Analysis

max time kernel: 36s
max time network: 40s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 21-05-2024 05:21
Static task: static1
General

Target: lets.exe
Size: 42.0MB
MD5: 8a3c7e3beb7fcb705d4ecf227918bec4
SHA1: 10355d8fe4b431e3fcddd55df4521950907833ab
SHA256: e3a7b4653b6d2f1270192a01da0b71f7682c6689636a8aab28b82e7365de142f
SHA512: 7b4926ed15801529a39ade6cd56db19784b734daae60c13deb3e77508a85ed8a0434737734caf210571e9290ef7af0e90740492d1b7b966bc4682c406f0da6ca
SSDEEP: 786432:FDQhzq1UfvJNik9GKMCJo8vTWz1HcRVXbjP+1AjozPvDeiq9esxqmStk37WAU796:9yFBQa9MYowTm1AVnPC8MH6iq9dqmElS
Malware Config

Signatures

Drops file in Drivers directory 3 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\SETD3BB.tmp | DrvInst.exe
  File created | C:\Windows\System32\drivers\SETD3BB.tmp | DrvInst.exe
  File opened for modification | C:\Windows\System32\drivers\tap0901.sys | DrvInst.exe

Modifies Windows Firewall 2 TTPs 4 IoCs
  pid | Process
  2968 | netsh.exe
  920 | netsh.exe
  1732 | netsh.exe
  376 | netsh.exe

Executes dropped EXE 7 IoCs
  pid | Process
  4608 | irsetup.exe
  4468 | upload.exe
  4944 | tmp.exe
  2512 | upload.exe
  2312 | tapinstall.exe
  504 | tapinstall.exe
  4044 | tapinstall.exe

Loads dropped DLL 12 IoCs
  pid | Process
  4608 | irsetup.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe
  4944 | tmp.exe

yara_rule: upx
  resource | yara_rule
  behavioral1/files/0x000700000001ac78-54.dat | upx
  behavioral1/memory/4468-56-0x0000000000400000-0x000000000053F000-memory.dmp | upx
  behavioral1/memory/2512-158-0x0000000000400000-0x000000000053F000-memory.dmp | upx
  behavioral1/memory/4468-645-0x0000000000400000-0x000000000053F000-memory.dmp | upx
  behavioral1/memory/2512-999-0x0000000000400000-0x000000000053F000-memory.dmp | upx

yara_rule: vmprotect
  resource | yara_rule
  behavioral1/memory/4468-95-0x0000000003410000-0x0000000003E59000-memory.dmp | vmprotect
  behavioral1/memory/4468-106-0x0000000003410000-0x0000000003E59000-memory.dmp | vmprotect
  behavioral1/memory/2512-169-0x0000000001F80000-0x00000000029C9000-memory.dmp | vmprotect
  behavioral1/memory/2512-176-0x0000000001F80000-0x00000000029C9000-memory.dmp | vmprotect
  behavioral1/memory/4132-182-0x0000000010000000-0x0000000010A49000-memory.dmp | vmprotect
  behavioral1/memory/4132-189-0x0000000010000000-0x0000000010A49000-memory.dmp | vmprotect

Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 17 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 7 IoCs
  description | ioc | Process
  File opened for modification | C:\Windows\INF\setupapi.dev.log | tapinstall.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File opened for modification | C:\Windows\inf\oem3.inf | DrvInst.exe
  File created | C:\Windows\inf\oem3.inf | DrvInst.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | svchost.exe
  File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
  File created | C:\Windows\INF\oem3.PNF | DrvInst.exe

Command and Scripting Interpreter: PowerShell
  pid | Process
  4188 | powershell.exe
  2136 | powershell.exe

Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 44 IoCs
Suspicious behavior: EnumeratesProcesses 18 IoCs
  pid | Process
  4468 | upload.exe
  4468 | upload.exe
  4188 | powershell.exe
  4188 | powershell.exe
  4188 | powershell.exe
  4468 | upload.exe
  4468 | upload.exe
  4468 | upload.exe
  4468 | upload.exe
  2512 | upload.exe
  2512 | upload.exe
  2512 | upload.exe
  2512 | upload.exe
  4132 | msiexec.exe
  4132 | msiexec.exe
  2136 | powershell.exe
  2136 | powershell.exe
  2136 | powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs
  description | pid | Process
  Token: SeDebugPrivilege | 4188 | powershell.exe
  Token: SeDebugPrivilege | 2136 | powershell.exe
  Token: SeAuditPrivilege | 3156 | svchost.exe
  Token: SeSecurityPrivilege | 3156 | svchost.exe
  Token: SeLoadDriverPrivilege | 504 | tapinstall.exe
  Token: SeRestorePrivilege | 4248 | DrvInst.exe
  Token: SeBackupPrivilege | 4248 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 4248 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 4248 | DrvInst.exe
  Token: SeLoadDriverPrivilege | 4248 | DrvInst.exe
  Token: SeShutdownPrivilege | 4732 | svchost.exe
  Token: SeCreatePagefilePrivilege | 4732 | svchost.exe
  Token: SeLoadDriverPrivilege | 4732 | svchost.exe
  Token: SeLoadDriverPrivilege | 4732 | svchost.exe

Suspicious use of SetWindowsHookEx 13 IoCs
  pid | Process
  4608 | irsetup.exe
  4608 | irsetup.exe
  4608 | irsetup.exe
  4608 | irsetup.exe
  4468 | upload.exe
  4468 | upload.exe
  4468 | upload.exe
  4944 | tmp.exe
  2512 | upload.exe
  2512 | upload.exe
  2312 | tapinstall.exe
  504 | tapinstall.exe
  4044 | tapinstall.exe
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\lets.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\lets.exe"
  - Suspicious use of WriteProcessMemory
  PID:4424
    C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:5563250 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\lets.exe" "__IRCT:1" "__IRTSS:0" "__IRSID:S-1-5-21-160447019-1232603106-4168707212-1000"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:4608
        C:\Program Files (x86)\NetSarangX\upload.exe
          Command line: "C:\Program Files (x86)\NetSarangX\upload.exe" /NOFOCUS /checkin
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          PID:4468
        C:\Program Files\let'svp-n\lets\tmp.exe
          Command line: "C:\Program Files\let'svp-n\lets\tmp.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Program Files directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID:4944
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID:4188
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              Command line: powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
              - Command and Scripting Interpreter: PowerShell
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID:2136
            C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
              Command line: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
              - Executes dropped EXE
              - Checks SCSI registry key(s)
              - Suspicious use of SetWindowsHookEx
              PID:2312
            C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
              Command line: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
              - Executes dropped EXE
              - Drops file in System32 directory
              - Drops file in Windows directory
              - Checks SCSI registry key(s)
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID:504
            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c netsh advfirewall firewall Delete rule name=lets
              PID:4224
                C:\Windows\SysWOW64\netsh.exe
                  Command line: netsh advfirewall firewall Delete rule name=lets
                  - Modifies Windows Firewall
                  PID:2968
            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c netsh advfirewall firewall Delete rule name=lets.exe
              - Suspicious use of WriteProcessMemory
              PID:4472
                C:\Windows\SysWOW64\netsh.exe
                  Command line: netsh advfirewall firewall Delete rule name=lets.exe
                  - Modifies Windows Firewall
                  PID:920
            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
              - Suspicious use of WriteProcessMemory
              PID:1460
                C:\Windows\SysWOW64\netsh.exe
                  Command line: netsh advfirewall firewall Delete rule name=LetsPRO.exe
                  - Modifies Windows Firewall
                  PID:1732
            C:\Windows\SysWOW64\cmd.exe
              Command line: cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
              - Suspicious use of WriteProcessMemory
              PID:4144
                C:\Windows\SysWOW64\netsh.exe
                  Command line: netsh advfirewall firewall Delete rule name=LetsPRO
                  - Modifies Windows Firewall
                  PID:376
            C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
              Command line: "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
              - Executes dropped EXE
              - Checks SCSI registry key(s)
              - Suspicious use of SetWindowsHookEx
              PID:4044
C:\Program Files (x86)\NetSarangX\upload.exe
  Command line: "C:\Program Files (x86)\NetSarangX\upload.exe"
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2512
    \??\c:\windows\sysWoW64\msiexec.exe
      Command line: "c:\windows\sysWoW64\msiexec.exe"
      - Suspicious behavior: EnumeratesProcesses
      PID:4132
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k dcomlaunch -s DeviceInstall
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3156
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{41560030-acf4-4142-8d06-504723712836}\oemvista.inf" "9" "4d14a44ff" "0000000000000174" "WinSta0\Default" "0000000000000178" "208" "c:\program files (x86)\letsvpn\driver"
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Modifies data under HKEY_USERS
      PID:2408
    C:\Windows\system32\DrvInst.exe
      Command line: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oemvista.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000174"
      - Drops file in Drivers directory
      - Drops file in System32 directory
      - Drops file in Windows directory
      - Checks SCSI registry key(s)
      - Suspicious use of AdjustPrivilegeToken
      PID:4248
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:3224
\??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
  - Suspicious use of AdjustPrivilegeToken
  PID:4732
Network
MITRE ATT&CK Enterprise v15
Downloads