gh0strat | 55f23b3a54b6b43338997ad5554f046e205042fd00a81a8e04f9bd6a8dcc8c07

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-10-2022 07:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a.msi
Size

13.7MB
MD5

afb73daab97a1a8fb156ed34715a01ca
SHA1

ecb0ea164d1d1ceea4a0fb0d06f61345f4a65ac3
SHA256

4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a
SHA512

35dec58a6525f91f6edb2cd9ef3e53f76cbee700ac7e489cda85a443835d210cbef4d369eb3084cb4ad8f5a06a281ea35908249ff6a4f566623c99d7c94487e9
SSDEEP

393216:w3Bp4yJDyaxkvEIeg/sczcezXEbpFS+zYeOPuet:WBy0Gax2fbDlzEbpFfzYeO

Score

10^/10

gh0strat purplefox discovery evasion rat rootkit trojan vmprotect

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/2036-95-0x0000000010000000-0x0000000010192000-memory.dmp	purplefox_rootkit
behavioral1/memory/2036-101-0x0000000000400000-0x00000000006A8000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2036-95-0x0000000010000000-0x0000000010192000-memory.dmp	family_gh0strat
behavioral1/memory/2036-101-0x0000000000400000-0x00000000006A8000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

Processes:

DrvInst.exe

description	ioc	process
File opened for modification	C:\Windows\system32\DRIVERS\SET48E3.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET48E3.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe

Executes dropped EXE 8 IoCs

Processes:

MSIAFB3.tmpkk.exeletsvpn.exeact.exelsp.exetapinstall.exetapinstall.exetapinstall.exe

pid process

1588 MSIAFB3.tmp
904 kk.exe
1892 letsvpn.exe
1632 act.exe
2036 lsp.exe
2004 tapinstall.exe
1336 tapinstall.exe
1724 tapinstall.exe
Modifies Windows Firewall 1 TTPs 4 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

1104 netsh.exe
844 netsh.exe
1692 netsh.exe
2024 netsh.exe

pid	process
1104	netsh.exe
844	netsh.exe
1692	netsh.exe
2024	netsh.exe

VMProtect packed file 20 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Windows\Installer\MSIAFB3.tmp	vmprotect
behavioral1/memory/1588-59-0x0000000000400000-0x0000000001DFA000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\kk.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\kk.exe	vmprotect
behavioral1/memory/904-65-0x0000000000400000-0x0000000000437000-memory.dmp	vmprotect
\Users\Admin\AppData\Local\Temp\kk.exe	vmprotect
behavioral1/memory/904-67-0x0000000000400000-0x0000000000437000-memory.dmp	vmprotect
behavioral1/memory/1588-75-0x0000000000400000-0x0000000001DFA000-memory.dmp	vmprotect
C:\Users\Public\Pictures\14809\act.exe	vmprotect
\Users\Public\Pictures\14809\act.exe	vmprotect
behavioral1/memory/1632-79-0x000000013FC70000-0x000000013FCF0000-memory.dmp	vmprotect
behavioral1/memory/1632-82-0x000000013FC70000-0x000000013FCF0000-memory.dmp	vmprotect
\Users\Public\Videos\lsp.exe	vmprotect
C:\Users\Public\Videos\lsp.exe	vmprotect
\Users\Public\Videos\lsp.exe	vmprotect
C:\Users\Public\Videos\lsp.exe	vmprotect
behavioral1/memory/2036-93-0x0000000000400000-0x00000000006A8000-memory.dmp	vmprotect
behavioral1/memory/2036-101-0x0000000000400000-0x00000000006A8000-memory.dmp	vmprotect
behavioral1/memory/1632-102-0x000000013FC70000-0x000000013FCF0000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\kk.exe	vmprotect

Loads dropped DLL 23 IoCs

Processes:

MSIAFB3.tmpletsvpn.exekk.exe

pid	process
1588	MSIAFB3.tmp
1588	MSIAFB3.tmp
1588	MSIAFB3.tmp
1892	letsvpn.exe
1892	letsvpn.exe
904	kk.exe
904	kk.exe
904	kk.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe
1892	letsvpn.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in System32 directory 21 IoCs

Processes:

DrvInst.exetapinstall.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\SET5BA8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\SET5BA9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\SET5BA8.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_5a1fec2fbbccefcc\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\SET5BA9.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\SET5BBA.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\SET5BBA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_5a1fec2fbbccefcc\oemvista.PNF	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe

Drops file in Program Files directory 64 IoCs

Processes:

letsvpn.exe

description	ioc	process
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.ComponentModel.EventBasedAsync.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.ComponentModel.Primitives.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Data.Common.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.NetworkInformation.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\log4net.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\DeltaCompressionDotNet.MsDelta.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\DeltaCompressionDotNet.PatchApi.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Linq.Expressions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Linq.Queryable.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.WebSockets.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Runtime.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\zh-MO\LetsPRO.resources.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\ICSharpCode.AvalonEdit.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\Microsoft.AppCenter.Crashes.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\Mono.Cecil.Mdb.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\Mono.Cecil.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.ComponentModel.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Diagnostics.Tools.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.Requests.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Runtime.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Threading.Tasks.Parallel.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Threading.Timer.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\runtimes\win-x64\native	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\uninst.exe	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\FontAwesome.WPF.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.AppContext.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Diagnostics.StackTrace.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.IO.Compression.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Linq.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Memory.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.ObjectModel.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Security.SecureString.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\runtimes\win-x64\native\e_sqlite3.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\Microsoft.Web.WebView2.WinForms.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.WebSockets.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\runtimes\win-x86\native\e_sqlite3.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\Microsoft.Web.WebView2.Wpf.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Diagnostics.TraceSource.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Diagnostics.Tracing.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.IO.FileSystem.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.IO.IsolatedStorage.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.IO.Pipes.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.WebHeaderCollection.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Reflection.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\zh-SG\LetsPRO.resources.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\Microsoft.AppCenter.Analytics.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.ComponentModel.EventBasedAsync.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Reflection.Extensions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Reflection.Primitives.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Security.Cryptography.Csp.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\libwin.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\View\Assets\notification_icon.png	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.IPNetwork.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Net.Sockets.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Resources.Reader.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Text.RegularExpressions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.AppContext.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Globalization.Calendars.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Security.Principal.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Threading.Tasks.Parallel.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Xml.XPath.XDocument.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\driver\tap0901.cat	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\SQLiteNetExtensions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.2.8\System.Linq.Queryable.dll	letsvpn.exe

Drops file in Windows directory 23 IoCs

Processes:

msiexec.exeDrvInst.exeDrvInst.exeDrvInst.exetapinstall.exeDrvInst.exe

description	ioc	process
File created	C:\Windows\Installer\6cabbb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6cabbb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE69.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFB3.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\6cabbd.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\6cabbd.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

SCHTASKS.exe

pid process

1644 SCHTASKS.exe

pid	process
1644	SCHTASKS.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDrvInst.exeDrvInst.exeDrvInst.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32008 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services."	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

tapinstall.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exekk.exeact.exe

pid	process
2040	msiexec.exe
2040	msiexec.exe
904	kk.exe
904	kk.exe
904	kk.exe
904	kk.exe
904	kk.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe
1632	act.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exetapinstall.exe

description	pid	process
Token: SeShutdownPrivilege	1204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1204	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeSecurityPrivilege	2040	msiexec.exe
Token: SeCreateTokenPrivilege	1204	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1204	msiexec.exe
Token: SeLockMemoryPrivilege	1204	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1204	msiexec.exe
Token: SeMachineAccountPrivilege	1204	msiexec.exe
Token: SeTcbPrivilege	1204	msiexec.exe
Token: SeSecurityPrivilege	1204	msiexec.exe
Token: SeTakeOwnershipPrivilege	1204	msiexec.exe
Token: SeLoadDriverPrivilege	1204	msiexec.exe
Token: SeSystemProfilePrivilege	1204	msiexec.exe
Token: SeSystemtimePrivilege	1204	msiexec.exe
Token: SeProfSingleProcessPrivilege	1204	msiexec.exe
Token: SeIncBasePriorityPrivilege	1204	msiexec.exe
Token: SeCreatePagefilePrivilege	1204	msiexec.exe
Token: SeCreatePermanentPrivilege	1204	msiexec.exe
Token: SeBackupPrivilege	1204	msiexec.exe
Token: SeRestorePrivilege	1204	msiexec.exe
Token: SeShutdownPrivilege	1204	msiexec.exe
Token: SeDebugPrivilege	1204	msiexec.exe
Token: SeAuditPrivilege	1204	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1204	msiexec.exe
Token: SeChangeNotifyPrivilege	1204	msiexec.exe
Token: SeRemoteShutdownPrivilege	1204	msiexec.exe
Token: SeUndockPrivilege	1204	msiexec.exe
Token: SeSyncAgentPrivilege	1204	msiexec.exe
Token: SeEnableDelegationPrivilege	1204	msiexec.exe
Token: SeManageVolumePrivilege	1204	msiexec.exe
Token: SeImpersonatePrivilege	1204	msiexec.exe
Token: SeCreateGlobalPrivilege	1204	msiexec.exe
Token: SeBackupPrivilege	1536	vssvc.exe
Token: SeRestorePrivilege	1536	vssvc.exe
Token: SeAuditPrivilege	1536	vssvc.exe
Token: SeBackupPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	556	DrvInst.exe
Token: SeLoadDriverPrivilege	556	DrvInst.exe
Token: SeLoadDriverPrivilege	556	DrvInst.exe
Token: SeLoadDriverPrivilege	556	DrvInst.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	2040	msiexec.exe
Token: SeTakeOwnershipPrivilege	2040	msiexec.exe
Token: SeRestorePrivilege	1336	tapinstall.exe
Token: SeRestorePrivilege	1336	tapinstall.exe
Token: SeRestorePrivilege	1336	tapinstall.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1204 msiexec.exe
1204 msiexec.exe

pid	process
1204	msiexec.exe
1204	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMSIAFB3.tmpkk.exeletsvpn.exeDrvInst.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 1588	2040	msiexec.exe	MSIAFB3.tmp
PID 2040 wrote to memory of 1588	2040	msiexec.exe	MSIAFB3.tmp
PID 2040 wrote to memory of 1588	2040	msiexec.exe	MSIAFB3.tmp
PID 2040 wrote to memory of 1588	2040	msiexec.exe	MSIAFB3.tmp
PID 1588 wrote to memory of 904	1588	MSIAFB3.tmp	kk.exe
PID 1588 wrote to memory of 904	1588	MSIAFB3.tmp	kk.exe
PID 1588 wrote to memory of 904	1588	MSIAFB3.tmp	kk.exe
PID 1588 wrote to memory of 904	1588	MSIAFB3.tmp	kk.exe
PID 1588 wrote to memory of 1892	1588	MSIAFB3.tmp	letsvpn.exe
PID 1588 wrote to memory of 1892	1588	MSIAFB3.tmp	letsvpn.exe
PID 1588 wrote to memory of 1892	1588	MSIAFB3.tmp	letsvpn.exe
PID 1588 wrote to memory of 1892	1588	MSIAFB3.tmp	letsvpn.exe
PID 904 wrote to memory of 1632	904	kk.exe	act.exe
PID 904 wrote to memory of 1632	904	kk.exe	act.exe
PID 904 wrote to memory of 1632	904	kk.exe	act.exe
PID 904 wrote to memory of 1632	904	kk.exe	act.exe
PID 904 wrote to memory of 2036	904	kk.exe	lsp.exe
PID 904 wrote to memory of 2036	904	kk.exe	lsp.exe
PID 904 wrote to memory of 2036	904	kk.exe	lsp.exe
PID 904 wrote to memory of 2036	904	kk.exe	lsp.exe
PID 904 wrote to memory of 1644	904	kk.exe	SCHTASKS.exe
PID 904 wrote to memory of 1644	904	kk.exe	SCHTASKS.exe
PID 904 wrote to memory of 1644	904	kk.exe	SCHTASKS.exe
PID 904 wrote to memory of 1644	904	kk.exe	SCHTASKS.exe
PID 1892 wrote to memory of 2004	1892	letsvpn.exe	tapinstall.exe
PID 1892 wrote to memory of 2004	1892	letsvpn.exe	tapinstall.exe
PID 1892 wrote to memory of 2004	1892	letsvpn.exe	tapinstall.exe
PID 1892 wrote to memory of 2004	1892	letsvpn.exe	tapinstall.exe
PID 1892 wrote to memory of 1336	1892	letsvpn.exe	tapinstall.exe
PID 1892 wrote to memory of 1336	1892	letsvpn.exe	tapinstall.exe
PID 1892 wrote to memory of 1336	1892	letsvpn.exe	tapinstall.exe
PID 1892 wrote to memory of 1336	1892	letsvpn.exe	tapinstall.exe
PID 1996 wrote to memory of 1984	1996	DrvInst.exe	rundll32.exe
PID 1996 wrote to memory of 1984	1996	DrvInst.exe	rundll32.exe
PID 1996 wrote to memory of 1984	1996	DrvInst.exe	rundll32.exe
PID 1892 wrote to memory of 588	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 588	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 588	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 588	1892	letsvpn.exe	cmd.exe
PID 588 wrote to memory of 1104	588	cmd.exe	netsh.exe
PID 588 wrote to memory of 1104	588	cmd.exe	netsh.exe
PID 588 wrote to memory of 1104	588	cmd.exe	netsh.exe
PID 588 wrote to memory of 1104	588	cmd.exe	netsh.exe
PID 1892 wrote to memory of 1788	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1788	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1788	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1788	1892	letsvpn.exe	cmd.exe
PID 1788 wrote to memory of 844	1788	cmd.exe	netsh.exe
PID 1788 wrote to memory of 844	1788	cmd.exe	netsh.exe
PID 1788 wrote to memory of 844	1788	cmd.exe	netsh.exe
PID 1788 wrote to memory of 844	1788	cmd.exe	netsh.exe
PID 1892 wrote to memory of 1300	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1300	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1300	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1300	1892	letsvpn.exe	cmd.exe
PID 1300 wrote to memory of 1692	1300	cmd.exe	netsh.exe
PID 1300 wrote to memory of 1692	1300	cmd.exe	netsh.exe
PID 1300 wrote to memory of 1692	1300	cmd.exe	netsh.exe
PID 1300 wrote to memory of 1692	1300	cmd.exe	netsh.exe
PID 1892 wrote to memory of 1972	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1972	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1972	1892	letsvpn.exe	cmd.exe
PID 1892 wrote to memory of 1972	1892	letsvpn.exe	cmd.exe
PID 1972 wrote to memory of 2024	1972	cmd.exe	netsh.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4f5a8b7ca30c757f4cfcbd338d79dd06ebb6db62451845d7b53f38c54ad7da7a.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1204

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Installer\MSIAFB3.tmp
"C:\Windows\Installer\MSIAFB3.tmp"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588

C:\Users\Admin\AppData\Local\Temp\kk.exe
C:\Users\Admin\AppData\Local\Temp\kk.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Public\Pictures\14809\act.exe
C:\Users\Public\Pictures\14809\act.exe 6 23321 fds01234fs56789123afds
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1632

C:\Users\Public\Videos\lsp.exe
C:\Users\Public\Videos\lsp.exe
4⤵
- Executes dropped EXE
PID:2036

C:\Windows\SysWOW64\SCHTASKS.exe
SCHTASKS /Create /SC ONLOGON /TN active /F /RL HIGHEST /TR C:\Users\Public\Pictures\14809\ttvip.exe
4⤵
- Creates scheduled task(s)
PID:1644

C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1892

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
4⤵
- Executes dropped EXE
PID:2004

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1336

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=lets
4⤵
- Suspicious use of WriteProcessMemory
PID:588

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=lets
5⤵
- Modifies Windows Firewall
PID:1104

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=lets.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=lets.exe
5⤵
- Modifies Windows Firewall
PID:844

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
4⤵
- Suspicious use of WriteProcessMemory
PID:1300

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=LetsPRO.exe
5⤵
- Modifies Windows Firewall
PID:1692

C:\Windows\SysWOW64\cmd.exe
cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
4⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall Delete rule name=LetsPRO
5⤵
- Modifies Windows Firewall
PID:2024

C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
4⤵
- Executes dropped EXE
PID:1724

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "000000000000005C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:556

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{39311e5e-6083-6e6e-3045-6161bbd1c450}\oemvista.inf" "9" "6d14a44ff" "0000000000000580" "WinSta0\Default" "00000000000003C0" "208" "c:\program files (x86)\letsvpn\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{534e38e3-e61f-662e-c9f3-1b47bac0ac6a} Global\{0b35f05c-f8cb-7b2d-5457-fd2b29854f78} C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\tap0901.cat
2⤵
PID:1984

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000060" "00000000000005D8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:1724

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.0.0.9:tap0901" "6d14a44ff" "0000000000000580" "00000000000005BC" "00000000000005D8"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:288

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\letsvpn\driver\OemVista.inf
Filesize
7KB

MD5
b6aada0cbed06889053a05b66f146979

SHA1
823025f02b355b37df7d7657b0f2b4d3584891a5

SHA256
a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707

SHA512
9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk.exe
Filesize
75KB

MD5
6050e96866489fe27ed9babad1857036

SHA1
64f2bbb3e24a665b119fed0aea149eda7723ca24

SHA256
7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

SHA512
ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

Download Submit
C:\Users\Admin\AppData\Local\Temp\kk.exe
Filesize
75KB

MD5
6050e96866489fe27ed9babad1857036

SHA1
64f2bbb3e24a665b119fed0aea149eda7723ca24

SHA256
7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

SHA512
ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

Download Submit
C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
Filesize
12.3MB

MD5
8834ec8d35669dd623ba5c6986ff2748

SHA1
1a475633f1ea1ab47edb1c030ce2ea933c0a934c

SHA256
addd2cd8d45632e65f49b6ce71614af32332741307be5a02f16015af13090cf2

SHA512
00b3578f4e79a5af041dc2364b2cbcc73930c5d1893b3646d8eb652c89573773abc9dc9bf1de2aff05053942a1615cbe17c0ed6ce0e019b649f0b11301cbcf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\letsvpn.exe
Filesize
12.3MB

MD5
8834ec8d35669dd623ba5c6986ff2748

SHA1
1a475633f1ea1ab47edb1c030ce2ea933c0a934c

SHA256
addd2cd8d45632e65f49b6ce71614af32332741307be5a02f16015af13090cf2

SHA512
00b3578f4e79a5af041dc2364b2cbcc73930c5d1893b3646d8eb652c89573773abc9dc9bf1de2aff05053942a1615cbe17c0ed6ce0e019b649f0b11301cbcf4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{39311e5e-6083-6e6e-3045-6161bbd1c450}\oemvista.inf
Filesize
7KB

MD5
b6aada0cbed06889053a05b66f146979

SHA1
823025f02b355b37df7d7657b0f2b4d3584891a5

SHA256
a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707

SHA512
9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{39311e5e-6083-6e6e-3045-6161bbd1c450}\tap0901.cat
Filesize
10KB

MD5
0365c95d5be2b3d314dcc019380c0e11

SHA1
c269cee763f580e890d2eae42a8e98116e04a232

SHA256
6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503

SHA512
9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{39311~1\tap0901.sys
Filesize
39KB

MD5
3c32ff010f869bc184df71290477384e

SHA1
9dec39ca0d13cd4aadf4120de29665c426be9f2b

SHA256
55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b

SHA512
2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

Download Submit
C:\Users\Public\Pictures\14809\act.exe
Filesize
225KB

MD5
2948e1979ceb27384ea7f04348a7ecf1

SHA1
5dd956e1c15e86ec9ca3f9d6c317ad76a2f20eb9

SHA256
e875be898d622c1d03a383ca8fed987e34bd8b47effee0044a38cc68012b49c1

SHA512
bf2168d807570e910f33b8bec9d64feceaef340f65aa3face2b5ed848977931bf9392bf4f326294638729907a6dc0ab453cee99fcbc3f691388252b50dbd978b

Download Submit
C:\Users\Public\Videos\lsp.exe
Filesize
1.0MB

MD5
95f15e5ca91150a6caf86ada3023cc58

SHA1
6254bb5d18d7ccff4c698ec771c9bed56653d117

SHA256
2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

SHA512
bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

Download Submit
C:\Users\Public\Videos\lsp.exe
Filesize
1.0MB

MD5
95f15e5ca91150a6caf86ada3023cc58

SHA1
6254bb5d18d7ccff4c698ec771c9bed56653d117

SHA256
2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

SHA512
bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

Download Submit
C:\Windows\INF\oem2.inf
Filesize
7KB

MD5
b6aada0cbed06889053a05b66f146979

SHA1
823025f02b355b37df7d7657b0f2b4d3584891a5

SHA256
a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707

SHA512
9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

Download Submit
C:\Windows\Installer\MSIAFB3.tmp
Filesize
13.5MB

MD5
527111c6ff1bed78302d2a59a772bebe

SHA1
94dcdb1aa606356a613584e016d201fe9246e0f3

SHA256
97935af097104cb5cbafefb482f1e748613eeb6dadf80bc95c88fcc2aac6580c

SHA512
12c30789892746c02478ac9f920f3b6eeb37de2d36b432ba3aa4e13980eeffa869cf0be381c9a50f80dabbdfdd5d61a0a36c53dcf55ecf37b6b50690f4dae6e8

Download Submit
C:\Windows\System32\DRIVER~1\FILERE~1\OEMVIS~1.INF\tap0901.sys
Filesize
39KB

MD5
3c32ff010f869bc184df71290477384e

SHA1
9dec39ca0d13cd4aadf4120de29665c426be9f2b

SHA256
55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b

SHA512
2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_5a1fec2fbbccefcc\oemvista.PNF
Filesize
8KB

MD5
e4e1e8f495c9fa419d4519868f7dc24b

SHA1
96f2632f3a226175142e8fe25c46fea8d81d4965

SHA256
5fd94972d90e19f0724d786af469e4b877075c46b2afe8bd573e229d51fcacde

SHA512
61b0bbcc56b9edfc1a48c8772ddc7bae3f5decacf0592e332c850dc7d8079e0dc9691abeff268d995ae91c0e6f5b1bb042233d91fb3bc7ee7d54634d108d0c9a

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1
Filesize
1.4MB

MD5
d2ae52d906896a5c90f95d598fa8c474

SHA1
52c62d77c00e00158652a7578342a840c267e010

SHA256
2e16e5a31fc4aeb07d4531859b9ac8230f70f2ec431297def270aaef86bd2dea

SHA512
e1cb170765a24c7109d6ecbb7613faa300dd3c58ab0f937b9772157ce634861cc1bcd742de9e6d2e27f4b001977a157d39277d5d90c2fe9dbda4a638e81634f2

Download Submit
C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\oemvista.inf
Filesize
7KB

MD5
b6aada0cbed06889053a05b66f146979

SHA1
823025f02b355b37df7d7657b0f2b4d3584891a5

SHA256
a6e72b88e42d2b478615c5a16bbedb3fd02b0dd3def3a79840fc6a5df8312707

SHA512
9f8a6b0ad5ae4ea4c14043d663fd5aca2f1884ece0975b13c0533eb93103eb89120c1884121d71c8f9d09f5d210926fdba3b29fc6cf87f601bbc0f359c31d4ad

Download Submit
C:\Windows\System32\DriverStore\Temp\{471c6ec1-3628-0000-4a19-3536301eaa0f}\tap0901.cat
Filesize
10KB

MD5
0365c95d5be2b3d314dcc019380c0e11

SHA1
c269cee763f580e890d2eae42a8e98116e04a232

SHA256
6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503

SHA512
9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

Download Submit
\??\PIPE\samr
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys
Filesize
39KB

MD5
3c32ff010f869bc184df71290477384e

SHA1
9dec39ca0d13cd4aadf4120de29665c426be9f2b

SHA256
55cfcec7f026c6e2e96a2fbe846ab513bb12bb0348735274fe1b71af019c837b

SHA512
2443368fa5b93ebe112a169d1fff625a9a1a26f206dfeb6b85b4a2f9acec6ccfc7e821d15b69e93848cbad58b86c83114c83338162ea0fedd1a0798fab1700ff

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat
Filesize
10KB

MD5
0365c95d5be2b3d314dcc019380c0e11

SHA1
c269cee763f580e890d2eae42a8e98116e04a232

SHA256
6f997d53abfc991e23f08256fbde3eb21a1680af2e504b7accfef0f1d8909503

SHA512
9acfc1ce0b46d3edc9708c16ae39a0707dcfc86fc6ba66f7e1712c383babde4c4cfb25338abe511429b67c39f2c2e30e0eb4c94e9987a7919e9b5cae53b4d24c

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe
Filesize
241KB

MD5
d7feeb6db9035951f1acf6f42dff28af

SHA1
433043803f701d2a98af13144c0dbc55b8102fcf

SHA256
7619a4e0d6d4c3c26da4285c6abc69974b4754017fae530768a288e153520be0

SHA512
22785e6f7207c3b6b9ab6fa2f15e78d7fba396eff6ab7e268284bd6379f3b8c7c8ab64ec802d306435d795122ccc5be858895f5ef2a30d5080bfa4ad832dacd8

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe
Filesize
241KB

MD5
d7feeb6db9035951f1acf6f42dff28af

SHA1
433043803f701d2a98af13144c0dbc55b8102fcf

SHA256
7619a4e0d6d4c3c26da4285c6abc69974b4754017fae530768a288e153520be0

SHA512
22785e6f7207c3b6b9ab6fa2f15e78d7fba396eff6ab7e268284bd6379f3b8c7c8ab64ec802d306435d795122ccc5be858895f5ef2a30d5080bfa4ad832dacd8

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe
Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
\Users\Admin\AppData\Local\Temp\kk.exe
Filesize
75KB

MD5
6050e96866489fe27ed9babad1857036

SHA1
64f2bbb3e24a665b119fed0aea149eda7723ca24

SHA256
7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

SHA512
ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

Download Submit
\Users\Admin\AppData\Local\Temp\kk.exe
Filesize
75KB

MD5
6050e96866489fe27ed9babad1857036

SHA1
64f2bbb3e24a665b119fed0aea149eda7723ca24

SHA256
7b1e8fe7a9f17c6225df8151506724c6ad2d7e469593bb4095427ee430b617ad

SHA512
ce528812778066db7323e0ebce59ec350574713260abd8e9cfbabbff94ec6dad2c6beeb8998c2e7fcb62938a57a3e13596ea23407551563ab22624f7a89cd809

Download Submit
\Users\Admin\AppData\Local\Temp\letsvpn.exe
Filesize
12.3MB

MD5
8834ec8d35669dd623ba5c6986ff2748

SHA1
1a475633f1ea1ab47edb1c030ce2ea933c0a934c

SHA256
addd2cd8d45632e65f49b6ce71614af32332741307be5a02f16015af13090cf2

SHA512
00b3578f4e79a5af041dc2364b2cbcc73930c5d1893b3646d8eb652c89573773abc9dc9bf1de2aff05053942a1615cbe17c0ed6ce0e019b649f0b11301cbcf4e

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\System.dll
Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsDialogs.dll
Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsExec.dll
Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Admin\AppData\Local\Temp\nseCA15.tmp\nsProcess.dll
Filesize
4KB

MD5
f0438a894f3a7e01a4aae8d1b5dd0289

SHA1
b058e3fcfb7b550041da16bf10d8837024c38bf6

SHA256
30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11

SHA512
f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

Download Submit
\Users\Public\Pictures\14809\act.exe
Filesize
225KB

MD5
2948e1979ceb27384ea7f04348a7ecf1

SHA1
5dd956e1c15e86ec9ca3f9d6c317ad76a2f20eb9

SHA256
e875be898d622c1d03a383ca8fed987e34bd8b47effee0044a38cc68012b49c1

SHA512
bf2168d807570e910f33b8bec9d64feceaef340f65aa3face2b5ed848977931bf9392bf4f326294638729907a6dc0ab453cee99fcbc3f691388252b50dbd978b

Download Submit
\Users\Public\Videos\lsp.exe
Filesize
1.0MB

MD5
95f15e5ca91150a6caf86ada3023cc58

SHA1
6254bb5d18d7ccff4c698ec771c9bed56653d117

SHA256
2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

SHA512
bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

Download Submit
\Users\Public\Videos\lsp.exe
Filesize
1.0MB

MD5
95f15e5ca91150a6caf86ada3023cc58

SHA1
6254bb5d18d7ccff4c698ec771c9bed56653d117

SHA256
2a013ff275babc22d4a7041cb52dbd641aa918227cf4943a6ec927d89f9fccad

SHA512
bcf827c2aae0bb58f2c10e25767b89b957d4ef00f4f83ef73d02609d6359037f3f11f683838319f6d39e0db6eadea9ae7f4f5f08f0fd8efa1bf52c77094f7f40

Download Submit
memory/588-134-0x0000000000000000-mapping.dmp

Download
memory/844-139-0x0000000000000000-mapping.dmp

Download
memory/904-125-0x0000000003180000-0x0000000003428000-memory.dmp

Filesize
2.7MB

Download
memory/904-90-0x0000000003180000-0x0000000003428000-memory.dmp

Filesize
2.7MB

Download
memory/904-83-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/904-92-0x0000000003180000-0x0000000003428000-memory.dmp

Filesize
2.7MB

Download
memory/904-81-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/904-62-0x0000000000000000-mapping.dmp

Download
memory/904-65-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/904-67-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/904-126-0x0000000003180000-0x0000000003428000-memory.dmp

Filesize
2.7MB

Download
memory/1104-135-0x0000000000000000-mapping.dmp

Download
memory/1204-54-0x000007FEFB741000-0x000007FEFB743000-memory.dmp

Filesize
8KB

Download
memory/1300-142-0x0000000000000000-mapping.dmp

Download
memory/1336-113-0x0000000000000000-mapping.dmp

Download
memory/1588-75-0x0000000000400000-0x0000000001DFA000-memory.dmp

Filesize
26.0MB

Download
memory/1588-56-0x0000000000000000-mapping.dmp

Download
memory/1588-58-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

Filesize
8KB

Download
memory/1588-66-0x0000000000220000-0x0000000000257000-memory.dmp

Filesize
220KB

Download
memory/1588-59-0x0000000000400000-0x0000000001DFA000-memory.dmp

Filesize
26.0MB

Download
memory/1632-102-0x000000013FC70000-0x000000013FCF0000-memory.dmp

Filesize
512KB

Download
memory/1632-79-0x000000013FC70000-0x000000013FCF0000-memory.dmp

Filesize
512KB

Download
memory/1632-82-0x000000013FC70000-0x000000013FCF0000-memory.dmp

Filesize
512KB

Download
memory/1632-77-0x0000000000000000-mapping.dmp

Download
memory/1644-89-0x0000000000000000-mapping.dmp

Download
memory/1692-143-0x0000000000000000-mapping.dmp

Download
memory/1724-151-0x0000000000000000-mapping.dmp

Download
memory/1788-138-0x0000000000000000-mapping.dmp

Download
memory/1892-69-0x0000000000000000-mapping.dmp

Download
memory/1972-146-0x0000000000000000-mapping.dmp

Download
memory/1984-121-0x0000000000000000-mapping.dmp

Download
memory/2004-109-0x0000000000000000-mapping.dmp

Download
memory/2024-147-0x0000000000000000-mapping.dmp

Download
memory/2036-95-0x0000000010000000-0x0000000010192000-memory.dmp

Filesize
1.6MB

Download
memory/2036-86-0x0000000000000000-mapping.dmp

Download
memory/2036-101-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download
memory/2036-93-0x0000000000400000-0x00000000006A8000-memory.dmp

Filesize
2.7MB

Download