5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 12:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi
Size

31.4MB
MD5

44e80380964f2ccbc6bc7b14ad4ffd3f
SHA1

c1b9a5cf8b8b63860fab7b3e8094fb0f58892596
SHA256

5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395
SHA512

93a9935aa0b14b99b8d74ecc9870a782907afd540a21759f56cc837fab72b33ce5386b7c6623987596fad15594848e47da36efed60d1553a566e2bc54c90647d
SSDEEP

786432:FPmtdVFmEvj9/DRTZVb2kZDJkj4BZELqx4LIsUtC1dQ+8eQfH2oPFQx:APVAW9Ff2kZaUBKLquL1UtCY+8x22FC

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET47BA.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SET47BA.tmp	DrvInst.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
708	netsh.exe
1480	netsh.exe
2192	netsh.exe
1432	netsh.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2264	ARP.EXE
296	cmd.exe

Drops file in System32 directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	LetsPRO.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEED7C5D2183A1352C6D421D65F131F0	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEED7C5D2183A1352C6D421D65F131F0	LetsPRO.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\SET1C18.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\SET1C1A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\SET1C1A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\SET1C18.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\SET1C19.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\SET1C19.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	LetsPRO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Utils.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Cryptography.Algorithms.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Cryptography.Xml.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.AppCenter.Analytics.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Collections.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.MemoryMappedFiles.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Drawing.Primitives.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Permissions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\WpfAnimatedGif.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Expression.Interactions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\Newtonsoft.Json.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Drawing.Common.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\ja\System.Web.Services.Description.resources.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\x86\WebView2Loader.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\Log\20241027.log	LetsPRO.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\CommunityToolkit.Mvvm.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\ICSharpCode.AvalonEdit.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.AppContext.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ServiceModel.NetTcp.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\WpfAnimatedGif.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Data.OleDb.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\pt-BR\System.Web.Services.Description.resources.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-x64\native\e_sqlite3.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Diagnostics.TraceSource.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ObjectModel.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Log\Lets.log	LetsPRO.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.WebSockets.dll	letsvpn.exe
File created	C:\Program Files\InnovateGraciousSupplier\XjPDFEditCore.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.NetworkInformation.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ServiceProcess.ServiceController.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Collections.Concurrent.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Globalization.Calendars.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.FileSystem.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Expression.Interactions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-x86\native\e_sqlite3.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\log4net.config	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Runtime.Handles.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ServiceModel.NetTcp.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.Tasks.Parallel.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Cryptography.Cng.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ServiceModel.Http.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Xml.XPath.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\PusherClient.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.Compression.ZipFile.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Reflection.Primitives.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Text.Encoding.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\netstandard.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Win32.SystemEvents.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Data.SqlClient.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Memory.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\pt-BR\System.Web.Services.Description.resources.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.UnmanagedMemoryStream.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Runtime.Serialization.Primitives.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Cryptography.Encoding.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Management.Automation.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.WebSockets.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Runtime.Serialization.Primitives.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\Utils.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\LetsVPNDomainModel.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\MdXaml.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Web.WebView2.Wpf.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ValueTuple.dll	letsvpn.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e85d.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76e85c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e85c.msi	msiexec.exe
File created	C:\Windows\Installer\f76e85d.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76e85f.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE9A4.tmp	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
1388	ckhjghacCGCf.exe
1696	OqmnhpUgthmZ.exe
3004	letsvpn.exe
2848	tapinstall.exe
2688	tapinstall.exe
956	tapinstall.exe
2040	LetsPRO.exe
2876	LetsPRO.exe

Loads dropped DLL 64 IoCs

pid	Process
3004	letsvpn.exe
3004	letsvpn.exe
1696	OqmnhpUgthmZ.exe
1696	OqmnhpUgthmZ.exe
1696	OqmnhpUgthmZ.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
3004	letsvpn.exe
2040	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1448	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1736	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OqmnhpUgthmZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckhjghacCGCf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2984	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-672 = "AUS Eastern Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-522 = "N. Central Asia Standard Time"	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\account = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e200000000020000000000106600000001000020000000f385b8045a52469abdaccf8fa01bf0a743883cf58a9d9664be0ffcfc978d1077000000000e800000000200002000000036b9cf6038182ff8039160e2c7d7439206fa856b786625ca33dc5300bab2c68d50000000cdac0b755498bd7eb5d70cb4bec0721e53cedc3bfc6f4563661def65090297cb39acc6c32a424b03bef05d55a46ae81089a224e40e1103cd914a9a0955af74ef31925d2e009a111829f355fea7c8b7b940000000c5c7b98ebbe9bf687e8857c98ba23b5071a84d0b80e927964750539a1d627d3878121b16b4378145fd96378907ff92b3476f15a725a930ea2a4630bd24c2adf7	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-22 = "Cape Verde Standard Time"	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\userHabit = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e2000000000200000000001066000000010000200000003b76cb80eee0f82f432703ec2d207c4ebab135d999efe4848c9b3e557b119eb5000000000e8000000002000020000000a653b20615a8665dd4bbf7cc0af52073bc61d1c0248e250e2e1308007ce32c8a7000000096435a1f9c92e008d8e675cd0f03d58681c37db9de22d2d125ddc64de63b7775d50660f874ffba8c80163bfa384a54f0d35a7c04baadc178de77ac24858bd618e9682a568fdb3380714e7de9e39bccecec3c9aa1a0eda8b438bc60b764203f93b60740019caa034220dd8897eb1185cb40000000eb3e19b6f6a086bdc5f0415db99a34305810c4bc4fe069979c54738f97a8b8c2a113fed29579bd21ac3a0d3b910e2f70cdd6c31ab7b4567fcbd8e02ef6f1dd77	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%systemroot%\system32\rascfg.dll,-32010 = "Provides the abilitiy to connect a host to a Remote Access Concentrator that supports RFC2516."	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\userHabit = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e200000000020000000000106600000001000020000000ece72b312115690cba7acfa7cd332794fd773f1ef18e851772539acc9eb49761000000000e800000000200002000000059aef7724481018b2c368430230fc7c4534adb8b7882c3c3ec728d6584dbf397900200000bd3bc4e64325e01bb932eae8fe18658eb6113cfd224233d0279373cb40465950b0a971966b11277e5b99aad38e62e1289f54342ce6ff6e153d18ea1f19a22d925d0f81cbd9cb5e1b18416051b048630b6b0c10d0f131ef2472b51cffc72fd53ff39bc5dde82234a2899662ce5f61cb270d829b2dbb0307b380e491589fd135e2cf0c3d63cbbb49493cf934907b500e51a8bd37473c6c89a6c92d4eb8aeb9c5dc483a0e82a5792317f1895fae7502d5b76eb171844e0e30bae10d80bc29f94b996f397886b639b09d376365c0e0614bd50af05821a6b9384d352f9841e1383c293b7f353b9333ff1aaf52bf28a4727ca3c5100fa1c2601c6e04e2ef26dcf735bccca47219eda551ad9185738c68c436e3374c6aaf435e284cf1899e96f110ae393608976155839324d8e8853f35431e0ed7b2eaa059c979a02c065fcefd4cb180ddfb140f6a2f6d966c7f560425ef46e04af6d142729c6e0cf507301cf4b80e3ff93176f5d692e3127501dc3dc709c82ba9def64de2bd4559d6ea2fd328e9443f7ab6faeb8922966470036b278d78f6d76444a9ded88a421276b717986bc81f8b66cc402a63a05bb3bf89b58ad9a18426ab76a52182cf2734dc8a5d2adf6ee21eb2e8b31970b841dc02d4b0c454a4cfbf909a8fcd28a04584aafc784cc241999e20a613414ddf6280c1ed1c4891b4ec0ae2d322eba4f6f4b67b76d688a3b01f469eaad626f6584189dbaacf7f692123120252a3e32f83bf568e8ee3c7c85ca17114d615c66f1b52931fbcf3e147dc8762e2c34d3781688a817ff523340ed40053a850d430188da7697087f9a3d93230e4a1545ba06f36110f023803ce8c67c349f7340bb8b8d654d96f507084c3094d7187ea2e1bf4c222377bed672c46a701e51a4ed031d02335e5fe427e83bfe401840000000319d0483ae97e9a6690d17dbb01951885b38eece9f275c07e55b7b6918ecd77b6e2f88a8a4ff39c9f3911d968f0d4cb464532edf237a123019287197dfa0b82d	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\qjiwx = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e200000000020000000000106600000001000020000000cf0812ef3763b8916b7dc3b1b9ef2e2ff6f7780c38b0564ac54a1da1c3684c1d000000000e80000000020000200000002927ec945d5eae838e311e506682632c11eb8514c6481a6f95c6523ad78f07cd30030000e4758b54242874dd619dfa6cd624e801b198cfa16dc5258f1dfbdfe3a2b606481896d950fe2d48472c1d13238b763ec75414b0aef0033d73e46058843a6a3cd13f1863494183f00126dc1cbe6da34c37230e6c9ebf15a7abab9a0cd805a450d51b1b5b6acfe35ecbb6a14576e6c0e0d0a925e9ba646c1513bc0296cdb526e885f1659351309b886e2896e6f25bc1686ba931c1018e45c4a50540ba11737fdcd4340bebaaa6c118c26c2b2b4579be1ca2d7a6bf26823e0e5aa92f16e3bc6f5f766168e975c0a4530515361da1c92d66ec6856981ef23d2d41990405e95ecec1737eb96564c217fa5bfe6863c6184fe8b610f8fde6715106475bbd35b12dc878b9822a0257c41299db3b40a225277ecdf1774e65f0c082ccee82c97007f39d402d88f99e07cacc4f5c0885a48d6af131a137fdd75ff6f7e5b345646defe02cb6d019fb23e3052c0405f30224a6bbcd235f07f696392789d66aff97ee59bbbdf0cbf9dd4012e8101349ba0584407261673460b9b838aba902c272b7719a22b4b573e1a645a1383ebac7e4706382c491d8ec1cb36fccc3d233d3bd447ca58129cc19d37fb725e376f6f73f53d77e18546d3cda222ba7ac13c6c9d50040f11902749075d2a3a4825bf79d7cae84e12950f967dfb2c9cc4fb6dd2062a32a0045e7ae5adeea3ad81e931aa71a33667f056290f1b78ddfb72e48e61e5552a5fdc3fcd8a928bf18541ff39d6d31cbe786bd2ca12c4ca72341455d987db9d8b151d385c0ed21a07df52fdc390ec336e47ddc076dcc6bda47553003b0091fb55648f2c95723b60daf2f8381d2e6eff74bfe1411867fff0c1911bece57e177a70483cca4f6730792f5300b5810ce0b09b2f96522085c3aa68b8e8c51bdfa4f31ef2cdc1843538a74f3d6d3cc73cb3f720f69b78e1294e24d2c43da99c5e507809aa3a1848ecb82ff767fc574ab260c1bfa654a91f914e6259d8bd91e61b5533adbb6d7b634ca3fcb70019b81e2c1dd13401e9498ff41970fd9e2ea1bc7f49514751b6bd9f494b52c2c59479f2e7e569b95beb670322f61245a3ca9139d759c7b046327c1923f7d0ffbe1b83e4f2d9a1002f1c230276f0b06e533acdeffd41553dbe73424b40ce9e84ff7b4fb3afde7de0ce14acff82040000000bfc2657d80233a22726fafe03130d4a4fffd23f32c7731b4bdb7cc741a506e93e785f14920745cfe94519fd15730f099e0d8088ed4ce35b750e4dc57460ad9a2	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-1411 = "Syria Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-1042 = "Ulaanbaatar Standard Time"	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 809154cf6a28db01	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-51 = "Greenland Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	tapinstall.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000408850d66a28db01	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\qjiwx = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e20000000002000000000010660000000100002000000020834e14cf5174a4dae4eaab3da2312b1dc6af93fc82fd72a75c7250de813d96000000000e800000000200002000000027ebb1b47f81f1c5e68ea457ab6a8f961eaba8a75bff0df64d19de313b1edccb60030000f9462fc70ba2c47b006158a7a362939b78299e34775dc29d38750695c68e3b994fc36a9ff66a4106d8fd10d89a926550e9c721bf25007b8259064030d9e02ea66bd0ba988957623f0753d301d8a1b82efea0226327993a0791f857d21fac3a3dddaba367284acbd64a785844734a76a68731d872032ffd628a2242eaa627093dca5abaa9704a9e7eefdc30dc4c87ee660878825cf204e269c039752d46d429ee3bc121972c78edeba4b38b2a9bfabc30286b3a43d933414aabf54848863f34f9cd6452c6fb4442f006eecdf2b0ee12dbcde89c17b1f040e31841bb440bede98e2c78712accf494199cabb303c22af3a647667012d9bd25d85e9dcb1266669589b607840a9e9ce67a356bf26509bd21a9c6e192b488155a3b8d8b3b00ace48f2d17be04a6c6b58255e591bcdbe1ae6a9e7d5593e9c482484b68d0c119c34c90668e63852b9c48e67dd09b4823d6c39bb1fb4766865f6d0003e907ae862c001d0cb6953ec383c86f21c721da830304c47af6243ffa4316b5c3dad9db6a15d8059d62cce9417d815f63c0813b1bb4f0c575e6b9dca14db366337cb9bf65cf4a631c0ee203c2f1c50dcc6505dd4227687261b991688c62226ec4c375b975ce0d6a801e9312e9ef125888c6d52a20d97d0c33cb5afb25f2dd684465bc025e3d9734bffd14738a2496daad1b3ff7565bea70046059e4d8d7bd9e480c2857c12113c472bf4a164087d46a94f35b4ebc0d5bd57100f7cdc9e6626b4f28e754f0589dac645d6ea73fb2ca87c1469ce25b338523340599e7552541e013b4c37bb65cf8fe67cfb8724c4c3b3eede2bb2cefd493b7e3fc94699c3e72ec9b6499dc278b43333f5a8be2282b9732bc4e247f283c79fe61eada3fcc9abd435a1b3e16a495458a195be82960ac3872e79ee1144707018b116d6f6ed573321767dd3606ce392fd220dafed0bc7d52a115bd11a10cc9bbc4ebbbb38e1dd28309344882e6e83c077f033170d919feab59d6ff56a741fac5b945a0c0b50d4f1c976e470a3cfa1cc6bc0db4e73c3baa995066a593d650e25b35c33f6ed0a37a392f9be33c90036c6f0da43cd942d4ea26ee678dd0b7758e8e26ce96a8671824206862068081db101b0b4d7546554ee13e1cbc59ea2dc83acbe6b37aa82ee300b7669936f1259687e4b1b54c19bcb3d2b090444e7b54b7fda8c6aaa1636891f1f40669161dd36bbd0f340c40000000e138cd0dec06e9fae7246291aac8f2df426f1789d1fd061df8e79cd5ad6921b2ceba57640c18cb767107c5c86b4bf5b6e54faee6e3e4cccb95392202c727307a	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.10.2\\LetsPRO.exe\" /silent"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-511 = "Central Asia Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-1412 = "Syria Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-391 = "Arab Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\recordInfo = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e2000000000200000000001066000000010000200000000acd036723f2aa1d7d8024b9a6345406b59366dc92bf5d8bdb5d364e0bfd2e49000000000e8000000002000020000000d5327b1d522170c17b870e7aedc3543939cc91dbfa2ad99673033bb1d30c63aa3000000046dda6c9d2f90944103a4bbb61cf84575a5d27c3f843fb8d7b3af28dae0822597d3918608a46a03e631080532f79d664400000009b6bc983ea48814c30bba11c1f7791e68c72e10350bb5ccd77a842453cab8350877ef8db982caaa6e48e8a4bb21a62482e9f99fce0883d7041dbea8f9b47e3bc	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-692 = "Tasmania Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-351 = "FLE Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\userHabit = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e2000000000200000000001066000000010000200000003bfff3b627b7f31e498eb474784e4a4647d6b3466a3462d18d9a0fcc38ff1d1c000000000e80000000020000200000005f81d0977bf576496846bf5ec84944551a323d2acd71ca6555d13737a735789f90020000f50ba21755c40b58fe231012e9ac0e1886064089c60591c1444bff27a211047545f07179ecbdcdeea33f0f9ae43e3d5cbce7f29e5d99502c009916c8d97d9161af8268d4b5658a599ee2f4b0b7b1e671250890b3251ec6c082b0ce6912f435fe23e116a3be06d1f7b7fba81c42b5a7762676fba4adab58535302c24dada4b879b41ec3d5938da968cbeb8f4a38119d09837875a8fee9dacb3922ee7bfe7b76069f99c43b0670b1e7b9df3b2a89a304de4b963257503b21fef4cca2987b253c43e0585fb280f7f755e924da86888a580d8fd42c66190cf82e40bd6aac539d668114ab2b22b3dcb102c2689b785a75bc3a5a5fa91abad37f5c17af83e4af435535d5fa483b8f681be27ec1795b649ec9c5cfe6e2b2855d834ad9fc5fce206debf13254e72ecb6746779dc978c045ec5d8900e807830a18f2078e0a69180eb3fedc743dbf8e3122988db99724aeb6456ddb693c9fdfc98ccf64618b7407658fa73fe7ecd13a91a2f941c153542a07be7482eb6dd80c6f156a6815b2cc6f5b63bb3fe952978a215c6f07b770c21c04e245395bac5e9b952488e3d584bff499f69c6562826bafb340cd82d231f58de60cb820034623f07265149c43b5a473dba9d1f704e11afe681f60af2fa3cea4ac6a072489f1c37dc75c84c04e02b8c2fc428d0d7700634d1e6b806f9916912d12bb48aeae323e1da68702238df1649107a8eeea7f194a8f3b465852b8146154429e4487dfb22ac432e08686d2441ad14b23923de5b30b28e55f0aae9e488019b39203f8cd3d2ea3c34f36f3108aed4a8a6877e6c3f6a68450e80d9c51601d3c5184f91da35e35981b6587218a5c98e7dbb4221856bb4481e1ac1a215d11dd73b3a5757b76230f0167ea52a4b2494322eb17df967fe4c46ea3983f5afc68fa675c5866e2400000008c85b11b92426fa2df156574d36f84dd5d70958fde8de200077a797d29e404c04021efdcfe31d4c79734d269064c3745c7fd87121487510510dae79ea122b187	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\PackageName = "5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2619D19EF59FE20499FA406415DA3C59\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\ProductName = "InnovateGraciousSupplier"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\PackageCode = "C77F9DB5C75184D43A75CFB1C0847EF1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\58FC6756EF1B4C747BC43E3A7ABA54B6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\58FC6756EF1B4C747BC43E3A7ABA54B6\2619D19EF59FE20499FA406415DA3C59	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2619D19EF59FE20499FA406415DA3C59	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Version = "50331649"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Media\1 = ";"	msiexec.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2044	msiexec.exe
2044	msiexec.exe
1696	OqmnhpUgthmZ.exe
1448	powershell.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeSecurityPrivilege	2044	msiexec.exe
Token: SeCreateTokenPrivilege	1736	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1736	msiexec.exe
Token: SeLockMemoryPrivilege	1736	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1736	msiexec.exe
Token: SeMachineAccountPrivilege	1736	msiexec.exe
Token: SeTcbPrivilege	1736	msiexec.exe
Token: SeSecurityPrivilege	1736	msiexec.exe
Token: SeTakeOwnershipPrivilege	1736	msiexec.exe
Token: SeLoadDriverPrivilege	1736	msiexec.exe
Token: SeSystemProfilePrivilege	1736	msiexec.exe
Token: SeSystemtimePrivilege	1736	msiexec.exe
Token: SeProfSingleProcessPrivilege	1736	msiexec.exe
Token: SeIncBasePriorityPrivilege	1736	msiexec.exe
Token: SeCreatePagefilePrivilege	1736	msiexec.exe
Token: SeCreatePermanentPrivilege	1736	msiexec.exe
Token: SeBackupPrivilege	1736	msiexec.exe
Token: SeRestorePrivilege	1736	msiexec.exe
Token: SeShutdownPrivilege	1736	msiexec.exe
Token: SeDebugPrivilege	1736	msiexec.exe
Token: SeAuditPrivilege	1736	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1736	msiexec.exe
Token: SeChangeNotifyPrivilege	1736	msiexec.exe
Token: SeRemoteShutdownPrivilege	1736	msiexec.exe
Token: SeUndockPrivilege	1736	msiexec.exe
Token: SeSyncAgentPrivilege	1736	msiexec.exe
Token: SeEnableDelegationPrivilege	1736	msiexec.exe
Token: SeManageVolumePrivilege	1736	msiexec.exe
Token: SeImpersonatePrivilege	1736	msiexec.exe
Token: SeCreateGlobalPrivilege	1736	msiexec.exe
Token: SeBackupPrivilege	2596	vssvc.exe
Token: SeRestorePrivilege	2596	vssvc.exe
Token: SeAuditPrivilege	2596	vssvc.exe
Token: SeBackupPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2812	DrvInst.exe
Token: SeRestorePrivilege	2812	DrvInst.exe
Token: SeRestorePrivilege	2812	DrvInst.exe
Token: SeRestorePrivilege	2812	DrvInst.exe
Token: SeRestorePrivilege	2812	DrvInst.exe
Token: SeRestorePrivilege	2812	DrvInst.exe
Token: SeRestorePrivilege	2812	DrvInst.exe
Token: SeLoadDriverPrivilege	2812	DrvInst.exe
Token: SeLoadDriverPrivilege	2812	DrvInst.exe
Token: SeLoadDriverPrivilege	2812	DrvInst.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	1388	ckhjghacCGCf.exe
Token: 35	1388	ckhjghacCGCf.exe
Token: SeSecurityPrivilege	1388	ckhjghacCGCf.exe
Token: SeSecurityPrivilege	1388	ckhjghacCGCf.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1736	msiexec.exe
1736	msiexec.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe
2876	LetsPRO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2744	2044	msiexec.exe	35
PID 2044 wrote to memory of 2744	2044	msiexec.exe	35
PID 2044 wrote to memory of 2744	2044	msiexec.exe	35
PID 2044 wrote to memory of 2744	2044	msiexec.exe	35
PID 2044 wrote to memory of 2744	2044	msiexec.exe	35
PID 2744 wrote to memory of 1388	2744	MsiExec.exe	36
PID 2744 wrote to memory of 1388	2744	MsiExec.exe	36
PID 2744 wrote to memory of 1388	2744	MsiExec.exe	36
PID 2744 wrote to memory of 1388	2744	MsiExec.exe	36
PID 2744 wrote to memory of 1696	2744	MsiExec.exe	38
PID 2744 wrote to memory of 1696	2744	MsiExec.exe	38
PID 2744 wrote to memory of 1696	2744	MsiExec.exe	38
PID 2744 wrote to memory of 1696	2744	MsiExec.exe	38
PID 2744 wrote to memory of 3004	2744	MsiExec.exe	39
PID 2744 wrote to memory of 3004	2744	MsiExec.exe	39
PID 2744 wrote to memory of 3004	2744	MsiExec.exe	39
PID 2744 wrote to memory of 3004	2744	MsiExec.exe	39
PID 3004 wrote to memory of 1448	3004	letsvpn.exe	40
PID 3004 wrote to memory of 1448	3004	letsvpn.exe	40
PID 3004 wrote to memory of 1448	3004	letsvpn.exe	40
PID 3004 wrote to memory of 1448	3004	letsvpn.exe	40
PID 3004 wrote to memory of 2848	3004	letsvpn.exe	42
PID 3004 wrote to memory of 2848	3004	letsvpn.exe	42
PID 3004 wrote to memory of 2848	3004	letsvpn.exe	42
PID 3004 wrote to memory of 2848	3004	letsvpn.exe	42
PID 3004 wrote to memory of 2688	3004	letsvpn.exe	44
PID 3004 wrote to memory of 2688	3004	letsvpn.exe	44
PID 3004 wrote to memory of 2688	3004	letsvpn.exe	44
PID 3004 wrote to memory of 2688	3004	letsvpn.exe	44
PID 2140 wrote to memory of 1280	2140	DrvInst.exe	48
PID 2140 wrote to memory of 1280	2140	DrvInst.exe	48
PID 2140 wrote to memory of 1280	2140	DrvInst.exe	48
PID 3004 wrote to memory of 1316	3004	letsvpn.exe	51
PID 3004 wrote to memory of 1316	3004	letsvpn.exe	51
PID 3004 wrote to memory of 1316	3004	letsvpn.exe	51
PID 3004 wrote to memory of 1316	3004	letsvpn.exe	51
PID 1316 wrote to memory of 2192	1316	cmd.exe	53
PID 1316 wrote to memory of 2192	1316	cmd.exe	53
PID 1316 wrote to memory of 2192	1316	cmd.exe	53
PID 1316 wrote to memory of 2192	1316	cmd.exe	53
PID 3004 wrote to memory of 2160	3004	letsvpn.exe	54
PID 3004 wrote to memory of 2160	3004	letsvpn.exe	54
PID 3004 wrote to memory of 2160	3004	letsvpn.exe	54
PID 3004 wrote to memory of 2160	3004	letsvpn.exe	54
PID 2160 wrote to memory of 1432	2160	cmd.exe	56
PID 2160 wrote to memory of 1432	2160	cmd.exe	56
PID 2160 wrote to memory of 1432	2160	cmd.exe	56
PID 2160 wrote to memory of 1432	2160	cmd.exe	56
PID 3004 wrote to memory of 1164	3004	letsvpn.exe	57
PID 3004 wrote to memory of 1164	3004	letsvpn.exe	57
PID 3004 wrote to memory of 1164	3004	letsvpn.exe	57
PID 3004 wrote to memory of 1164	3004	letsvpn.exe	57
PID 1164 wrote to memory of 708	1164	cmd.exe	59
PID 1164 wrote to memory of 708	1164	cmd.exe	59
PID 1164 wrote to memory of 708	1164	cmd.exe	59
PID 1164 wrote to memory of 708	1164	cmd.exe	59
PID 3004 wrote to memory of 1864	3004	letsvpn.exe	60
PID 3004 wrote to memory of 1864	3004	letsvpn.exe	60
PID 3004 wrote to memory of 1864	3004	letsvpn.exe	60
PID 3004 wrote to memory of 1864	3004	letsvpn.exe	60
PID 1864 wrote to memory of 1480	1864	cmd.exe	62
PID 1864 wrote to memory of 1480	1864	cmd.exe	62
PID 1864 wrote to memory of 1480	1864	cmd.exe	62
PID 1864 wrote to memory of 1480	1864	cmd.exe	62

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding E9D7C029AD1C335274F1B254055CC185 M Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe
    "C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe" x "C:\Program Files\InnovateGraciousSupplier\gAyPsguYXDsMcEThACGI" -o"C:\Program Files\InnovateGraciousSupplier\" -pgeAZLqCXgLqbCiVjQrQI -y
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1388
- - C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe
    "C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe" -number 164 -file file3 -mode mode3 -flag flag3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1696
- - C:\Program Files\InnovateGraciousSupplier\letsvpn.exe
    "C:\Program Files\InnovateGraciousSupplier\letsvpn.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:1448
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
      4⤵
      Executes dropped EXE
      PID:2848
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Modifies system certificate store
      PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=lets
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1316
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=lets
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=lets.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=lets.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1432
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=LetsPRO.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1864
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=LetsPRO
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1480
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
      4⤵
      Executes dropped EXE
      PID:956
  - - C:\Program Files (x86)\letsvpn\LetsPRO.exe
      "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2040
    - - C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe
        
        "C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe"
        5⤵
        Drops file in System32 directory
        Drops file in Program Files directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:2876
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:868
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2984
      - C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2268
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh interface ipv4 set interface LetsTAP metric=1
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C route print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C arp -a
        6⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:296
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:2264

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "00000000000004BC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2b8f6df5-c182-4886-9b3d-961782c18648}\oemvista.inf" "9" "6d14a44ff" "00000000000004BC" "WinSta0\Default" "00000000000005D8" "208" "c:\program files (x86)\letsvpn\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1c13e5ab-8abd-0fa6-7b04-754cb2b2a905} Global\{1eae3fcb-58b1-030d-d78c-3104bbdf722e} C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{4deb4379-d40e-4cb4-b179-494511c0a33e}\tap0901.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1280

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "00000000000005EC" "00000000000005A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2492

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "00000000000004BC" "00000000000005F8" "00000000000005FC"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2860

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e85e.rbs

Filesize
7KB

MD5
cf830a15e2171d2d0fd2bd2f050b0258

SHA1
43971b899199ae6b76b51b5f882631b6793f7a5f

SHA256
d6003e02efe074a1cf929970b42d69d72bf2409c787c662d737b0be2e9bd52df

SHA512
1ccdcdbf9a4b3633df931aeb96eaa2d4f3eac34db832b7bd521eacdfd1c1aa447c185491150a5945e3d654d6ae6d0f1d30ea90df07bd8f6a888e0b11b3217cb3

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe

Filesize
1.5MB

MD5
cc8594dbaf16443f0d92fbdac4dc2797

SHA1
047e926a7d3e0e7a1fa6219af32b531ed3574487

SHA256
afeb1c6108ef4f2b241ffbdf0bd138ada0fb2af2381b068f2af397c761c76890

SHA512
e4a8390a60fd42f21ce89e79ec5bea6629359d2c4629810aec7069234f423058f8271b1d61d7342a623edca7a65abdda701149494709c88c8431a61c352d108e

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe.config

Filesize
22KB

MD5
ebaeca4375f9cc819ff3835ba62717de

SHA1
819d4ad83729d709a3ed6172e2c608af70de3d03

SHA256
a12e73eb35a51a227afd1318edb824a77cbe60d2fbf67e1463404c0673e42d9c

SHA512
311d6aa1a8608b327bfa97cb77e4e21a44946438f60c6c2fc9e0bf9ef97434138d0136ca1d55c7d836d72a03cebec63beefd974219ab8ea580eddf3e23e76d3f

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\Newtonsoft.Json.dll

Filesize
693KB

MD5
a051afcfeff1f630188c5785f7ea3273

SHA1
9312b0a42b4ffbdad365c4938a081c9abc870074

SHA256
97e46c96938851c462a59eaa43bca65ed3a0b0a385e2b87ae959acf3bfa6ba75

SHA512
0a4ba46ea22021f467e97a4f68dd1473187c7af213dda9f0a9fcb683891bb804b27b45d9760aa02a3ce8eb0287efa67b8b4690ce1908aab0004d548183015cb9

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\log4net.config

Filesize
3KB

MD5
28f9077c304d8c626554818a5b5f3b3a

SHA1
a01f735fe348383795d61aadd6aab0cc3a9db190

SHA256
746b5675ea85c21ef4fcc05e072383a7f83c5fe06aaa391fc3046f34b9817c90

SHA512
485c175bc13c64601b15243daecbf72621883c2ff294852c9bbb2681937f7ef0bea65361e0f83131ec989432326442ef387c1ccf2a7ca537c6788b8fd5c0021e

Download Submit
C:\Program Files (x86)\letsvpn\driver\OemVista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe

Filesize
2.9MB

MD5
c0332d95acdfc46fb60f3f1d9dd6b92d

SHA1
2863f05a42637d22a354e7c39cd17f8497c447ad

SHA256
0975d859e5a7b56faaf48ba8e50c800156b8cff927f3bd01f564aa6f18eac2e7

SHA512
7fdab98bdb7012cc87af60d3bbe1bfcd42ce536f75aca56981b1a2d7121bca7d9c8f5091fea7902a9e5c688c7d30613c3f99c07dc166faf58e6c230dac53d09d

Download Submit
C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\InnovateGraciousSupplier\gAyPsguYXDsMcEThACGI

Filesize
2.1MB

MD5
6bb89d170132b6a2df5920a5243ed390

SHA1
94a1a99e6d0bfd8d4458daafe56b3f9e36caa18d

SHA256
1cf0546651767e50b1ccd478dffb5afd00ca9af6316ec3bc1349f0a2573bc070

SHA512
67bb4e5fafa4a95ada5f0df6c669f3bd85c5efd0446ae199f277d2f0075ec8e5c0b47fde4a84df2158eb49c198e1676143b91c888ddcc9f75055486c64f83070

Download Submit
C:\Program Files\InnovateGraciousSupplier\letsvpn.exe

Filesize
14.5MB

MD5
94f6bd702b7a2e17c45d16eaf7da0d64

SHA1
45f8c05851bcf16416e087253ce962b320e9db8a

SHA256
07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776

SHA512
7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

Download Submit
C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AE2.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B05.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A70.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyEF9D.tmp\modern-wizard.bmp

Filesize
51KB

MD5
7f8e1969b0874c8fb9ab44fc36575380

SHA1
3057c9ce90a23d29f7d0854472f9f44e87b0f09a

SHA256
076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd

SHA512
7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555

Download Submit
C:\Windows\Installer\f76e85c.msi

Filesize
31.4MB

MD5
44e80380964f2ccbc6bc7b14ad4ffd3f

SHA1
c1b9a5cf8b8b63860fab7b3e8094fb0f58892596

SHA256
5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395

SHA512
93a9935aa0b14b99b8d74ecc9870a782907afd540a21759f56cc837fab72b33ce5386b7c6623987596fad15594848e47da36efed60d1553a566e2bc54c90647d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e15d201fed2f571fdb2b71312fe5b9d

SHA1
ba1cfeb76649f725af34d1ce6d217c8ef723d653

SHA256
dfb9bc326ffba5cf048dbc58485254c23e29de881068b86b2ad9b71e74491f50

SHA512
0edf18d00c61318f9415530687ebb9e4d0f4c3c8b4d5167b078ab85ae19ca41ceb6a502d7c0d1480dd6fe711ec4e8c70421751ae06e737f0bba162e044f5e900

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee4d69d28b398289ca82186015266ac1

SHA1
58d01e90c80114abc41d1f01e325e32fe2b840e1

SHA256
cbfb2a348d65d98dc06d5f8480f7967f4d526a61edc26510628578e82b72f9be

SHA512
cf63abde569a80e7ff646ba83c9ea249e886a3f8a2f1520e6c11e6c6d8ebf5fdab5326a7c4cdb646b28eaa4ad2f2ca5a0ee9350aa7fcb232f9b191c18ee06793

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d011fdf623cfd25dcf6b48388d51b5ca

SHA1
8ffd72f83656bb3c89fd5e0ed7ac225805d9dd75

SHA256
7889ee409e3edf1b35e429cc5ef465c21a436780d492ad67c5a130e8afb247e8

SHA512
c24a64e044d186e8aea0d416879910e2e5155ca9a1f65cb1240a86ab5d3737ee2d4f43a3a2b968394bc9ad5353cbf81ce683b8fd1c2943055a2a3dc1b8b1722e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1388baf27a14522857d9c37c357caa0

SHA1
c478dd3db59bfcbe6ac11f16143d49262230445a

SHA256
122d5afd60ecf5a6fd9c95d1c2355f5ca4c9840aa933415aea929444df829101

SHA512
b5c2f978596ff98360a39e8247fa09b6e2669f3a1fd998c2c6b76fb19a44a0ffa2ad04a65d20069b441637104f66a1e1a74d2002466edd53148c8525f4e1b37f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03d388b77633d588ef5dd55ef26540b8

SHA1
53eb3be403c5e81252a72dde622f7badb00ae593

SHA256
8e6016afc9cf0521343923c701b4a795ff55db6a4f1e4709239a7ac87b0b1a82

SHA512
4f6340a600f7cb40eea2512b0c1cd80d7931a05067efe12b7cff2f7cf8f93c15235020f07d0d2cd410393ebf3bc62b901f61296c9278017a61bb27a7bff4ea2a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
262c3feaf269d21b770e1dee5035f560

SHA1
9e5bc18032c60d04d469600ce9fec99dfd45dfbd

SHA256
23c1d7d9347e4646088d1c1dcf7960f06c9ed5ae96f8ce814829c114e748d379

SHA512
591aa54f0348799721f2f10e94cb9d83557bfd17145571f0d56a9d226f5f3d8d71d3a310a569add544dc3e86cfc9d175ae09a87ee9245798bb6bc1196d4d104b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
273dafd60f9389a44831c22d82f30609

SHA1
31a0750d36afd383d5ba2e4d5e14c407439db477

SHA256
d9d72bfe3bb524779b0c661c01f59cb1fa66150f1499732cd700b9a34076f9f7

SHA512
0e6b8dcc72fbb1c483f63286f81f6b4ab57f643dafe81443a2c85447bbfcfaddf68b4419911d85c4a83e6dc841f37bab0a241b1bd4f5a51c9070fa8fb59f9212

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
200229b8404a685d3749fbd58ad8b3db

SHA1
8471ff8f1900d6c9f8885d4478a4118b5787b946

SHA256
3b36d712f12fefd25ab7442d0dee43890cebfb4bcec5402aa8aa447aa1bb0841

SHA512
3869806c61d3534a58369b28e5a9e4977721584b897b4df981b39505f04bbe36b7033201d81a0b3891b43780f8bd9b52158e53dcf07062003fe4c2f211d6073b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4dbe2a1b7a1c7d0c3aec40cc498a0096

SHA1
aa6ef31c9e13ea29db411b79701e78fad612f890

SHA256
f3bfafb6146c7fc4743397a71008b81ec74e19378b62f827ec62888c8dabe884

SHA512
f9446a1a60d7df19e9273c5eebcca669515c99f0fa5e9d0176f4432050d54cd39a5c345036eb9e1133772959cc22b9cfa89e8aeb5a30651ccb270d312c4524ba

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8edc89fd64493719b1bf58731cda45e7

SHA1
cb63e3b300a2dad4eeecea0f49768d9d936570a4

SHA256
07e0876dbbbcc4b0763a63a42f759847b1309b9b7c27b0ca8bf2db29ffb79e40

SHA512
70a7f3ce74a2a86983026af0f72bbe7492ed91ca21cdb0f7bf0f2fa09006e760cfa58ba1e0cfbc86248041d374833eb114bd713d3471b82af97883981a074773

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb57d05a14604fa4d45e5e01c9d473d7

SHA1
ec37ae09dcd9f6789d77a992afe2a000bf4f8cd7

SHA256
084defc469e7993e120507a55737497be43bb3ac934cc9296cb4b0fa923d5fab

SHA512
97bcb739c4006a8946ce2364ee88f8f570dd13138d696d14444d0750719f642d42039b605abc3789b69dc7d79986bf06ea7c3d915759c9834f27e84eb1c47622

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
87d2d6bffb5522053eee678b20dfdfe9

SHA1
9cc4f01148ba58081efe1caa1e163c38dab359c6

SHA256
7f0797ced7cf1ff38cd41b90cbd82a8a3186030bb646e4e41503cf34da13d443

SHA512
c82377c75cdfe1bfff8203b44dc9b0d66fa558ff3db1da477bae400fd1f74ba58492af3984222f634107c360a6a2ed372eb45571960323ab1db3cd0c8b939979

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF

Filesize
8KB

MD5
5fa9abd54f16bd885970de6f1251f595

SHA1
b6e26f2dde99f98ef2905349e33b501363e5833a

SHA256
2d2a9c21f17fa3a5a878e0ad59f14c29ff62ad85cde5ce9c2f6382732e9ab396

SHA512
4283400c6fea45408eb4b25a75a14bc93e39c4ff889f8a56f7f12edf33db2af30bf979822a259f41bc69817035848788819b041a0f5020945b6ecd10b17c76d9

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
b756d59ff5d3804a108a2e838a7ec0d9

SHA1
0192bb58036f976d38fa26bf287a14644848b6da

SHA256
573f492209f51fbe2a13041de3dc17a5f8a1808faa2548065507fbf1a06eb761

SHA512
bbd938e99d2ba3e5b8d18b339ad40a52959f20321c4112cde8e027241e48584713143db37bce3bd9555bff68677d583705cef85b0ca718e22825400f552990db

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
8KB

MD5
47fe2d003e3eb17365021d77e976389c

SHA1
a702f32244296b38c1a0048f697a26e4c8b0d340

SHA256
9c9a462eead925b3121a9333ec8344089411ecfe455bb9cc675de5e2b01ad9d8

SHA512
fbe2bfa664f25b4b136bad52bd7345838d1a941a47f04c8f37c89cac225088e819d46a359f5630000b3e57857a9b461f5f71c6257e8a4144d5db98ccf520d1c0

Download Submit
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys

Filesize
30KB

MD5
b1c405ed0434695d6fc893c0ae94770c

SHA1
79ecacd11a5f2b7e2d3f0461eef97b7b91181c46

SHA256
4c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246

SHA512
635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat

Filesize
9KB

MD5
4fee2548578cd9f1719f84d2cb456dbf

SHA1
3070ed53d0e9c965bf1ffea82c259567a51f5d5f

SHA256
baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24

SHA512
6bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe

Filesize
240KB

MD5
5c418c95fad150290b99fd115838f2a9

SHA1
1af87b13df4f52fa458152821fa7c51c75a772f3

SHA256
7bcd5e4b4771172d4a66f3d1eefd74d94755e929fe4012295d6651ca15277a88

SHA512
4a3bb2a01e48c2be67dcae15c1e9e7255fafccb8a3270b77484f72c939b92a18cb80b4b5ed579511d6eba42482ae5e8528e8270a7a06d19463044b20f709f775

Download Submit
\Program Files (x86)\letsvpn\app-3.10.2\LetsVPNDomainModel.dll

Filesize
21KB

MD5
4aa9b59fc32caa6d74293cc4ff4234a9

SHA1
3ed90204d89217a19b1078eb8718202932f4282a

SHA256
2aa48a6078e2ef1c4954b507c3da13bea8ee3e4c38a4131621adf98fc8da265e

SHA512
dad298b8430ffcb3d7c44283f3b85892773a288eff1e071860839ed39725e8696f2dae6f9562377bddcdbcfde83f164fb753d36501e2b9c215d0fb2d93cb2ee2

Download Submit
\Program Files (x86)\letsvpn\app-3.10.2\Utils.dll

Filesize
126KB

MD5
0b0e7270f14d5dec664787ef680ab980

SHA1
4c5c9f4385423d083d2693585056363853727ca0

SHA256
35288ce35fb77395a2f55244e30f7f8aa2131fa3ebac9c85ea58979e7276ec3e

SHA512
d45c34602a49c75e9f0beb4f473ebb851e17c1a342308984ecf5666be93d615f75655a0ea723aa4bd3fd24208e8ab384223f888a0f2baa9d36c96150098fd801

Download Submit
\Program Files (x86)\letsvpn\app-3.10.2\log4net.dll

Filesize
273KB

MD5
6c4e61362d16c7c0b3731b0e2a84f911

SHA1
3c89a13ab980e3d9ea515470c9d53bb30ac746cb

SHA256
5245b084cfd79eb3627caf4ddac63096ef89046093dcb0e00e2b96cf74c24fb6

SHA512
ac1a941200787971d154b99211fa5c7d7a3ba83132be505de2a7ea2682e8be87e668fb0264de94dc6cedce85750b214159c797ce5b1fcfde1e229875215ae458

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe

Filesize
99KB

MD5
1e3cf83b17891aee98c3e30012f0b034

SHA1
824f299e8efd95beca7dd531a1067bfd5f03b646

SHA256
9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f

SHA512
fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEF9D.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEF9D.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nsyEF9D.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
memory/2744-12-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2860-781-0x0000000000BC0000-0x0000000000BE6000-memory.dmp

Filesize
152KB

Download
memory/2876-855-0x0000000004D60000-0x0000000004D6A000-memory.dmp

Filesize
40KB

Download
memory/2876-858-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/2876-862-0x0000000006100000-0x0000000006112000-memory.dmp

Filesize
72KB

Download
memory/2876-873-0x000000000EB00000-0x000000000EB1E000-memory.dmp

Filesize
120KB

Download
memory/2876-859-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/2876-856-0x0000000005680000-0x00000000056A6000-memory.dmp

Filesize
152KB

Download
memory/2876-857-0x0000000004EB0000-0x0000000004EC0000-memory.dmp

Filesize
64KB

Download
memory/2876-854-0x0000000004AB0000-0x0000000004ABA000-memory.dmp

Filesize
40KB

Download
memory/2876-853-0x0000000004990000-0x000000000499A000-memory.dmp

Filesize
40KB

Download
memory/2876-998-0x000000002F0A0000-0x000000002F0A8000-memory.dmp

Filesize
32KB

Download
memory/2876-1000-0x000000002F230000-0x000000002F244000-memory.dmp

Filesize
80KB

Download
memory/2876-999-0x000000002F210000-0x000000002F222000-memory.dmp

Filesize
72KB

Download
memory/2876-1001-0x000000002F0B0000-0x000000002F0B8000-memory.dmp

Filesize
32KB

Download
memory/2876-1004-0x000000002F2C0000-0x000000002F2D0000-memory.dmp

Filesize
64KB

Download
memory/2876-1005-0x000000002F430000-0x000000002F446000-memory.dmp

Filesize
88KB

Download
memory/2876-1006-0x000000002F3E0000-0x000000002F3F0000-memory.dmp

Filesize
64KB

Download
memory/2876-1007-0x0000000032440000-0x000000003249C000-memory.dmp

Filesize
368KB

Download
memory/2876-1008-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-1021-0x0000000005B50000-0x0000000005B5A000-memory.dmp

Filesize
40KB

Download
memory/2876-1028-0x0000000002310000-0x0000000002342000-memory.dmp

Filesize
200KB

Download
memory/2876-852-0x0000000002170000-0x0000000002178000-memory.dmp

Filesize
32KB

Download
memory/2876-851-0x0000000004960000-0x0000000004986000-memory.dmp

Filesize
152KB

Download
memory/2876-850-0x0000000004940000-0x000000000494A000-memory.dmp

Filesize
40KB

Download
memory/2876-849-0x0000000004550000-0x000000000456A000-memory.dmp

Filesize
104KB

Download
memory/2876-1173-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-848-0x0000000002350000-0x000000000236E000-memory.dmp

Filesize
120KB

Download
memory/2876-847-0x00000000049F0000-0x0000000004AA2000-memory.dmp

Filesize
712KB

Download
memory/2876-837-0x0000000000630000-0x0000000000676000-memory.dmp

Filesize
280KB

Download
memory/2876-1318-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-1319-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-843-0x00000000005C0000-0x00000000005CA000-memory.dmp

Filesize
40KB

Download
memory/2876-833-0x0000000000280000-0x00000000002A4000-memory.dmp

Filesize
144KB

Download
memory/2876-829-0x00000000003F0000-0x0000000000574000-memory.dmp

Filesize
1.5MB

Download
memory/2876-1468-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-1470-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-1471-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-1472-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-1473-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download
memory/2876-1474-0x000000006C4D0000-0x000000006CF38000-memory.dmp

Filesize
10.4MB

Download