5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395

Analysis

max time kernel
141s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
27-10-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi
Size

31.4MB
MD5

44e80380964f2ccbc6bc7b14ad4ffd3f
SHA1

c1b9a5cf8b8b63860fab7b3e8094fb0f58892596
SHA256

5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395
SHA512

93a9935aa0b14b99b8d74ecc9870a782907afd540a21759f56cc837fab72b33ce5386b7c6623987596fad15594848e47da36efed60d1553a566e2bc54c90647d
SSDEEP

786432:FPmtdVFmEvj9/DRTZVb2kZDJkj4BZELqx4LIsUtC1dQ+8eQfH2oPFQx:APVAW9Ff2kZaUBKLquL1UtCY+8x22FC

Score

8^/10

discovery evasion execution persistence privilege_escalation

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\SETEA8E.tmp	DrvInst.exe
File created	C:\Windows\system32\DRIVERS\SETEA8E.tmp	DrvInst.exe
File opened for modification	C:\Windows\system32\DRIVERS\tap0901.sys	DrvInst.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1332	netsh.exe
448	netsh.exe
2944	netsh.exe
1532	netsh.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1276	cmd.exe
2204	ARP.EXE

Drops file in System32 directory 34 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\SETBF59.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstor.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\SETBF5B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEED7C5D2183A1352C6D421D65F131F0	LetsPRO.exe
File created	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\SETBF5A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infpub.dat	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\SETBF5A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\infstrng.dat	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\SETBF5B.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEED7C5D2183A1352C6D421D65F131F0	LetsPRO.exe
File created	C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\SETBF59.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\INFCACHE.0	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3	LetsPRO.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe.config	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Diagnostics.PerformanceCounter.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Linq.Queryable.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ServiceModel.NetTcp.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-x86\native\e_sqlite3.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\packages	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\LetsVPNInfraStructure.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.ThreadPool.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.Timer.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\netstandard.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Diagnostics.Process.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Reflection.Extensions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.Thread.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\tr\System.Web.Services.Description.resources.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Mono.Cecil.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\SQLitePCLRaw.batteries_v2.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.Compression.ZipFile.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Cryptography.Encoding.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Permissions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Newtonsoft.Json.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.Sockets.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.WebSockets.Client.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\View\Assets\notification_icon.png	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\FontAwesome.WPF.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Text.Encoding.Extensions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\WebSocket4Net.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\WpfAnimatedGif.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\zh-Hant\System.Web.Services.Description.resources.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Bcl.AsyncInterfaces.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ComponentModel.TypeConverter.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Runtime.Extensions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.Timer.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Xml.XmlSerializer.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Win32.Registry.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\SQLitePCLRaw.nativelibrary.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Globalization.Calendars.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Runtime.Extensions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\zh-SG\LetsPRO.resources.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Data.Odbc.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.Http.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Cryptography.Primitives.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Xml.XPath.XDocument.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\DeltaCompressionDotNet.PatchApi.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Expression.Interactions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Console.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.Pipes.AccessControl.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ObjectModel.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Runtime.Numerics.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.ThreadPool.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Cryptography.Primitives.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ServiceModel.Http.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Dynamic.Runtime.dll	letsvpn.exe
File opened for modification	C:\Program Files\InnovateGraciousSupplier	OqmnhpUgthmZ.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Web.WebView2.WinForms.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\SharpCompress.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Data.OleDb.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Diagnostics.Tools.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\de\System.Web.Services.Description.resources.dll	letsvpn.exe
File opened for modification	C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ	ckhjghacCGCf.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ComponentModel.Primitives.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.WebSockets.Client.dll	letsvpn.exe

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f768894.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\oem2.inf	DrvInst.exe
File created	C:\Windows\INF\oem2.PNF	DrvInst.exe
File created	C:\Windows\Installer\f768891.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f768891.msi	msiexec.exe
File created	C:\Windows\Installer\f768892.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI898A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f768892.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\INF\oem2.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev2	DrvInst.exe

Executes dropped EXE 8 IoCs

pid	Process
1648	ckhjghacCGCf.exe
1244	OqmnhpUgthmZ.exe
1692	letsvpn.exe
1572	tapinstall.exe
2160	tapinstall.exe
2196	tapinstall.exe
2504	LetsPRO.exe
1756	LetsPRO.exe

Loads dropped DLL 64 IoCs

pid	Process
1692	letsvpn.exe
1692	letsvpn.exe
1244	OqmnhpUgthmZ.exe
1244	OqmnhpUgthmZ.exe
1244	OqmnhpUgthmZ.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
1692	letsvpn.exe
2504	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1260	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2824	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckhjghacCGCf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OqmnhpUgthmZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1692	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 00687fa26b28db01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-242 = "Samoa Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	letsvpn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\qjiwx = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e200000000020000000000106600000001000020000000bd59fa4623d35ff91281d8df8342c9a86ae981de0a2ca7b271245751a1a40db8000000000e80000000020000200000000bab76767e117840204ea28094c63c6e908edbb649297d74a7e98f4ba9137115b0020000cc7b7765497ab3f531381adc5f413625de57c98d48f986bf5cf58559602559362dea213b766ac6bf75529bf276d8babf75548223182dbd28c5c4466856e2a1d80d901a22875de94c7abbc05a7e47fda9e549ee586f739df28a962189ae69df4e44c98d034f16be64eea94742aa45b254aac237ed20f2fcd485a2c0ffba7a991c36748003dc966021884cdf010763e84e9d29d738ac221559f879c898f0ee8af859cb0e1496b1a301024a982b362470ac08c9db0c7294f2cf47a8a7fd51b7face46476343b2359aa9ce1931f553c5b09c97373301ab84e4a066fd1835de99a3208ae09eb07b30abf47c6cb5002904c580554e2c8f11a1288c2466d6eef796f06f969d03b51b24e8baa8727f150a57690138297f4946bcf7400fc902a469ce0f544c906af26ce46f662bc4f2c46bf740d72fd094932e6ddaaa20d43fbc72bda127ba0178738c67bfd25dd83603fa8e9b9015739b266d694826a46231c06342d933933197a417c7c11a4ec54a5fbc873f3e0d93362deb8e9271af7b638f1f481b9d1ba69989428ecd6734d43f1cb5c1c8d578d28c10c27214805886299a8d049c4460094ae7746bfc8f39224a76eeb71ba3807b0911d19f649e4f9208abbbd4c21568e580542dd5f76ef1e88794145d6142d0dde5136bb5d851be139619ee490ce3a6b4d14bc1519d1bcc8f5ed113118c02b5aedcb3d6e9d8bd5a5a6efc76353e08e3cc993e62cb377877bf8277822919f01dce550e6f57036ad8af00722d1320272f4d32fc0e8b8760c3918b9f3860cb30d35b4ef628a2193e0d936bc9186d3eb9b77ab9a4b32cdf080e7adf3645ecd1b8cc92f5b392c597e88731276859f980c48799e1e56fd791b94e44293a7cc7ff7b9b29c3b0172a673106567c444964dd8346d3d3967599e3e3d1e1570ee7885ac02d6435729707b7f29eacc656db0e316b24d187ff8c899619e8464fd85e96a741400000009f0b0d08f287c538ecc22f8398624380f648abaa7deabb945512d89dc9c92702b4c92ef279298e63cf75fe3325d43d83c34695a7223d123569684caf8356fe05	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	letsvpn.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-602 = "Taipei Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\userHabit = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e20000000002000000000010660000000100002000000050728b489cd1be4dfdf0ebfdecef27f1a46bdb9073faf04461eacea95a218d94000000000e8000000002000020000000e9a3403f8a4bc5f8b66cf5c9f3e219d904a0bf3c9d203eb7d42f240f5d2d8218800000006495bfe1294a87ccf14c6b928dd2e3ef2cf47d6c654a26438e546abcfffdf235a69a3c34c339d8b9b52f0365ed6417236334d4ec6a84edfe08658422cde6614ecd6100816399778a9ea07669abf653de516aa97a566183d07e498982305b08ccf43a99b1bcc1a54314dff67ad05e3415a75247e56105c4f46cdbdff0637dd0f940000000d332742bfb21617123d892d3f96e5355aa95f5435077b04c920bc5d205cf4f3b9518376a6fd3157c667f2344fa0a901c1f3df42497dc8afb5ade4c709b5b64bf	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-384 = "Namibia Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-601 = "Taipei Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-632 = "Tokyo Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	tapinstall.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-532 = "Sri Lanka Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-434 = "Georgian Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-335 = "Jordan Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-621 = "Korea Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\329B78A5C9EBC2043242DE90CE1B7C6B1BA6C692	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Lets\qjiwx = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e939e192cf5d347bab33f04265015e200000000020000000000106600000001000020000000af0d85473409d1d104ec86f4b2a1d7e497083c3e88209cbc316e0b56706ed0dc000000000e80000000020000200000008304d1bed6ec9600065678127366481402543205ef03836a4a84e82207c8424770030000259522c16028a31dc0ba7a6bd438a72b47ec18e334025826611f39314865916be58ec5d01dd5c0299542847b299c15f8b7486c22e2b9d990d2492f4ab6226844d40860a673913a988ed7b1049211ed56921a772f4017cbf92c8bedecfa3d645e0b844dad633ae70e94ce254eb9ba7e90a9bb2e375b94204c55efe80c46c743a3d5d2f82287dc3b963b345a843c329aa21deffc17ea838f204a4c3d669b8ee7096803cce35f46f72dc4e2fb814c226d77e712284b9c94b220425fb3d6d02e080a54116af04ac34d776e2a8a4242f460ececcfa4b55e8d4a492e7e51c65af2156ba77329972526037cb925530bcdc5413e225dc7cab3101ddd1668280fd541b2a2b539020e62ef4ed7b001bf353453815283a4b0ba509d47dbc0b241c2cf47f6a170e9a53c801c441e1ccc169c4f9002b9fd01b66465ce64d3431680cddc6fb64d1554c40b242c416bc5f601a916edd9c0ef34fb7fa365928ef7924fa48237757b22b97d4556ff58968271ae0405a0b26ea0e0a8187dcbff91f8bd6e79443fdebff2d8b9eb699e2851055f70a0979573b9dcdacb03f5027b016c450d7e644454a89aff074734c09637f7cd75735fecbe44fcb91c80b4c80d6fd18be851ec55cfe514c33e115d0be0d6479db5197cfea6655be95c185232fb8094e84643558e932659d21e3801f04892894e0d2479b082d74086135869296fccf7dac465d063b4f71ba8466bc081887e154aa0a1ccba3d67751b868b7b022021b09cedbaeecc3f7dad542bb5140ea3375aab00a521c238f41befca5c00b051962f264cf3362b5408e3583fe71276fae7f36309aaa4466144007dfca1d4b1259a15cd915d409cde82fa6303e53d046428a3f0cb7f4cc6f4d21a4a02a17cf79c0cbc18cadd2ca6626fc563778a620b7e4ff69231c51c9edd18622b76fe2a4ed8e1c4c11f07470f037d40bcf33ab5724b1a7941d6bb5e73082ee8896f276e073b366a8e4cbb4e52a20094bfc3cf08bb4fd4d75d57340f38c1564ef39b33b141b02d6ab310f0e3766daf91087997bcfa55dce48f2e2984c8d4667353f1ace1e3a152f76f518c453a54caac654cac26c7535f2c0463191bd784c7c184f6572125c8862259d7dbe634c15f314e9ee32359d6d544278ce9bea2c8adbc19f5aa4428e53bfaa876c4a48ed538648870210fc85666be2aa4f779679be0048dfa7affbcd58c3a54a16053f8dd6fa3f5e776194d9e880ca3c112992c17004000000021e094a9c3e558ae67091b6abbbe5c5332207272a95935f8dbdecfd2dce3d5025b800e538e820017f9027833dad22c738ab01b9d7aa1344227abff683fa075aa	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-172 = "Central Standard Time (Mexico)"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-435 = "Georgian Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet."	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-331 = "E. Europe Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	LetsPRO.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\58FC6756EF1B4C747BC43E3A7ABA54B6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\PackageName = "5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2619D19EF59FE20499FA406415DA3C59\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\58FC6756EF1B4C747BC43E3A7ABA54B6\2619D19EF59FE20499FA406415DA3C59	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Version = "50331649"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\ProductName = "InnovateGraciousSupplier"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\PackageCode = "C77F9DB5C75184D43A75CFB1C0847EF1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2619D19EF59FE20499FA406415DA3C59	msiexec.exe

Modifies system certificate store 2 TTPs 12 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	LetsPRO.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	tapinstall.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2796	msiexec.exe
2796	msiexec.exe
1244	OqmnhpUgthmZ.exe
1260	powershell.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeSecurityPrivilege	2796	msiexec.exe
Token: SeCreateTokenPrivilege	2824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2824	msiexec.exe
Token: SeLockMemoryPrivilege	2824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2824	msiexec.exe
Token: SeMachineAccountPrivilege	2824	msiexec.exe
Token: SeTcbPrivilege	2824	msiexec.exe
Token: SeSecurityPrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeLoadDriverPrivilege	2824	msiexec.exe
Token: SeSystemProfilePrivilege	2824	msiexec.exe
Token: SeSystemtimePrivilege	2824	msiexec.exe
Token: SeProfSingleProcessPrivilege	2824	msiexec.exe
Token: SeIncBasePriorityPrivilege	2824	msiexec.exe
Token: SeCreatePagefilePrivilege	2824	msiexec.exe
Token: SeCreatePermanentPrivilege	2824	msiexec.exe
Token: SeBackupPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeShutdownPrivilege	2824	msiexec.exe
Token: SeDebugPrivilege	2824	msiexec.exe
Token: SeAuditPrivilege	2824	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2824	msiexec.exe
Token: SeChangeNotifyPrivilege	2824	msiexec.exe
Token: SeRemoteShutdownPrivilege	2824	msiexec.exe
Token: SeUndockPrivilege	2824	msiexec.exe
Token: SeSyncAgentPrivilege	2824	msiexec.exe
Token: SeEnableDelegationPrivilege	2824	msiexec.exe
Token: SeManageVolumePrivilege	2824	msiexec.exe
Token: SeImpersonatePrivilege	2824	msiexec.exe
Token: SeCreateGlobalPrivilege	2824	msiexec.exe
Token: SeBackupPrivilege	2784	vssvc.exe
Token: SeRestorePrivilege	2784	vssvc.exe
Token: SeAuditPrivilege	2784	vssvc.exe
Token: SeBackupPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	264	DrvInst.exe
Token: SeRestorePrivilege	264	DrvInst.exe
Token: SeRestorePrivilege	264	DrvInst.exe
Token: SeRestorePrivilege	264	DrvInst.exe
Token: SeRestorePrivilege	264	DrvInst.exe
Token: SeRestorePrivilege	264	DrvInst.exe
Token: SeRestorePrivilege	264	DrvInst.exe
Token: SeLoadDriverPrivilege	264	DrvInst.exe
Token: SeLoadDriverPrivilege	264	DrvInst.exe
Token: SeLoadDriverPrivilege	264	DrvInst.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	1648	ckhjghacCGCf.exe
Token: 35	1648	ckhjghacCGCf.exe
Token: SeSecurityPrivilege	1648	ckhjghacCGCf.exe
Token: SeSecurityPrivilege	1648	ckhjghacCGCf.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe
Token: SeTakeOwnershipPrivilege	2796	msiexec.exe
Token: SeRestorePrivilege	2796	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
2824	msiexec.exe
2824	msiexec.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe
1756	LetsPRO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2764	2796	msiexec.exe	34
PID 2796 wrote to memory of 2764	2796	msiexec.exe	34
PID 2796 wrote to memory of 2764	2796	msiexec.exe	34
PID 2796 wrote to memory of 2764	2796	msiexec.exe	34
PID 2796 wrote to memory of 2764	2796	msiexec.exe	34
PID 2764 wrote to memory of 1648	2764	MsiExec.exe	35
PID 2764 wrote to memory of 1648	2764	MsiExec.exe	35
PID 2764 wrote to memory of 1648	2764	MsiExec.exe	35
PID 2764 wrote to memory of 1648	2764	MsiExec.exe	35
PID 2764 wrote to memory of 1244	2764	MsiExec.exe	37
PID 2764 wrote to memory of 1244	2764	MsiExec.exe	37
PID 2764 wrote to memory of 1244	2764	MsiExec.exe	37
PID 2764 wrote to memory of 1244	2764	MsiExec.exe	37
PID 2764 wrote to memory of 1692	2764	MsiExec.exe	38
PID 2764 wrote to memory of 1692	2764	MsiExec.exe	38
PID 2764 wrote to memory of 1692	2764	MsiExec.exe	38
PID 2764 wrote to memory of 1692	2764	MsiExec.exe	38
PID 1692 wrote to memory of 1260	1692	letsvpn.exe	39
PID 1692 wrote to memory of 1260	1692	letsvpn.exe	39
PID 1692 wrote to memory of 1260	1692	letsvpn.exe	39
PID 1692 wrote to memory of 1260	1692	letsvpn.exe	39
PID 1692 wrote to memory of 1572	1692	letsvpn.exe	41
PID 1692 wrote to memory of 1572	1692	letsvpn.exe	41
PID 1692 wrote to memory of 1572	1692	letsvpn.exe	41
PID 1692 wrote to memory of 1572	1692	letsvpn.exe	41
PID 1692 wrote to memory of 2160	1692	letsvpn.exe	43
PID 1692 wrote to memory of 2160	1692	letsvpn.exe	43
PID 1692 wrote to memory of 2160	1692	letsvpn.exe	43
PID 1692 wrote to memory of 2160	1692	letsvpn.exe	43
PID 2356 wrote to memory of 1664	2356	DrvInst.exe	47
PID 2356 wrote to memory of 1664	2356	DrvInst.exe	47
PID 2356 wrote to memory of 1664	2356	DrvInst.exe	47
PID 1692 wrote to memory of 844	1692	letsvpn.exe	51
PID 1692 wrote to memory of 844	1692	letsvpn.exe	51
PID 1692 wrote to memory of 844	1692	letsvpn.exe	51
PID 1692 wrote to memory of 844	1692	letsvpn.exe	51
PID 844 wrote to memory of 2944	844	cmd.exe	53
PID 844 wrote to memory of 2944	844	cmd.exe	53
PID 844 wrote to memory of 2944	844	cmd.exe	53
PID 844 wrote to memory of 2944	844	cmd.exe	53
PID 1692 wrote to memory of 3020	1692	letsvpn.exe	54
PID 1692 wrote to memory of 3020	1692	letsvpn.exe	54
PID 1692 wrote to memory of 3020	1692	letsvpn.exe	54
PID 1692 wrote to memory of 3020	1692	letsvpn.exe	54
PID 3020 wrote to memory of 1532	3020	cmd.exe	56
PID 3020 wrote to memory of 1532	3020	cmd.exe	56
PID 3020 wrote to memory of 1532	3020	cmd.exe	56
PID 3020 wrote to memory of 1532	3020	cmd.exe	56
PID 1692 wrote to memory of 1028	1692	letsvpn.exe	57
PID 1692 wrote to memory of 1028	1692	letsvpn.exe	57
PID 1692 wrote to memory of 1028	1692	letsvpn.exe	57
PID 1692 wrote to memory of 1028	1692	letsvpn.exe	57
PID 1028 wrote to memory of 1332	1028	cmd.exe	59
PID 1028 wrote to memory of 1332	1028	cmd.exe	59
PID 1028 wrote to memory of 1332	1028	cmd.exe	59
PID 1028 wrote to memory of 1332	1028	cmd.exe	59
PID 1692 wrote to memory of 1588	1692	letsvpn.exe	60
PID 1692 wrote to memory of 1588	1692	letsvpn.exe	60
PID 1692 wrote to memory of 1588	1692	letsvpn.exe	60
PID 1692 wrote to memory of 1588	1692	letsvpn.exe	60
PID 1588 wrote to memory of 448	1588	cmd.exe	62
PID 1588 wrote to memory of 448	1588	cmd.exe	62
PID 1588 wrote to memory of 448	1588	cmd.exe	62
PID 1588 wrote to memory of 448	1588	cmd.exe	62

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 86F154B6DC03D44327A4E959F5D4DB24 M Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe
    "C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe" x "C:\Program Files\InnovateGraciousSupplier\gAyPsguYXDsMcEThACGI" -o"C:\Program Files\InnovateGraciousSupplier\" -pgeAZLqCXgLqbCiVjQrQI -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1648
- - C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe
    "C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe" -number 164 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1244
- - C:\Program Files\InnovateGraciousSupplier\letsvpn.exe
    "C:\Program Files\InnovateGraciousSupplier\letsvpn.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
      4⤵
      Drops file in System32 directory
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:1260
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
      4⤵
      Executes dropped EXE
      PID:1572
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Modifies system certificate store
      PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=lets
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:844
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=lets
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        
        PID:2944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=lets.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=lets.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1532
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=LetsPRO.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1332
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=LetsPRO
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:448
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
      4⤵
      Executes dropped EXE
      PID:2196
  - - C:\Program Files (x86)\letsvpn\LetsPRO.exe
      "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2504
    - - C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe
        
        "C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe"
        5⤵
        Drops file in System32 directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1756
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:1692
      - C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=1
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh interface ipv4 set interface LetsTAP metric=1
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2064
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C route print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:696
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C arp -a
        6⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:2204

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "00000000000003C8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:264

C:\Windows\system32\DrvInst.exe
DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{72e10d49-c7ff-5741-c3ad-d1659677222b}\oemvista.inf" "9" "6d14a44ff" "00000000000004D8" "WinSta0\Default" "0000000000000060" "208" "c:\program files (x86)\letsvpn\driver"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{11e12386-2e83-7f14-db40-6203dfcdfd45} Global\{58ef6203-8c9f-69a6-0c86-2714181e4e2a} C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{728ed3df-24df-1111-931c-fc3069f0ff24}\tap0901.cat
  2⤵
  - Modifies data under HKEY_USERS
  PID:1664

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot20" "" "" "65dbac317" "0000000000000000" "0000000000000608" "0000000000000604"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3060

C:\Windows\system32\DrvInst.exe
DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "00000000000004D8" "00000000000004CC" "0000000000000600"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2152

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f768893.rbs

Filesize
7KB

MD5
f14a7e0e0bd3e7d675ecfb794e212082

SHA1
fcd50c2242aff831f5192093e191efccb55ad545

SHA256
ea4e656af3e14dec5ccf2f0a1722907f6b422af7eea4ee803b1d35445dea32b5

SHA512
ee8e59a73719e5bd98beeab9b104fd6e89fe17f9a2ecc8257cdfba8946ebd5644b1c879f0937b49829ed11f200ad69c374626150394d4e39af898081eb9e60ef

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe.config

Filesize
22KB

MD5
ebaeca4375f9cc819ff3835ba62717de

SHA1
819d4ad83729d709a3ed6172e2c608af70de3d03

SHA256
a12e73eb35a51a227afd1318edb824a77cbe60d2fbf67e1463404c0673e42d9c

SHA512
311d6aa1a8608b327bfa97cb77e4e21a44946438f60c6c2fc9e0bf9ef97434138d0136ca1d55c7d836d72a03cebec63beefd974219ab8ea580eddf3e23e76d3f

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\Newtonsoft.Json.dll

Filesize
693KB

MD5
a051afcfeff1f630188c5785f7ea3273

SHA1
9312b0a42b4ffbdad365c4938a081c9abc870074

SHA256
97e46c96938851c462a59eaa43bca65ed3a0b0a385e2b87ae959acf3bfa6ba75

SHA512
0a4ba46ea22021f467e97a4f68dd1473187c7af213dda9f0a9fcb683891bb804b27b45d9760aa02a3ce8eb0287efa67b8b4690ce1908aab0004d548183015cb9

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\log4net.config

Filesize
3KB

MD5
28f9077c304d8c626554818a5b5f3b3a

SHA1
a01f735fe348383795d61aadd6aab0cc3a9db190

SHA256
746b5675ea85c21ef4fcc05e072383a7f83c5fe06aaa391fc3046f34b9817c90

SHA512
485c175bc13c64601b15243daecbf72621883c2ff294852c9bbb2681937f7ef0bea65361e0f83131ec989432326442ef387c1ccf2a7ca537c6788b8fd5c0021e

Download Submit
C:\Program Files (x86)\letsvpn\driver\OemVista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe

Filesize
2.9MB

MD5
c0332d95acdfc46fb60f3f1d9dd6b92d

SHA1
2863f05a42637d22a354e7c39cd17f8497c447ad

SHA256
0975d859e5a7b56faaf48ba8e50c800156b8cff927f3bd01f564aa6f18eac2e7

SHA512
7fdab98bdb7012cc87af60d3bbe1bfcd42ce536f75aca56981b1a2d7121bca7d9c8f5091fea7902a9e5c688c7d30613c3f99c07dc166faf58e6c230dac53d09d

Download Submit
C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\InnovateGraciousSupplier\gAyPsguYXDsMcEThACGI

Filesize
2.1MB

MD5
6bb89d170132b6a2df5920a5243ed390

SHA1
94a1a99e6d0bfd8d4458daafe56b3f9e36caa18d

SHA256
1cf0546651767e50b1ccd478dffb5afd00ca9af6316ec3bc1349f0a2573bc070

SHA512
67bb4e5fafa4a95ada5f0df6c669f3bd85c5efd0446ae199f277d2f0075ec8e5c0b47fde4a84df2158eb49c198e1676143b91c888ddcc9f75055486c64f83070

Download Submit
C:\Program Files\InnovateGraciousSupplier\letsvpn.exe

Filesize
14.5MB

MD5
94f6bd702b7a2e17c45d16eaf7da0d64

SHA1
45f8c05851bcf16416e087253ce962b320e9db8a

SHA256
07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776

SHA512
7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

Download Submit
C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE13.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBE36.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE67.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nst8F36.tmp\modern-wizard.bmp

Filesize
51KB

MD5
7f8e1969b0874c8fb9ab44fc36575380

SHA1
3057c9ce90a23d29f7d0854472f9f44e87b0f09a

SHA256
076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd

SHA512
7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555

Download Submit
C:\Windows\Installer\f768891.msi

Filesize
31.4MB

MD5
44e80380964f2ccbc6bc7b14ad4ffd3f

SHA1
c1b9a5cf8b8b63860fab7b3e8094fb0f58892596

SHA256
5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395

SHA512
93a9935aa0b14b99b8d74ecc9870a782907afd540a21759f56cc837fab72b33ce5386b7c6623987596fad15594848e47da36efed60d1553a566e2bc54c90647d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cc715dfa47b933264086b5b0c330792

SHA1
21d91f7e221a300b0a142567f7825d32b8d52d0f

SHA256
de212086b291196a27afec37418e54b8aa013f09740be9a385615a1b555af749

SHA512
499c975738de758f3c76c92f18c53f9fc0e7b92f59cc578d105010fd39ac85385e84f49ba608b984480f6b369180c1801e1182ce90bf6d7d53db7ddacaf5b0a4

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df01d8f7dc0400ab6d4d17505f2c3e8e

SHA1
18e533c5236a1bc8e32f12d38faaa549be180865

SHA256
ee3c84ad8b15729687930a29a301ca1d275df3951c9bfead1b77d1f9c8dfe850

SHA512
c0b7d463988374ff1112a83b7a214acb1886026621738e880582da51528a29dc9f78cb069e876ee97786d94167dc9d8098ab114c8826fc75c183e595daf0de10

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d238e3d99eec7d0de9479e20f8288320

SHA1
d0db27287f503c8fdd513684ca3856b4c9575e5b

SHA256
acc60fcfeafc299b5e0e0334ad558d11c8c993da8f3dab355137327db2f55336

SHA512
6263aa9cebf95ea0c8e37920ae7f87eb6e80946642ffd45926f952237788dcc7dccf0c0a2b999aaf06f5fe2743e9feeb73b68cb2cb64134c30d13647774b951f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51b9dbf48a72e6966d375c5d73d53810

SHA1
899080674c31b136084ab07af9b2b5777ee79552

SHA256
cd2c019b97f966438822b808f798545d623e7d500e88908dbf59248ed1b9886b

SHA512
7120025cf3d21c55028b4396519cc1df4a60ebbc0c9cf9ce63ebd721e159c3a1da5e3125010596b924db6fc5b83bf7f6b2f32b0a1ef9071ee42f5909fdfbaf96

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
996e8968254dfbabe644ad4014c6e372

SHA1
8f89868b3ebc7e55d2346e6853baf4b6096322d6

SHA256
499ab150f3a10d960a63253bf17dc5af6ecf70aff3626540583687d4906ddd9b

SHA512
d67c30bbc1467e735ae2d7e2870c4d23aa21879fe8271b897ce26364170fa57c6a3c56b39825a58638aa8ff75924068b7e58aee2e0e1047476a6553e4c9f6a0d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c406bd7b2e0936a90cd183750f07c3ab

SHA1
c2d50dc44f19873e37793c84068c2324f0c33e39

SHA256
ad1f19855000b147439a15cd118db0bf406e733c0bdee566618ce8eb704663ea

SHA512
7caaa3d3c9e4fddffabb10a0d33b3bb53139fb04bd9d9ad5ae34b3ed632afba22300402dfab01ac193e1f391c47efb6001f5959597cc5dba75505d25bbe055f0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15352e60541fc08d0e7b42ae37f66648

SHA1
b6b2528660b571e71dc2003de4027fd56ebad312

SHA256
7c5143c58df58b18ff4f3ba04633a29cf1b51bf9097e80727ed3e8bdc011aa09

SHA512
8d797194bff4356f25245ab6c0d667680e9bc36f4e2468f3fb8892c755f7030ca53f54f23213c3e9cb424c353b5154e699e85d40cca343e648051ec11f72d07f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53c0fe95f73afc597690be8f8f02d872

SHA1
a231170c2c8ce3799f06f2ebf6fdf29de8378415

SHA256
b4c21a0ece511fe31545e316f80a9b6ffb2e1b926c2b3882921c8c8b7d9dd2f4

SHA512
2c9c410c356574da165038acbcf93531d7f4d728fd7d41525319fae970216309b84a051708e335da04c830007a3647aa8d72122a48a4d1e033e8eb5b1022ed20

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
518bfd0c390de6e49156bd5c4172f22b

SHA1
168e7ef36f0a4908282e041d584623b1b8d41dc9

SHA256
d8bf1778f5c3829594234b59c15847613efd0f4be098e8b9b237071c59893518

SHA512
8c239a72fc0452b8bdda71b7ca93f3285b4d48c41e1966544c16535dada9f4b9850b012790c7c7067b369a900bfe056b36c099fd08f992636e5e4b4161022b4d

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9aa33d5b382a2fdb3b3d2338933a9e07

SHA1
20619c40e7f439ab4541f9cf23757b82e13330e7

SHA256
f654a6e2393f244d03a78b1c2d93ea1fddfe927e57a5e85c0830af462f79980e

SHA512
69774f1876c63d261e22b7b771b1d1129bab6386637fc6c24436354963922e22f0edc72f23b31b7b5960ee59f9ce556c60d6e3075a106954547ff21a4ee050e3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3de88f766011546dd1fad91e5e1ae46a

SHA1
2472f7d1f0b1e94e46670ab546181f1112b293d0

SHA256
ac974bb220c724d448f3184a3a083f7ee5bf3e8b03f4feae230ab366668da13c

SHA512
6ab6cb308c5fcd6c92abb2dca788983e274ab94307a4b41da56d2d407062adc4c81e49bc17786c8f7471dea7a5822bff78d456aac2166e1baf6ef20b482da93a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
307ec2e90e67539c8920530240e22684

SHA1
c1133947f9190c3b399266069aeb8acf7073a134

SHA256
ca6a70a3509da4c26f1a06a3e950a12a6292424914879aa121ca01047304df99

SHA512
2c2ed596aaf046f5d07d836ba751777291006073b8af45282faf017628c2e49c6ace3eac0ed2cec567ee277f1f49e1ebfad0cb307b473a29c1e203f52e68e663

Download Submit
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF

Filesize
8KB

MD5
85f82570fc50d5fa1ddf70b08400c658

SHA1
7a33d6caa148899e8c1afa450476a4023d8c2c7f

SHA256
6d2b3963e9bd9c494595ae60f27cb0cdace935ffc3f582bddbf823310227d07c

SHA512
9b45f642447a28ff80b1c5acf167d432f3c366872939e81a1ebcdf345bf24b2751d21c9a7651fa0912480aacc7c351ccf81e718696ccee55e0156250b6b6a69d

Download Submit
C:\Windows\System32\DriverStore\INFCACHE.1

Filesize
1.4MB

MD5
6828822bce5f4a7d5699a6f836977bec

SHA1
7da6b1ceed4f9c86d0b7ab9321d04d36a52a0478

SHA256
a879572be9c9f1304825cfb6e333dc4f7295d83e31dbe45e8a1586953cb2713f

SHA512
29674b07a4f18954ee4b8b48a8511089d767c7aed59c4145c42b8f38bf2de91967ee509baa0dd7c9abebadac7a138261bd7f6e000b58a520ee544b6b2c4dd609

Download Submit
C:\Windows\inf\oem2.PNF

Filesize
8KB

MD5
cdac1f2d4a155f30fdf50a6cdf064352

SHA1
153e4b34772f3b10e5a54b0133dde1fd0db9e6de

SHA256
dcb5f2f4ece5be2ac8a07ff0ee17f0f12d795f671d4724fb6ddf6f603a2ab386

SHA512
0b3739335d30ecb240dd24fd628610a2c945d0dc2bd6788b67091264db51f71ace6952114277baac157eb7bc44c36a7c03c450ec149725a3df3119ccf9fcf73c

Download Submit
\??\c:\PROGRA~2\letsvpn\driver\tap0901.sys

Filesize
30KB

MD5
b1c405ed0434695d6fc893c0ae94770c

SHA1
79ecacd11a5f2b7e2d3f0461eef97b7b91181c46

SHA256
4c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246

SHA512
635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat

Filesize
9KB

MD5
4fee2548578cd9f1719f84d2cb456dbf

SHA1
3070ed53d0e9c965bf1ffea82c259567a51f5d5f

SHA256
baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24

SHA512
6bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49

Download Submit
\Program Files (x86)\letsvpn\LetsPRO.exe

Filesize
240KB

MD5
5c418c95fad150290b99fd115838f2a9

SHA1
1af87b13df4f52fa458152821fa7c51c75a772f3

SHA256
7bcd5e4b4771172d4a66f3d1eefd74d94755e929fe4012295d6651ca15277a88

SHA512
4a3bb2a01e48c2be67dcae15c1e9e7255fafccb8a3270b77484f72c939b92a18cb80b4b5ed579511d6eba42482ae5e8528e8270a7a06d19463044b20f709f775

Download Submit
\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe

Filesize
1.5MB

MD5
cc8594dbaf16443f0d92fbdac4dc2797

SHA1
047e926a7d3e0e7a1fa6219af32b531ed3574487

SHA256
afeb1c6108ef4f2b241ffbdf0bd138ada0fb2af2381b068f2af397c761c76890

SHA512
e4a8390a60fd42f21ce89e79ec5bea6629359d2c4629810aec7069234f423058f8271b1d61d7342a623edca7a65abdda701149494709c88c8431a61c352d108e

Download Submit
\Program Files (x86)\letsvpn\app-3.10.2\LetsVPNDomainModel.dll

Filesize
21KB

MD5
4aa9b59fc32caa6d74293cc4ff4234a9

SHA1
3ed90204d89217a19b1078eb8718202932f4282a

SHA256
2aa48a6078e2ef1c4954b507c3da13bea8ee3e4c38a4131621adf98fc8da265e

SHA512
dad298b8430ffcb3d7c44283f3b85892773a288eff1e071860839ed39725e8696f2dae6f9562377bddcdbcfde83f164fb753d36501e2b9c215d0fb2d93cb2ee2

Download Submit
\Program Files (x86)\letsvpn\app-3.10.2\Utils.dll

Filesize
126KB

MD5
0b0e7270f14d5dec664787ef680ab980

SHA1
4c5c9f4385423d083d2693585056363853727ca0

SHA256
35288ce35fb77395a2f55244e30f7f8aa2131fa3ebac9c85ea58979e7276ec3e

SHA512
d45c34602a49c75e9f0beb4f473ebb851e17c1a342308984ecf5666be93d615f75655a0ea723aa4bd3fd24208e8ab384223f888a0f2baa9d36c96150098fd801

Download Submit
\Program Files (x86)\letsvpn\app-3.10.2\log4net.dll

Filesize
273KB

MD5
6c4e61362d16c7c0b3731b0e2a84f911

SHA1
3c89a13ab980e3d9ea515470c9d53bb30ac746cb

SHA256
5245b084cfd79eb3627caf4ddac63096ef89046093dcb0e00e2b96cf74c24fb6

SHA512
ac1a941200787971d154b99211fa5c7d7a3ba83132be505de2a7ea2682e8be87e668fb0264de94dc6cedce85750b214159c797ce5b1fcfde1e229875215ae458

Download Submit
\Program Files (x86)\letsvpn\driver\tapinstall.exe

Filesize
99KB

MD5
1e3cf83b17891aee98c3e30012f0b034

SHA1
824f299e8efd95beca7dd531a1067bfd5f03b646

SHA256
9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f

SHA512
fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b

Download Submit
\Users\Admin\AppData\Local\Temp\nst8F36.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
\Users\Admin\AppData\Local\Temp\nst8F36.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
\Users\Admin\AppData\Local\Temp\nst8F36.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
memory/1756-848-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/1756-1028-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/1756-852-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/1756-851-0x00000000059C0000-0x00000000059CA000-memory.dmp

Filesize
40KB

Download
memory/1756-850-0x0000000005020000-0x0000000005030000-memory.dmp

Filesize
64KB

Download
memory/1756-1482-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-847-0x00000000049C0000-0x00000000049CA000-memory.dmp

Filesize
40KB

Download
memory/1756-846-0x0000000004860000-0x000000000486A000-memory.dmp

Filesize
40KB

Download
memory/1756-845-0x0000000000E40000-0x0000000000E48000-memory.dmp

Filesize
32KB

Download
memory/1756-978-0x00000000061D0000-0x00000000061E2000-memory.dmp

Filesize
72KB

Download
memory/1756-1006-0x0000000006290000-0x0000000006298000-memory.dmp

Filesize
32KB

Download
memory/1756-1005-0x000000000EBE0000-0x000000000EBF4000-memory.dmp

Filesize
80KB

Download
memory/1756-1004-0x000000000EA30000-0x000000000EA42000-memory.dmp

Filesize
72KB

Download
memory/1756-1003-0x0000000006220000-0x0000000006228000-memory.dmp

Filesize
32KB

Download
memory/1756-1007-0x000000002EC80000-0x000000002EC9E000-memory.dmp

Filesize
120KB

Download
memory/1756-1016-0x000000002F3F0000-0x000000002F400000-memory.dmp

Filesize
64KB

Download
memory/1756-1017-0x000000002F570000-0x000000002F586000-memory.dmp

Filesize
88KB

Download
memory/1756-1018-0x000000002F590000-0x000000002F5A0000-memory.dmp

Filesize
64KB

Download
memory/1756-1021-0x0000000031E30000-0x0000000031E8C000-memory.dmp

Filesize
368KB

Download
memory/1756-1026-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-1027-0x0000000004D90000-0x0000000004DC2000-memory.dmp

Filesize
200KB

Download
memory/1756-849-0x0000000004FF0000-0x0000000005016000-memory.dmp

Filesize
152KB

Download
memory/1756-844-0x0000000004A70000-0x0000000004A96000-memory.dmp

Filesize
152KB

Download
memory/1756-843-0x0000000004840000-0x000000000484A000-memory.dmp

Filesize
40KB

Download
memory/1756-842-0x0000000004410000-0x000000000442A000-memory.dmp

Filesize
104KB

Download
memory/1756-1173-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-841-0x00000000043F0000-0x000000000440E000-memory.dmp

Filesize
120KB

Download
memory/1756-840-0x0000000004F20000-0x0000000004FD2000-memory.dmp

Filesize
712KB

Download
memory/1756-836-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1756-1325-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-1326-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-830-0x0000000000550000-0x0000000000596000-memory.dmp

Filesize
280KB

Download
memory/1756-826-0x0000000000390000-0x00000000003B4000-memory.dmp

Filesize
144KB

Download
memory/1756-822-0x0000000000E60000-0x0000000000FE4000-memory.dmp

Filesize
1.5MB

Download
memory/1756-1481-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-1471-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-1478-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-1479-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/1756-1480-0x000000006B950000-0x000000006C3B8000-memory.dmp

Filesize
10.4MB

Download
memory/2152-774-0x0000000000BB0000-0x0000000000BD6000-memory.dmp

Filesize
152KB

Download
memory/2764-12-0x0000000000500000-0x0000000000510000-memory.dmp

Filesize
64KB

Download