092a864886f70d01010c0500038201010012bfa1ef8b749a9844b86946b5ab240a0ca48a67b83a81bf458a7d5207a88d1f4e218539a36b5e2d2086bf10b8ae793b53cdb4fbd844be06d95c6367d44016874486722ad63215f51283c2f9e15d114067f6422772c523e202381a4c20e2db01f7cd464f26a27c66c05136b6890254c7fc58fb6c00eefe98a62e95a10c53291f6fd819a64f9ef7ac09ea5d82c68baf80a7bd8148528431da32ec15e4a64c3d6c3973d40b853920e0851a68e1a74838a9d1362577c18d1916c5884c667d2f63ce98e869dfac3ca85d9dc91c5baed8f32f74cfb87ef6d7839d1196629aae4513da7fdc47fbdfc3529fe60655e99d8cf23a6251bcec240f29d4588084e4457b5ad8 LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D LetsPRO.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 0f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be0b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000006200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a3814000000010000001400000032eb929aff3596482f284042702036915c1785e61d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f609000000010000000c000000300a06082b06010505070303030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2 LetsPRO.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 1900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d09000000010000000c000000300a06082b060105050703031d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f614000000010000001400000032eb929aff3596482f284042702036915c1785e66200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a380b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000000f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2 LetsPRO.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5060 msiexec.exe 5060 msiexec.exe 4584 powershell.exe 4584 powershell.exe 4584 powershell.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 5092 powershell.exe 5092 powershell.exe 5092 powershell.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe 2188 pYkYZuRh.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2188 pYkYZuRh.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 432 msiexec.exe Token: SeIncreaseQuotaPrivilege 432 msiexec.exe Token: SeSecurityPrivilege 5060 msiexec.exe Token: SeCreateTokenPrivilege 432 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 432 msiexec.exe Token: SeLockMemoryPrivilege 432 msiexec.exe Token: SeIncreaseQuotaPrivilege 432 msiexec.exe Token: SeMachineAccountPrivilege 432 msiexec.exe Token: SeTcbPrivilege 432 msiexec.exe Token: SeSecurityPrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeLoadDriverPrivilege 432 msiexec.exe Token: SeSystemProfilePrivilege 432 msiexec.exe Token: SeSystemtimePrivilege 432 msiexec.exe Token: SeProfSingleProcessPrivilege 432 msiexec.exe Token: SeIncBasePriorityPrivilege 432 msiexec.exe Token: SeCreatePagefilePrivilege 432 msiexec.exe Token: SeCreatePermanentPrivilege 432 msiexec.exe Token: SeBackupPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeShutdownPrivilege 432 msiexec.exe Token: SeDebugPrivilege 432 msiexec.exe Token: SeAuditPrivilege 432 msiexec.exe Token: SeSystemEnvironmentPrivilege 432 msiexec.exe Token: SeChangeNotifyPrivilege 432 msiexec.exe Token: SeRemoteShutdownPrivilege 432 msiexec.exe Token: SeUndockPrivilege 432 msiexec.exe Token: SeSyncAgentPrivilege 432 msiexec.exe Token: SeEnableDelegationPrivilege 432 msiexec.exe Token: SeManageVolumePrivilege 432 msiexec.exe Token: SeImpersonatePrivilege 432 msiexec.exe Token: SeCreateGlobalPrivilege 432 msiexec.exe Token: SeBackupPrivilege 2912 vssvc.exe Token: SeRestorePrivilege 2912 vssvc.exe Token: SeAuditPrivilege 2912 vssvc.exe Token: SeBackupPrivilege 5060 msiexec.exe Token: SeRestorePrivilege 5060 msiexec.exe Token: SeRestorePrivilege 5060 msiexec.exe Token: SeTakeOwnershipPrivilege 5060 msiexec.exe Token: SeRestorePrivilege 5060 msiexec.exe Token: SeTakeOwnershipPrivilege 5060 msiexec.exe Token: SeRestorePrivilege 5060 msiexec.exe Token: SeTakeOwnershipPrivilege 5060 msiexec.exe Token: SeRestorePrivilege 5060 msiexec.exe Token: SeTakeOwnershipPrivilege 5060 msiexec.exe Token: SeRestorePrivilege 5060 msiexec.exe Token: SeTakeOwnershipPrivilege 5060 msiexec.exe Token: SeRestorePrivilege 5060 msiexec.exe Token: SeTakeOwnershipPrivilege 5060 msiexec.exe Token: SeRestorePrivilege 5060 msiexec.exe Token: SeTakeOwnershipPrivilege 5060 msiexec.exe Token: SeDebugPrivilege 4584 powershell.exe Token: SeBackupPrivilege 1692 srtasks.exe Token: SeRestorePrivilege 1692 srtasks.exe Token: SeSecurityPrivilege 1692 srtasks.exe Token: SeTakeOwnershipPrivilege 1692 srtasks.exe Token: SeBackupPrivilege 1692 srtasks.exe Token: SeRestorePrivilege 1692 srtasks.exe Token: SeSecurityPrivilege 1692 srtasks.exe Token: SeTakeOwnershipPrivilege 1692 srtasks.exe Token: SeDebugPrivilege 5092 powershell.exe Token: SeAuditPrivilege 3620 svchost.exe Token: SeSecurityPrivilege 3620 svchost.exe Token: SeLoadDriverPrivilege 3016 tapinstall.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 432 msiexec.exe 432 msiexec.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe 964 LetsPRO.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2188 pYkYZuRh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5060 wrote to memory of 1692 5060 msiexec.exe 94 PID 5060 wrote to memory of 1692 5060 msiexec.exe 94 PID 5060 wrote to memory of 868 5060 msiexec.exe 96 PID 5060 wrote to memory of 868 5060 msiexec.exe 96 PID 5060 wrote to memory of 868 5060 msiexec.exe 96 PID 5060 wrote to memory of 2188 5060 msiexec.exe 97 PID 5060 wrote to memory of 2188 5060 msiexec.exe 97 PID 5060 wrote to memory of 2188 5060 msiexec.exe 97 PID 5060 wrote to memory of 4228 5060 msiexec.exe 98 PID 5060 wrote to memory of 4228 5060 msiexec.exe 98 PID 5060 wrote to memory of 4228 5060 msiexec.exe 98 PID 4228 wrote to memory of 4584 4228 DsGtQhLH.exe 100 PID 4228 wrote to memory of 4584 4228 DsGtQhLH.exe 100 PID 4228 wrote to memory of 4584 4228 DsGtQhLH.exe 100 PID 4228 wrote to memory of 5092 4228 DsGtQhLH.exe 103 PID 4228 wrote to memory of 5092 4228 DsGtQhLH.exe 103 PID 4228 wrote to memory of 5092 4228 DsGtQhLH.exe 103 PID 4228 wrote to memory of 4716 4228 DsGtQhLH.exe 107 PID 4228 wrote to memory of 4716 4228 DsGtQhLH.exe 107 PID 4228 wrote to memory of 3016 4228 DsGtQhLH.exe 109 PID 4228 wrote to memory of 3016 4228 DsGtQhLH.exe 109 PID 3620 wrote to memory of 1436 3620 svchost.exe 112 PID 3620 wrote to memory of 1436 3620 svchost.exe 112 PID 3620 wrote to memory of 2036 3620 svchost.exe 113 PID 3620 wrote to memory of 2036 3620 svchost.exe 113 PID 4228 wrote to memory of 1968 4228 DsGtQhLH.exe 115 PID 4228 wrote to memory of 1968 4228 DsGtQhLH.exe 115 PID 4228 wrote to memory of 1968 4228 DsGtQhLH.exe 115 PID 1968 wrote to memory of 4152 1968 cmd.exe 117 PID 1968 wrote to memory of 4152 1968 cmd.exe 117 PID 1968 wrote to memory of 4152 1968 cmd.exe 117 PID 4228 wrote to memory of 2332 4228 DsGtQhLH.exe 118 PID 4228 wrote to memory of 2332 4228 DsGtQhLH.exe 118 PID 4228 wrote to memory of 2332 4228 DsGtQhLH.exe 118 PID 2332 wrote to memory of 2004 2332 cmd.exe 120 PID 2332 wrote to memory of 2004 2332 cmd.exe 120 PID 2332 wrote to memory of 2004 2332 cmd.exe 120 PID 4228 wrote to memory of 3736 4228 DsGtQhLH.exe 121 PID 4228 wrote to memory of 3736 4228 DsGtQhLH.exe 121 PID 4228 wrote to memory of 3736 4228 DsGtQhLH.exe 121 PID 3736 wrote to memory of 2704 3736 cmd.exe 123 PID 3736 wrote to memory of 2704 3736 cmd.exe 123 PID 3736 wrote to memory of 2704 3736 cmd.exe 123 PID 4228 wrote to memory of 228 4228 DsGtQhLH.exe 124 PID 4228 wrote to memory of 228 4228 DsGtQhLH.exe 124 PID 4228 wrote to memory of 228 4228 DsGtQhLH.exe 124 PID 228 wrote to memory of 1236 228 cmd.exe 126 PID 228 wrote to memory of 1236 228 cmd.exe 126 PID 228 wrote to memory of 1236 228 cmd.exe 126 PID 4228 wrote to memory of 392 4228 DsGtQhLH.exe 127 PID 4228 wrote to memory of 392 4228 DsGtQhLH.exe 127 PID 4228 wrote to memory of 3028 4228 DsGtQhLH.exe 129 PID 4228 wrote to memory of 3028 4228 DsGtQhLH.exe 129 PID 4228 wrote to memory of 3028 4228 DsGtQhLH.exe 129 PID 3028 wrote to memory of 964 3028 LetsPRO.exe 130 PID 3028 wrote to memory of 964 3028 LetsPRO.exe 130 PID 3028 wrote to memory of 964 3028 LetsPRO.exe 130 PID 964 wrote to memory of 1968 964 LetsPRO.exe 134 PID 964 wrote to memory of 1968 964 LetsPRO.exe 134 PID 964 wrote to memory of 1968 964 LetsPRO.exe 134 PID 964 wrote to memory of 3288 964 LetsPRO.exe 136 PID 964 wrote to memory of 3288 964 LetsPRO.exe 136 PID 964 wrote to memory of 3288 964 LetsPRO.exe 136 PID 3288 wrote to memory of 2300 3288 cmd.exe 138 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\10152bc59a780129df651a3363b3b1cdecec8df442c8442808824a80564f6be9.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:432
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- UAC bypass
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5060 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C625F8525820A42AA978DBDA296C893B2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:868
-
-
C:\Program Files (x86)\pYkYZuRh.exe"C:\Program Files (x86)\pYkYZuRh.exe"2⤵
- Enumerates connected drives
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2188
-
-
C:\Program Files (x86)\DsGtQhLH.exe"C:\Program Files (x86)\DsGtQhLH.exe"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4584
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"3⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5092
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap09013⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4716
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap09013⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3016
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=lets3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=lets4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:4152
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=lets.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=lets.exe4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2004
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsPRO.exe4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2704
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsPRO3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsPRO4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1236
-
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap09013⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:392
-
-
C:\Program Files (x86)\letsvpn\LetsPRO.exe"C:\Program Files (x86)\letsvpn\LetsPRO.exe"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"C:\Program Files (x86)\letsvpn\app-3.8.0\LetsPRO.exe"4⤵
- Adds Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1968
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ipconfig /all5⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- System Location Discovery: System Language Discovery
- Gathers network information
PID:2300
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C route print5⤵
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\ROUTE.EXEroute print6⤵
- System Location Discovery: System Language Discovery
PID:2672
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C arp -a5⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:3548 -
C:\Windows\SysWOW64\ARP.EXEarp -a6⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:392
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2912
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3620 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{26845b8a-5f6e-354c-aad4-34674c2e99bf}\oemvista.inf" "9" "4d14a44ff" "0000000000000134" "WinSta0\Default" "0000000000000158" "208" "c:\program files (x86)\letsvpn\driver"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1436
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000134"2⤵
- Checks SCSI registry key(s)
PID:2036
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman1⤵
- Modifies data under HKEY_USERS
PID:4596
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3424
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
2Installer Packages
1Netsh Helper DLL
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify System Firewall
1Disable or Modify Tools
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
6KB
MD54c522434ea4137bb356ec2fcf8e80e01
SHA150505658e8dd47609684dd35294af0afa5f0a287
SHA256c39870f600a34060b9efa1ab9739629507acfd70e5fc91c74ae5b70cb7c878d6
SHA5122c0499623487eef5a25f3029111bde549989154763e3584d5782081c148a49a9e00297021d286b2bdc358bc2feb5e3861af9ef1c97334c14a668d569d0cd305e
-
Filesize
6.0MB
MD5a589ea47d27781243203497042014ee3
SHA102af54d118fdb181247e76a79a3acfbb074bf6ea
SHA256d25b465e1a59b452605512566d4417cb44a72d07b989f8cb276849bf4f66ac52
SHA512baed6eda05efb91f65812e117730bd3d6587166667dc3b7e2f1f3c802a713829b5b6c9c0287fe37267e4a4a5f941776aa49adcbe45ffa1da99e9b73c99b0a09e
-
Filesize
943B
MD5b6f59657ee96050c5aad98a653fe2133
SHA138b276bc07dfabe9bccf8ffdb6e8e18692135710
SHA256bb1f6c58ba9b0b2fb519310d9ccbb4d8d493d7ea359b6df566dd39dfc023f164
SHA512623d0c22c052ee3bbec6eafeb411a3a43d694c58b4143fef83446f21f4a645fbc2f2763f315299516b0f9b27402f74903ebf6c8ac754262d8b55b5909c1e1d2c
-
Filesize
898B
MD5eea77b8f53ae7b0034c4ca11c539b652
SHA1399a7618e65ca3b2cb1faf8d32036a3418ee0872
SHA2563b75466e6b8e18156d2e6caf5ff6354b5090b0c8b20202cdc9016c787840565a
SHA512573ac044208714c5d10efefc8b6925e65d7dbf678e6bd5ab6ace446a6d97fed0da2c5c0e9ce2bda807e3b55aaa00b725553919cf5246ee529cdba6892f3bfa0c
-
Filesize
14.5MB
MD59c44be4ceac0c983a812fd8459511fd0
SHA1bd5aaad4acd523cd2855e8b50a8380365d81e041
SHA256b6750a3631413d71d7ea10292a11e5d0560afb6ccd4ad4baa75d7dc80842f153
SHA512372ddeb1045d49e8f98f17bccffb0e3edc2179e541f8a4493300517327e514c7bf64557250e0f84f7366310a3d7a58a8d5480596f9be075b3f5d9411a49b4d09
-
Filesize
412KB
MD5ed40615aa67499e2d2da8389ba9b331a
SHA109780d2c9d75878f7a9bb94599f3dc9386cf3789
SHA256cd28daeda3c8731030e2077e6eccbb609e2098919b05ff310bef8dce1dce2d8d
SHA51247d94c5f4829a0f901b57084c22b24adefb4aec2f7b8df9ea838e485dbc607aa837ed6d3c7186159499c44a3ff488fb04f770c624649a406854d82cd3baf72ee
-
Filesize
756KB
MD5ef3e115c225588a680acf365158b2f4a
SHA1ecda6d3b4642d2451817833b39248778e9c2cbb0
SHA25625d1cc5be93c7a0b58855ad1f4c9df3cfb9ec87e5dc13db85b147b1951ac6fa8
SHA512d51f51336b7a34eb6c8f429597c3d685eb53853ee5e9d4857c40fc7be6956f1b8363d8d34bebad15ccceae45a6eb69f105f2df6a672f15fb0e6f8d0bb1afb91a
-
Filesize
318B
MD5b34636a4e04de02d079ba7325e7565f0
SHA1f32c1211eac22409bb195415cb5a8063431f75cd
SHA256a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df
SHA5126eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f
-
Filesize
240KB
MD5ea9e2f517b1cc2dbe7f78302dd7fb593
SHA1cb326eeee062bfc20be4d07fa989b001811fc03c
SHA256b1037f963c91ab0f586349d5aede8e25686784f46f031dfc422e0d69a9939f48
SHA512d8d38e5243ff8f8e3f790c3587bf0360afd7dd185886da86ad7ad6111eed121e91eca18bac9563ea4e6984c46f88639f58a2073884567ca982383ec2cf32f0eb
-
Filesize
109KB
MD5983f5c1a6f9f50046521d5e393db6527
SHA180da035f9d297d541e76ef2ec888e337c1a1291c
SHA2564cdd18ea19e997bd83ac7af716f7e371a84814cb631a5271e3ffad7c08b83080
SHA5128792e61bdacacd49dbb42cba5f1da33e92dc3aecfe9ce06727833565e570c3025dec08d94d88088a8002d73d401de61d9c1ee9cf2752024696853c5e0e01419f
-
Filesize
1.4MB
MD538973dbbfad9619fde39fab919eb9a04
SHA109c0b7ec430092c41a576565d8cf8e9df40e12fe
SHA256e7806cd45b774d640bfd1f92e0893d28b87117a9dc25edb490da4449d57ca8ac
SHA512fed73ef38f0008ab93589a6f525866a3f73ce9b090e41482dc4933dadc6f1bce1a26990e8f44704e934528d71e6887d0d44bb38f8b5402cf4c9b2880f16eea67
-
Filesize
22KB
MD53b1d12693ee14f307d7e8b1f08ae23c0
SHA182719e54b457a4e5cc57b33714e67fc0305b6e90
SHA2560b2a37670105e8d30fe0c4aecfad876f669663834a6c91bc89e309fb609032b7
SHA512ac7b99e0fb2e7d656dfc8e5df1fad58e4446c854e6d1d05a48dbd5fe93ab4978c3b206d828d8bcfc874eff0981886be4ae72e063aaccf895959d7cd5456a5e95
-
Filesize
21KB
MD5aaf315462a2bfc476f2488349b629b09
SHA11957786412810c8200393f329925bf7f8fcb9fa0
SHA256af1328e99850c6a0f309b582c451e16aec5b8446a57617198c96f353f7ba60be
SHA512ff1b9590653e1333f3031456d70169e789bedf7a3a7b9c69f9076b99d080d6d6006e2812c831b603972445b097a1003f7fb84fc34cabf4ee97ba10cd09140b4b
-
Filesize
693KB
MD54aba39e3b609f3e927d4b4c850a1e9c2
SHA12fc88fdfe44f49567a4160fc7ceba175bbe851b3
SHA256abf8133f5bda0aa4700b7b4b9a8f4a6e2af8f9fc38def6ebbec7045fda493671
SHA512cdd79270d8e0e7999b899d32fc012e0450d65732b68eba982b91f213e6550d5568239eb29267adefbd61ea4e674c1096d04a1a6cbbf67fd51e6d8b8ab2770f07
-
Filesize
126KB
MD5d615a49b867921d097b87f5653d06da8
SHA19475f5bd2517a71d68388f04a247725814bb0a39
SHA256ca0a071afff810cae52cce1def9456d4ddb8ca1a165a4b0aae16951a6f337542
SHA5121986d66a9638d0cc998ee0534fe9443a41f8988aca226770934c5a9b7157931ec8c456ff0034ec63ef32da842d6bae31d97003ab5d65f3a7e51c2773dc758cbe
-
Filesize
3KB
MD528f9077c304d8c626554818a5b5f3b3a
SHA1a01f735fe348383795d61aadd6aab0cc3a9db190
SHA256746b5675ea85c21ef4fcc05e072383a7f83c5fe06aaa391fc3046f34b9817c90
SHA512485c175bc13c64601b15243daecbf72621883c2ff294852c9bbb2681937f7ef0bea65361e0f83131ec989432326442ef387c1ccf2a7ca537c6788b8fd5c0021e
-
Filesize
273KB
MD5e281f008a6d29ae21e0173c97e63ef93
SHA121004cd1d373563298738bdb70f66dca3865c0bd
SHA256146c386529e15c58ca7cb51927616b8310c7ca0855603bc22addbbcdd9502c11
SHA512b8cebc8bbf18aa03872dc74dbab9569682c64dd5c2ad3c07e542ba08bdb1cccfc5a956622daa1c9e218f8d54b9e26b8533091c378b6f386e25f3fccbdc201765
-
Filesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize
99KB
MD51e3cf83b17891aee98c3e30012f0b034
SHA1824f299e8efd95beca7dd531a1067bfd5f03b646
SHA2569f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f
SHA512fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b
-
Filesize
19.4MB
MD59ff980feb6fccdb08ab3fe6fc5e428f1
SHA13c60d0fa914291da59a3cc883becd0ea26c1f26a
SHA256d0cdc6b3747195a88b6918926f488215396970aa342e14d6ea819919d274a381
SHA512989d76d721963f46386350c08b4e7a50a52e16d9fc92bc13c7f1fa20997a9aa35a8f144564af9f483b0e3f2fd32d436adfa84cb8638e9c408a79960b6da38618
-
Filesize
129KB
MD57ea6be30e745e9556c017439c5e83273
SHA14e36ae4f8bb1c6a438f8cc6952ec840415b5d9f2
SHA2565a3e4e68ffa8e8796ec0ff3d01473ceafa070dc533a1c268d073ee7abd6c8021
SHA5120a17f4e6e60932282cb28823a77c5ebef7a8c8ee472f00c9ef9eebb0481886647faa698f2c2e193db095c6467f6e41307aff96030fadd3072ba700c1e1e45724
-
Filesize
1KB
MD533b19d75aa77114216dbc23f43b195e3
SHA136a6c3975e619e0c5232aa4f5b7dc1fec9525535
SHA256b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2
SHA512676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821
-
Filesize
12KB
MD554687e41cc8f3950a64cce1bf67ba3f6
SHA17964701932e187601dc9b6c649f48661c7a4290b
SHA256ec99b9618e6c70ad30df062f82396f38d6226a9db50486f7af53b24c9335f00a
SHA512d13f5bef8c9e12c8b7f0fd4c7ee1133a4821c7eaab3a4697babba66c495112ca50771d427fe414e62e1340ea0c46205aff0c5c50199ec99acb56089ca0bae653
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
11KB
MD575ed96254fbf894e42058062b4b4f0d1
SHA1996503f1383b49021eb3427bc28d13b5bbd11977
SHA256a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
SHA51258174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
-
Filesize
51KB
MD57f8e1969b0874c8fb9ab44fc36575380
SHA13057c9ce90a23d29f7d0854472f9f44e87b0f09a
SHA256076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd
SHA5127aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555
-
Filesize
9KB
MD5ca95c9da8cef7062813b989ab9486201
SHA1c555af25df3de51aa18d487d47408d5245dba2d1
SHA256feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
SHA512a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9
-
Filesize
6KB
MD53d366250fcf8b755fce575c75f8c79e4
SHA12ebac7df78154738d41aac8e27d7a0e482845c57
SHA2568bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6
SHA51267d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094
-
Filesize
408KB
MD50901970c2066aed8a97d75aaf1fd3146
SHA1f0c700a4bfcebad9843e01a88bab71b5f38996d8
SHA25641f827e6addfc71d68cd4758336edf602349fb1230256ec135121f95c670d773
SHA51200e12fd2d752a01dfa75550ffaf3a2f337171cec93cd013083c37137a455e93bebd72e7d8487ec3e1de5fe22994f058829a6597765612278c20d601192cbe733
-
Filesize
24.1MB
MD50094a32ee83bffe8bdd2289cf24051d1
SHA1d89e67315365bc5b5d678d6cd879c9300e39b218
SHA25607cab087bdc39201c02a584fb309eff2da1200f334ce689bb15716777a8be4cd
SHA512b67af792f3c82b4624bc97d540ce1435f894cd56c43f74c4c0c32df849f2779ab1432880ae9fcfd69eba7b1bc905aa865b1f63df117d70cc06049da847c06686
-
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0e117936-65a8-4c1b-b2f1-f87e24cd78a8}_OnDiskSnapshotProp
Filesize6KB
MD5cd153a02674779cfcab5ee38b82af75b
SHA1df1970d8acf1fc712ab2131c52d32674068dbfc8
SHA2562992ec593927c05b20024e67c3b58706b5559080f51c0a81f36ba6afe4b57ab8
SHA5128073b3ac6d6ec2db3971a8e0dc903219ab1fe79e511a377853b126cc4058e2aeb1b79c4b17aae6282dc6373bd9d4a26a7a9dbd77269fc75589d2be53d9ee90e3
-
Filesize
38KB
MD5c10ccdec5d7af458e726a51bb3cdc732
SHA10553aab8c2106abb4120353360d747b0a2b4c94f
SHA256589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253
SHA5127437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981
-
Filesize
10KB
MD5f73ac62e8df97faf3fc8d83e7f71bf3f
SHA1619a6e8f7a9803a4c71f73060649903606beaf4e
SHA256cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b
SHA512f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe
