gh0strat | 5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-10-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi
Size

31.4MB
MD5

44e80380964f2ccbc6bc7b14ad4ffd3f
SHA1

c1b9a5cf8b8b63860fab7b3e8094fb0f58892596
SHA256

5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395
SHA512

93a9935aa0b14b99b8d74ecc9870a782907afd540a21759f56cc837fab72b33ce5386b7c6623987596fad15594848e47da36efed60d1553a566e2bc54c90647d
SSDEEP

786432:FPmtdVFmEvj9/DRTZVb2kZDJkj4BZELqx4LIsUtC1dQ+8eQfH2oPFQx:APVAW9Ff2kZaUBKLquL1UtCY+8x22FC

Score

10^/10

gh0strat purplefox discovery evasion execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/888-575-0x000000002B800000-0x000000002B9BD000-memory.dmp	purplefox_rootkit
behavioral2/memory/888-578-0x000000002B800000-0x000000002B9BD000-memory.dmp	purplefox_rootkit
behavioral2/memory/888-579-0x000000002B800000-0x000000002B9BD000-memory.dmp	purplefox_rootkit
behavioral2/memory/888-598-0x000000002B800000-0x000000002B9BD000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/888-575-0x000000002B800000-0x000000002B9BD000-memory.dmp	family_gh0strat
behavioral2/memory/888-578-0x000000002B800000-0x000000002B9BD000-memory.dmp	family_gh0strat
behavioral2/memory/888-579-0x000000002B800000-0x000000002B9BD000-memory.dmp	family_gh0strat
behavioral2/memory/888-598-0x000000002B800000-0x000000002B9BD000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\SETD9C6.tmp	DrvInst.exe
File created	C:\Windows\System32\drivers\SETD9C6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\drivers\tap0901.sys	DrvInst.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\S:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\X:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\V:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\P:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\T:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\Y:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\M:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\G:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\N:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\Q:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\Z:	OqmnhpUgthmZ.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2500	netsh.exe
4940	netsh.exe
1308	netsh.exe
4848	netsh.exe

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5420	cmd.exe
5480	ARP.EXE

Drops file in System32 directory 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\tap0901.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\SETD812.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_46C2CD5D0F070B6D918CC9BAEC875CC3	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\oemvista.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\SETD802.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_71A3756DBB32C004799210B766A7AFA4	LetsPRO.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	LetsPRO.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xPKoYjAvcnvH.exe.log	xPKoYjAvcnvH.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_71A3756DBB32C004799210B766A7AFA4	LetsPRO.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.inf	DrvInst.exe
File created	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\oemvista.PNF	tapinstall.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	LetsPRO.exe
File created	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\SETD801.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\SETD802.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEED7C5D2183A1352C6D421D65F131F0	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	LetsPRO.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\SETD801.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\SETD812.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEED7C5D2183A1352C6D421D65F131F0	LetsPRO.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\tap0901.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_662fd96dfdced4ae\tap0901.cat	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\ko\System.Web.Services.Description.resources.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-arm	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\Mono.Cecil.Mdb.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.WebSockets.Client.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Runtime.InteropServices.RuntimeInformation.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ServiceModel.NetTcp.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ValueTuple.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\ICSharpCode.AvalonEdit.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\Microsoft.Web.WebView2.WinForms.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Buffers.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.SecureString.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\WpfAnimatedGif.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\SuperSocket.ClientEngine.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\ru\LetsPRO.resources.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\SharpCompress.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Globalization.Calendars.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Permissions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Xml.XPath.XDocument.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Text.Encoding.CodePages.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-arm\native	letsvpn.exe
File opened for modification	C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe	ckhjghacCGCf.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ComponentModel.Annotations.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.FileSystem.AccessControl.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-x64	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\DeltaCompressionDotNet.MsDelta.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Diagnostics.Contracts.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.ValueTuple.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-arm\native\e_sqlite3.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-x64\native\e_sqlite3.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Reflection.Extensions.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Principal.Windows.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\LetsPRO.exe	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Management.Automation.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.Primitives.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.Tasks.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Diagnostics.Contracts.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.IO.IsolatedStorage.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.Timer.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\fr	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\WpfAnimatedGif.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\runtimes\win-arm\native\e_sqlite3.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\x86	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Xml.XPath.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\View	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\PusherClient.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Dynamic.Runtime.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Linq.Queryable.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Security.Cryptography.ProtectedData.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\CommunityToolkit.Mvvm.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\NuGet.Squirrel.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\NuGet.Squirrel.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Globalization.Calendars.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Globalization.Extensions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\Newtonsoft.Json.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Data.SqlClient.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.AccessControl.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\PusherClient.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Resources.ResourceManager.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Threading.ThreadPool.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Net.IPNetwork.dll	letsvpn.exe
File created	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Text.RegularExpressions.dll	letsvpn.exe
File opened for modification	C:\Program Files (x86)\letsvpn\app-3.10.2\System.Text.RegularExpressions.dll	letsvpn.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e579422.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E91D9162-F95F-402E-99AF-044651ADC395}	msiexec.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	tapinstall.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\e579422.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9589.tmp	msiexec.exe
File created	C:\Windows\Installer\e579424.msi	msiexec.exe

Executes dropped EXE 13 IoCs

pid	Process
4460	ckhjghacCGCf.exe
1692	OqmnhpUgthmZ.exe
2100	letsvpn.exe
3612	xPKoYjAvcnvH.exe
3300	xPKoYjAvcnvH.exe
1292	xPKoYjAvcnvH.exe
1716	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
2348	tapinstall.exe
4996	tapinstall.exe
3712	tapinstall.exe
4064	LetsPRO.exe
772	LetsPRO.exe

Loads dropped DLL 59 IoCs

pid	Process
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
2100	letsvpn.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4344	powershell.exe
4352	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3296	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ROUTE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ckhjghacCGCf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OqmnhpUgthmZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsPRO.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OqmnhpUgthmZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OqmnhpUgthmZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	tapinstall.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	tapinstall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	OqmnhpUgthmZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	OqmnhpUgthmZ.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	LetsPRO.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	LetsPRO.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2100	ipconfig.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-831 = "SA Eastern Daylight Time"	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Lets\userHabit = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023fa5edebf919e4ea955920c54b9fda000000000020000000000106600000001000020000000f24222e968ae46dac4456ebad5c11862e1721f3c53544d0f0615346fdf65c994000000000e8000000002000020000000071194f8672ad56dc4680a5140d83fd3c6bbe681ea2e34d54fcc23a421f1a59da00200001ac9b87526eb22e7d87405ce55a4482ee8a71cdca173412554a4a9acc05bfbd2c270b69ce2fdbe2e02a05fa6ac07ba74692fae6e0e0b0be40ac518965a74272faeed1b74fb562ba3bd063ea90247d057b60aa0c0922f7f3ae32e16623d33f19f3b9c5053275de12976724940f7461b5d4b4254e74ce31283cdbaad5a4d5b60697f87cfa84567bddf450b61a40cb7a4339ed43e591ea91277e6bb2e2523acf9238b0b8b7ffa756846faa938b76047ac5c0b979a993ebf1d481c4a0c554dd4c5b80f016434b8ac050a2961453ba1a7b37f9bd514bdfab80a4f3d765de5ab1bf29da8365595c8cbebd19c66cd4fd407e511bb060524f4d8740a367eb4c5f68f481dcab4cbb6938de47e1ccd1953f0c6e1cf5ef5ceaa4e9ba21696e89a04fbf08f2ceb49bc23b6261dc0155d49b71fa4dbe15f9a648be388bd9c95f49a648b03e9c5b9865f4c351389cf0a2072dadf24df18c4fb30e9d4b6f914fad94fbc8fe83017794964fc17b3186de23adab4575c689d614e30db135bdc521b0ddff75a097ea02ec51a80e94f86847d8b59ecd6695ab29690419d44ccdab72205bb422e6c0278d0de41fdd2c60f5b0b679f794fd31b72f67f300cbc1461d7cd44c37d46352109112ae55322a0ac5c2f231eae2c37d4ef8ae4ba8e53b181be69ab5f8c301827075a636104c6a7046614978b309c839e9e6f6e6da9cbd324726a4778fcbf05122ef4bba5f7bcc7feb071857035c7fa80ea180ac71673d2c48f2683e4b69b48e5f6290cb81f559c62964e1db484c1e1250228dad37fac597dcd72f8eecbff88d59cfa33cd56276fa074e90462dfe4de32ffaf9c8e883fed760e31462671f19fb6bc28ef784f6dc6221de09bde5b4fa53c22d71d506946186ff359b97e99a6f024843a74ad4617a41ac574551ba42e851f8ef410a272d69f6bd590b01821889e4ebf400000007ccf67371c40829cf6df36d27dac28d064e5181335eb4ab64364fe9922556a76776e2ac41fda7c8680f286478c83503cd931e23e11377c946da01360d2da471b	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2611 = "Bougainville Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Lets\qjiwx = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023fa5edebf919e4ea955920c54b9fda00000000002000000000010660000000100002000000095b86a4a015680fb5c01a231d90e51de6f4c01884a5f2453d6176a9f4c87e8d7000000000e8000000002000020000000c36d83397466dbf8a7a3d3a1fe99e80b7c1be4cf7488af12e4d34335060ee42f30030000942a21a3cccb48d88198ac02e65823fef5e74bc0dd34a6bc78ca85d1974e766a5acba75cd7653fb067c2c5ee53c34e6ec1bb6630d514e9fec523cad4e47cef119fd844aa4891b4cb2438fb5ce41156d0d05eeb00e7c6496ad07f8763c11b6162a326ef69e184a45b033f7e297d65666ab5de624e4bbebb11484cbb73b5938198e20d8de69498d7e6367c289358698b0439e2d40dafc8d5794d9ac560760a72cf31775b16c5ccf34de8eb0cc179466934f7518a2805df9bed619a932fb91a2483ef86be6b0fbb640e1f3fb60bc4dd59bacade9f930ac473ddd35cfc1952eb3a424b9a9919a2257a28328583eb7e5ca69dc4a90d549b7f36d61205c28eacc25d9b663376abf23ad667626a627bf89e5bed3619ac6f01a10d4cc32a9e876bfc37b44313265ae1e571cf06b69565346ed001f6b7dd5bcec67da95db2e1f9e5d77c78aec9f1ac40c6bcb83770d98342ce7e66dbba89c19bc3f67b904f7ae0f110b4bfe5524b30d50586eed7f66205622804f53456d9928c17055674420a80640423d46469b82f48a2657f97c1fb0a8e56bb5d4fff787e956f3b31791ad3ff1aa1e6ff52f66c4deff5da857a22777fb938d6a91fc8f469c7c7f5ad1da6e424e1be61db02910856e8da503904c5882366e3435954ef1ae3b5fb3373c5439b02febeafef58336e0269413f19c850b2cf48995ac05231daf3e7c2451e77ef2ae08995f81a17f56e4cf4f03e9e0593423d444bf570f154befd56d111b1c108af319c04f5b341addadd7b9630b5de2dc0ad1c5d6821677be366ae0e27f5a078cd62c31d3d21d81bbd0b4ec5ff5dca2e27606e684f41febe8ae7c86c0c13a1a64bdce2ca2e3c684307b57be1051bd8f14715dca624981ed0c2e6d91e8b3373b034a5c4f9f4b51dd77730931cf6c3535218ce1b6ba60e6118b13d28c624348dcba43232fce44006189dc053da2230dc6785459483b67bb1f89108ea53f637936ce422b6c45cd3f029819eda042267ee99d359a3a0d195911b58fbdf101bababe9f5357b73b23819def7e6f1b3202a41e55b73d2348f083479d21ec6dcb79235fa3e824c86eb921042669b462f7b202af93df2f3fae549f48ec0a196eb42baf18a44af69d14eba73d8f8397cf0240422284f331e461aa04000000053d8ae55947707bb2226c434c81cfc290b5369d9c0bb3fe055dea54d76effd6e8ec42f7cc91f75d0ab0e9ad68de1d0640500129b65d3935682b6d09bde1eef48	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-361 = "GTB Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Lets\qjiwx = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023fa5edebf919e4ea955920c54b9fda000000000020000000000106600000001000020000000042ceb6444d456534831dd1ae1bd40ab5190872e6a16220a8248dee140570510000000000e8000000002000020000000f517ef67b5cc4fd2b46e66726406a6a7a7ac826b13fefb1c23ba51b9dff9fded3003000097578db4893e0b30c36f55f920aec392dd4d021185318654e1e52806620d45085cd723cd0f571d2b6d39cae2a1487aa2e20c625bd6630a3f1943e29437f8f259c05057b518e9b42b7fe684a7fec77fb594d471d284022cf4c95b26fa1060e89bb627c17f22def61bbdff8cb6aeac1a640b22a41cded7eaa88cb763944db42edf70b828a91cd2783ddda32add1f837ea8171c08138c6d4356bc645e4f2e3e07043972a04c68e3eba9757aff5405e3ae312205cc3f84a0fddf997a669a88aadde638e9a6f695ae75241b418122fc78a6963e31a0be928ca26c0007954ad729861f2ec26b655789291ea7efbb8fb3dc4ffb31897f96812b334836df42b1df2dc8e4c125e8808be96b323220c9b44a530701c554805d0cb2a242f59b13213da38011bf6a3df0c22f96aa6c83a2d00484a7d04dd72a92311c984a62d06c6fb2b70931eab1868e75beefa1d0863c0e0e228eb6e9d72c9369cfde0a2f08a4703a817598d1a2164d567a4053d6c7e62b7088e3f3dc6c29e63cfa23106baa20505a5e0d74ae3ac729ad745294bb78797d15633b12bd6579ae7c2b5031ea4893a2d6d168ed0b417163828f4ce0b07fa6399a522b92a74a6e22664d437a9a477e865aa68d962402db7463cd4ee45ac9a4c6894a6b180124bb62d0485b8e28daddeb6a39f076880111c6d11a32a6ab6199564b41ac616b4aa945265affce48fcfb20e4c01b5f3f4b2977e4c88c15febdaf3c7e0125b809a914f33722ee9c26540554f365b74a764c3fdf4659df873666d5eebd7730cbd7bf005dbaef524eba0d943649e1378f5c27d3cf9815ae8e0d5adbf0e697718eb0e7d5204e115cfc5f66e138a5c7ab6409bb82285ea0808e1e3a4c9627a9a9f0c18ef44010084b13d71f87bf64c54ed9f724dd18ab961d9af2cab8f1c4ca14da0ce8735d0171c9889bd55c5c9704630280f5b2dde9fa0325bfbcecfb924b3eaa683669a006a06b560bf5c64b70337aa658e182bc93a2462edcf5e52a00733b711794083ae4dfc1cb9fcaf115d66207ee90356d9fe50e00abd590e6d47de3fa9fb1a0fcd72355883f01b44f5cb08ef7e9969935d64fa890e122122adb514f07247567da8200dcaf8f6bfecc6e0913a0991bcdf884487b4ddfbee66e73fdf2568740000000ad21f9b295f39bbad07b55649275604f24d32239598a60647c0450a1d96e46ec3292aa39c1d5edfa2a96bbb77b8f94a26653232af1621062cea3e518d796580b	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-385 = "Namibia Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-592 = "Malay Peninsula Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2891 = "Sudan Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2341 = "Haiti Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	letsvpn.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-105 = "Central Brazilian Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-542 = "Myanmar Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-461 = "Afghanistan Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-841 = "Argentina Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-661 = "Cen. Australia Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2941 = "Sao Tome Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Lets\qjiwx = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023fa5edebf919e4ea955920c54b9fda000000000020000000000106600000001000020000000a23d43c65a00d03028af5d6d6afb7985296d53d509cbeafc7e272f1c679b6460000000000e80000000020000200000004eb1efd61784b9846ae98879681a6efb7741c58786d545d0d6d2db8b354eb5aab002000098dfb65467d4d020e3b5c94602dff7ebd86734d64d7e614089151a4b5655768532805f56cf8bce73c218cc6d921ee44763424aba9c2d13201b04dbb71bd5c4fe7da2bea7ec5c8a06fc2a5356900ced73e3b1629831f19e3483692b0d88d27a7d5dec2e497784f2e135bba5dd9a95ba129da74ae0558c0d206a957bd5b4a0d8c576a8609771c8b2aaf7a4f3c9c848357d79ee1f671854cf1cc2004369a83e1e8e70896a376154b27ee79a161f0e5e94f1b9366fca874ff698dc105303fdd34677338b9d5834f968e521abccb89e94df238b71cccdb69dcea2cbcf580c625b1a50d8c13504cf70b254c47f9b31e823cb1c66dcb6bc49719ef2c995cf6d6915a28bab63f9429d82dc610670fcc2b3031648b6c4719eb35aec364909e3a28b3e1569e214c6e6df5ca7710fa7e105cb3bc9bcdcabe0bca97e73fc3f92e176f2b2fc539b0995876be163dd4a9a579e7b1819ab8df954a6bd7cc59b452cda4383bdead09571c045e85fdd6239a3abfeb8dbfc08fdeb90602a0ad75298ea6b91301b244f5f74653a004e082d92cadb5945ace19779e7c25264cc3793ffffabf3202e177b38fc014df00ddfbcf2b12e668b357baa694fac3d1e67d316468aa4927a8c5f519d6a665bccdf9980259e811c4b83a85b9a8fff593b3bc1fada8841876c0cb7c0893313379c76c0e3b939a1a84cc67b20dfc3775916960597695f260769ce33865630e2d1559d3020889ac49cb76ed63f3e71da1df3a61e4b01653ca728c59199641d121d258cdc58243e2baa53368447f429bb0d382bd1db6f557a48ee507607933b2de66d19c9b7dbc27bb8c17f1961b50d3afda264490da9ca94c424edbffc82f75d4c627461f640383de8c510fb5418449d2b0172b2a5405d9d546ee7b4313b56073d82504d3acda001e3cff9df994fd261498795010f844dc8acd4fb4a9d1c5073770cd4065b07f9b52cb635e9d640000000ae64fdd0ff79ae17af4eeb7f8575fdbcf30fdd4a970c05af7b69bb65f284201aa192f9cff11be6875bff6195200f007e4abca2110e6720ad2b6dd1846f2c0baa	LetsPRO.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Lets\qjiwx = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000023fa5edebf919e4ea955920c54b9fda000000000020000000000106600000001000020000000b6e2ffb7d6c96c7167ee5e8cf1e770852f7f18f14434cf929c76851f1607118c000000000e8000000002000020000000bcb826e7bf82e1253c5be5c705011ea444bba06fc32b42a5d12a78c48820d4e4400300009e4878f1480dba5fc3c92cca80bafc2801c067f52cf69df2ae116bdf122f3fb7f04207fe0c5d33c12b1fad7ca07407550562615297677ef402b8b8a2e813b8fd9f11bc27b05e92ae34b8f17cc2461ef5dbc5f4e1ef9969d4e742b6be66c91b12f552b206f2b38cdcb503e241bcc8bcbd828abd20f416a83837e6af0cb141c7a02c11a79c5d619cbf444bc245242cfe192a7bfbdc2ebb15e0e1e27bd8b1fb6f93e559aba23940712b7ad72ac29065a83a07325ffe7a075e4b6dd94b527ba4ee5d3f72511d2a82b263fabebaad0cb353ad9e220e2dd6b66d3be26965d4b26227bf5e5bb49bcf8a0cd98d404f32876dd1ce3ad8134ba2c9710e424a5cdc84ac1ad5f4c429e7ceba11ccd8bafa133318502b15a8ab457933ada853f7e3fee7668dda9a2e75049cbb3cffea5133f0a0bf7426d78344c11856bb5ed049f57816a15be7beec471a9ad875eb304dfca1b7e23542e21a6b45f94ccd5840107ead919cd39b38fa5fa6879a093466f5a094803294f8a89f1a691c590ce11a409aa50c8f6a90da86f77664dd04db671158f7fbbd45915b6be08b0fee8ed763f26b1b436f9e28daa572831818caa3e4e8b24db30a4f326d12ab34c1b55310ac12934f6e78420754239d4d3a57d20f1124c796134c74938733593d5922170ada8ac0a3af47a8b01bff36a7995c89e575ae0f59354925ac492cf364aa43a166f26606fe97904305158e4e5bf58c74ff3ad7b56c92f76cca7ed2912fd507cef77900ae6eb1a12dc43211f1d8ae27cad256940322a881562b856b006914199a61c838f88bbf58e38f641525e131e80ec1aac3683c4b1fe956ad86fd6ce997f61f6ce4bcf365269ec77c7cef8c4a60e0b566e3fb8b220d777ee80de042d87d917dd45267fc83d309827f6872e63f5c8c67172a269a0d82bd78164221c2e3af07011ff2d0430fefb111b169f0a79e94e4184d26f16a1bfefbceb78640a5efff4c355b47d19008eab99cdb70f1dbaea5c9dbaf5877d28563d2284bd18375564fcf72d7a375f3811bbd6fd7007907287e4447c18a57918753ccf1177a2c93596118ec9847486ebacf56cb9ef174fee6cdf0d0a9eabd9478690fcad2b663e8a87b4583af82541cb91a1aca51e173a7c6b1c8ea9ac6b807481ea46ecbd54453fd15120a97bc0536ef20e62040000000cc3efed652f30ff9688fec8772dfd2e31d2b57b0885f73d469fe5aaf98ea5a8ea82ea584fc6b8047ec7d6a023465daea2618bf98f4b7285426e9e5b9dc2a9646	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-182 = "Mountain Standard Time (Mexico)"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.10.2\\LetsPRO.exe\" /silent"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2772 = "Omsk Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1861 = "Russia TZ 6 Daylight Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2392 = "Aleutian Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2532 = "Chatham Islands Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	tapinstall.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)"	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	tapinstall.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	LetsPRO.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	LetsPRO.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2619D19EF59FE20499FA406415DA3C59	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Version = "50331649"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\58FC6756EF1B4C747BC43E3A7ABA54B6\2619D19EF59FE20499FA406415DA3C59	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\58FC6756EF1B4C747BC43E3A7ABA54B6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\PackageName = "5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2619D19EF59FE20499FA406415DA3C59\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\ProductName = "InnovateGraciousSupplier"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\PackageCode = "C77F9DB5C75184D43A75CFB1C0847EF1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2619D19EF59FE20499FA406415DA3C59\SourceList\Media	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 0f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be0b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000006200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a3814000000010000001400000032eb929aff3596482f284042702036915c1785e61d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f609000000010000000c000000300a06082b06010505070303030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\CCBBF9E1485AF63CE47ABF8E9E648C2504FC319D\Blob = 1900000001000000100000000e8c3d8a006eb5c23a7725464ad10a8c030000000100000014000000ccbbf9e1485af63ce47abf8e9e648c2504fc319d09000000010000000c000000300a06082b060105050703031d0000000100000010000000b57b5c441b8ef4866b6f8f43ff6e45f614000000010000001400000032eb929aff3596482f284042702036915c1785e66200000001000000200000007e76260ae69a55d3f060b0fd18b2a8c01443c87b60791030c9fa0b0585101a380b000000010000004a0000005300650063007400690067006f0020005000750062006c0069006300200043006f006400650020005300690067006e0069006e006700200052006f006f007400200052003400360000000f000000010000003000000009cc9211dbd405f0eb21b2fe598b2439893f4c3d478888adf01431a8b1fb66bd524266fc4e875f022623e69fcb4dd9be20000000010000007c0500003082057830820360a00302010202104b2c3b01018bad2abc8c7b5b3eed9057300d06092a864886f70d01010c05003056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f7420523436301e170d3231303332323030303030305a170d3436303332313233353935395a3056310b300906035504061302474231183016060355040a130f5365637469676f204c696d69746564312d302b060355040313245365637469676f205075626c696320436f6465205369676e696e6720526f6f742052343630820222300d06092a864886f70d01010105000382020f003082020a02820201008de79412220424742eff162302928ab6ae3685ac47d423912b3edc7de231a0516fac8491e3528ab5e296ded0876324898affef12933b7dbbb68abdbd057f279b6b65d3a50c69b1bc49399af16d6eaae4a08327da9a0d2b50e94b5bb3b86436a47e4a3da971ab61b373b33c0b0cefdb3357e5be3437e3971b5dfd1f123d820376e6fb3f66d2943169fa6db334acc17a78dc9250f264c7aa2d04abc36aeae02fa7a7dc6ed7e8ffda21ab40bfb9ee0d9ec6d99e99efc6de1fa90c76b32720a1d6bafd80e701d2efeb822995708dffbb15cffed10f36a22e4f329074466b4735137705334f632eb82de1bf65a7046b18d871facc08f26d899910b1addb3e2ce4aa18b0c607017567de6de963631e367f6989beaa453e6e5a5f8fa15bcb9d308630e803b340c60d0f38cd67a85388fab83065fa6fc7e71db18374693eacc4683bb1e667339ab608e080054840eef6826446a8f573b00695f26c659fbf555b1c9c571ac778467c70aa941b8217ac87e9b6c90e811c40d6161729fc5c9c182bea45f5efbdd5674f285e05ee904c7ae7c6f4d0fcfacd3e32461320368a04eab7aa07469c0d933a096699585c29a3b90ca630383cd04636357c9cbaeec3d5f90a76fa7e051b40ca9235e9d57ad1b57f00aea990aac57f019c10b116fccc6e18dc6f62fea650a7b87bb89d153ffe200c75c8225a1395199000e91ad5c286f1e38eec5ff4e50203010001a3423040301d0603551d0e0416041432eb929aff3596482f284042702036915c1785e6300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff300d06092a864886f70d01010c050003820201007665c2e3d7224ad71d895eff695ec614024d73a6cdcd28cab037eabfa7c921aaaa5fdabff6836cd080d10a5c00a4cbf3cc390f9e417188d53ce88a7b8c1723f7ca3474916c06ae503f0059b2263c3c178357033e2dd11a3dd4cf0754b2430b5272a888f5c417f26fd158a5d168e43d980818ee36f448489afa5470f088d47016304249d0d93f754b4571d8aea2bb610e88855057b9ba112b36291f8f20729e5c9e89d182da458d6a99da84716b33a510bb79f097f67481a03f57c7868c308c0e3895ae01c61eabdca81f6f2fd7ff761eae17736de5b975b36106a89533c24e6fb237f295be855412b9c8bd624276f72afcf53731032657fed1e6dbf0160272838c08b384aca9e407f8a188c4135a50475442a6edd041342c98b13ea234a10c5dbdacf77f79a7bf6d0c5632851b4b97b8e1ace4a43c71f1a3e14e63d6f446baf50b08e1633ceda2592f0ad42c6b23a29ea14deed112cd183350ed416ecb7f3d41600b630b78f575ef4315b7360b10afdc5c18a998d936d91dd884b3068a82e37b1b24a742ceee0f3e565c327dec4bde562b3b3bbaf97a58d051b66cd6f658a252247a4486a11c603f49d3fcfaf9841c05c234bfe2e6f1192a992f5657359cb5f507c3462fde383d190dfba3f1df139ee7a9725831afbdeadad7d66d7733338ef4acfdc1bf4987d27005677406a6f678402d1604910f1fd316c4b87a170d24c9b2	LetsPRO.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4456	msiexec.exe
4456	msiexec.exe
1692	OqmnhpUgthmZ.exe
1692	OqmnhpUgthmZ.exe
4344	powershell.exe
4344	powershell.exe
4344	powershell.exe
1292	xPKoYjAvcnvH.exe
1292	xPKoYjAvcnvH.exe
1716	OqmnhpUgthmZ.exe
1716	OqmnhpUgthmZ.exe
1716	OqmnhpUgthmZ.exe
1716	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
4352	powershell.exe
4352	powershell.exe
4352	powershell.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe
888	OqmnhpUgthmZ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3296	msiexec.exe
Token: SeSecurityPrivilege	4456	msiexec.exe
Token: SeCreateTokenPrivilege	3296	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3296	msiexec.exe
Token: SeLockMemoryPrivilege	3296	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3296	msiexec.exe
Token: SeMachineAccountPrivilege	3296	msiexec.exe
Token: SeTcbPrivilege	3296	msiexec.exe
Token: SeSecurityPrivilege	3296	msiexec.exe
Token: SeTakeOwnershipPrivilege	3296	msiexec.exe
Token: SeLoadDriverPrivilege	3296	msiexec.exe
Token: SeSystemProfilePrivilege	3296	msiexec.exe
Token: SeSystemtimePrivilege	3296	msiexec.exe
Token: SeProfSingleProcessPrivilege	3296	msiexec.exe
Token: SeIncBasePriorityPrivilege	3296	msiexec.exe
Token: SeCreatePagefilePrivilege	3296	msiexec.exe
Token: SeCreatePermanentPrivilege	3296	msiexec.exe
Token: SeBackupPrivilege	3296	msiexec.exe
Token: SeRestorePrivilege	3296	msiexec.exe
Token: SeShutdownPrivilege	3296	msiexec.exe
Token: SeDebugPrivilege	3296	msiexec.exe
Token: SeAuditPrivilege	3296	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3296	msiexec.exe
Token: SeChangeNotifyPrivilege	3296	msiexec.exe
Token: SeRemoteShutdownPrivilege	3296	msiexec.exe
Token: SeUndockPrivilege	3296	msiexec.exe
Token: SeSyncAgentPrivilege	3296	msiexec.exe
Token: SeEnableDelegationPrivilege	3296	msiexec.exe
Token: SeManageVolumePrivilege	3296	msiexec.exe
Token: SeImpersonatePrivilege	3296	msiexec.exe
Token: SeCreateGlobalPrivilege	3296	msiexec.exe
Token: SeBackupPrivilege	3016	vssvc.exe
Token: SeRestorePrivilege	3016	vssvc.exe
Token: SeAuditPrivilege	3016	vssvc.exe
Token: SeBackupPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeBackupPrivilege	4908	srtasks.exe
Token: SeRestorePrivilege	4908	srtasks.exe
Token: SeSecurityPrivilege	4908	srtasks.exe
Token: SeTakeOwnershipPrivilege	4908	srtasks.exe
Token: SeRestorePrivilege	4460	ckhjghacCGCf.exe
Token: 35	4460	ckhjghacCGCf.exe
Token: SeSecurityPrivilege	4460	ckhjghacCGCf.exe
Token: SeSecurityPrivilege	4460	ckhjghacCGCf.exe
Token: SeBackupPrivilege	4908	srtasks.exe
Token: SeRestorePrivilege	4908	srtasks.exe
Token: SeSecurityPrivilege	4908	srtasks.exe
Token: SeTakeOwnershipPrivilege	4908	srtasks.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe
Token: SeTakeOwnershipPrivilege	4456	msiexec.exe
Token: SeRestorePrivilege	4456	msiexec.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3296	msiexec.exe
3296	msiexec.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe
772	LetsPRO.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4456 wrote to memory of 4908	4456	msiexec.exe	103
PID 4456 wrote to memory of 4908	4456	msiexec.exe	103
PID 4456 wrote to memory of 4604	4456	msiexec.exe	105
PID 4456 wrote to memory of 4604	4456	msiexec.exe	105
PID 4604 wrote to memory of 4460	4604	MsiExec.exe	106
PID 4604 wrote to memory of 4460	4604	MsiExec.exe	106
PID 4604 wrote to memory of 4460	4604	MsiExec.exe	106
PID 4604 wrote to memory of 1692	4604	MsiExec.exe	108
PID 4604 wrote to memory of 1692	4604	MsiExec.exe	108
PID 4604 wrote to memory of 1692	4604	MsiExec.exe	108
PID 4604 wrote to memory of 2100	4604	MsiExec.exe	109
PID 4604 wrote to memory of 2100	4604	MsiExec.exe	109
PID 4604 wrote to memory of 2100	4604	MsiExec.exe	109
PID 2100 wrote to memory of 4344	2100	letsvpn.exe	111
PID 2100 wrote to memory of 4344	2100	letsvpn.exe	111
PID 2100 wrote to memory of 4344	2100	letsvpn.exe	111
PID 1292 wrote to memory of 1716	1292	xPKoYjAvcnvH.exe	118
PID 1292 wrote to memory of 1716	1292	xPKoYjAvcnvH.exe	118
PID 1292 wrote to memory of 1716	1292	xPKoYjAvcnvH.exe	118
PID 1716 wrote to memory of 888	1716	OqmnhpUgthmZ.exe	120
PID 1716 wrote to memory of 888	1716	OqmnhpUgthmZ.exe	120
PID 1716 wrote to memory of 888	1716	OqmnhpUgthmZ.exe	120
PID 2100 wrote to memory of 4352	2100	letsvpn.exe	122
PID 2100 wrote to memory of 4352	2100	letsvpn.exe	122
PID 2100 wrote to memory of 4352	2100	letsvpn.exe	122
PID 2100 wrote to memory of 2348	2100	letsvpn.exe	126
PID 2100 wrote to memory of 2348	2100	letsvpn.exe	126
PID 2100 wrote to memory of 4996	2100	letsvpn.exe	129
PID 2100 wrote to memory of 4996	2100	letsvpn.exe	129
PID 824 wrote to memory of 2064	824	svchost.exe	132
PID 824 wrote to memory of 2064	824	svchost.exe	132
PID 824 wrote to memory of 4244	824	svchost.exe	133
PID 824 wrote to memory of 4244	824	svchost.exe	133
PID 2100 wrote to memory of 740	2100	letsvpn.exe	135
PID 2100 wrote to memory of 740	2100	letsvpn.exe	135
PID 2100 wrote to memory of 740	2100	letsvpn.exe	135
PID 740 wrote to memory of 4848	740	cmd.exe	137
PID 740 wrote to memory of 4848	740	cmd.exe	137
PID 740 wrote to memory of 4848	740	cmd.exe	137
PID 2100 wrote to memory of 5012	2100	letsvpn.exe	138
PID 2100 wrote to memory of 5012	2100	letsvpn.exe	138
PID 2100 wrote to memory of 5012	2100	letsvpn.exe	138
PID 5012 wrote to memory of 2500	5012	cmd.exe	140
PID 5012 wrote to memory of 2500	5012	cmd.exe	140
PID 5012 wrote to memory of 2500	5012	cmd.exe	140
PID 2100 wrote to memory of 4028	2100	letsvpn.exe	142
PID 2100 wrote to memory of 4028	2100	letsvpn.exe	142
PID 2100 wrote to memory of 4028	2100	letsvpn.exe	142
PID 4028 wrote to memory of 4940	4028	cmd.exe	144
PID 4028 wrote to memory of 4940	4028	cmd.exe	144
PID 4028 wrote to memory of 4940	4028	cmd.exe	144
PID 2100 wrote to memory of 700	2100	letsvpn.exe	145
PID 2100 wrote to memory of 700	2100	letsvpn.exe	145
PID 2100 wrote to memory of 700	2100	letsvpn.exe	145
PID 700 wrote to memory of 1308	700	cmd.exe	147
PID 700 wrote to memory of 1308	700	cmd.exe	147
PID 700 wrote to memory of 1308	700	cmd.exe	147
PID 2100 wrote to memory of 3712	2100	letsvpn.exe	148
PID 2100 wrote to memory of 3712	2100	letsvpn.exe	148
PID 2100 wrote to memory of 4064	2100	letsvpn.exe	151
PID 2100 wrote to memory of 4064	2100	letsvpn.exe	151
PID 2100 wrote to memory of 4064	2100	letsvpn.exe	151
PID 4064 wrote to memory of 772	4064	LetsPRO.exe	152
PID 4064 wrote to memory of 772	4064	LetsPRO.exe	152

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4456
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4908
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 8DEEFCEB8F9A3431DE8AD2BECF638AF6 E Global\MSI0000
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4604
- - C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe
    "C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe" x "C:\Program Files\InnovateGraciousSupplier\gAyPsguYXDsMcEThACGI" -o"C:\Program Files\InnovateGraciousSupplier\" -pgeAZLqCXgLqbCiVjQrQI -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4460
- - C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe
    "C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe" -number 164 -file file3 -mode mode3 -flag flag3
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1692
- - C:\Program Files\InnovateGraciousSupplier\letsvpn.exe
    "C:\Program Files\InnovateGraciousSupplier\letsvpn.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:4344
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -inputformat none -ExecutionPolicy Bypass -File "C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:4352
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:2348
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap0901
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Executes dropped EXE
      Checks SCSI registry key(s)
      Modifies data under HKEY_USERS
      PID:4996
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=lets
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:740
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=lets
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=lets.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5012
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=lets.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=LetsPRO.exe
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4940
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c netsh advfirewall firewall Delete rule name=LetsPRO
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:700
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall Delete rule name=LetsPRO
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1308
  - - C:\Program Files (x86)\letsvpn\driver\tapinstall.exe
      "C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap0901
      4⤵
      Executes dropped EXE
      Checks SCSI registry key(s)
      PID:3712
  - - C:\Program Files (x86)\letsvpn\LetsPRO.exe
      "C:\Program Files (x86)\letsvpn\LetsPRO.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4064
    - - C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe
        
        "C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe"
        5⤵
        Drops file in System32 directory
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies data under HKEY_USERS
        Modifies system certificate store
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:772
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C ipconfig /all
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        7⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:2100
      - C:\Windows\SysWOW64\netsh.exe
        
        C:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5208
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C route print
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5328
        
        C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C arp -a
        6⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:5420
        
        C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        System Location Discovery: System Language Discovery
        
        PID:5480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe
"C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe" install
1⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3612

C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe
"C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe" start
1⤵
- Executes dropped EXE
PID:3300

C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe
"C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe
  "C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe" -number 132 -file file3 -mode mode3 -flag flag3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe
    "C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe" -number 362 -file file3 -mode mode3 -flag flag3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of WriteProcessMemory
PID:824
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "1" "c:\program files (x86)\letsvpn\driver\oemvista.inf" "9" "4d14a44ff" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\letsvpn\driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2064
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:3beb73aff103cc24:tap0901.ndi:9.24.6.601:tap0901," "4d14a44ff" "0000000000000148"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  PID:4244

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
PID:1308

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:5740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579423.rbs

Filesize
8KB

MD5
038942cceccbbe3780a69eca8c51e460

SHA1
1afd3bc80b024eba5f268809c106e201331526ad

SHA256
bcf726041d6aa76c2694134fbc1fa4a7d9b26b22733503770efcff774089385d

SHA512
ccd0db79212779eb12aaf105ea2804e02b2c0bd6ac3d9d00e6a46e98dd60a3320692d3c337aa5230a89e87b964489fff94260275a411f27c48b1fb26998f1b82

Download Submit
C:\Program Files (x86)\letsvpn\AddWindowsSecurityExclusion.ps1

Filesize
318B

MD5
b34636a4e04de02d079ba7325e7565f0

SHA1
f32c1211eac22409bb195415cb5a8063431f75cd

SHA256
a9901397d39c0fc74adfdb95dd5f95c3a14def3f9d58ef44ab45fc74a56d46df

SHA512
6eb3255e3c89e2894f0085095fb5f6ab97349f0ed63c267820c82916f43a0ac014a94f98c186ff5d54806469a00c3c700a34d26de90afb090b80ac824a05aa2f

Download Submit
C:\Program Files (x86)\letsvpn\LetsPRO.exe

Filesize
240KB

MD5
5c418c95fad150290b99fd115838f2a9

SHA1
1af87b13df4f52fa458152821fa7c51c75a772f3

SHA256
7bcd5e4b4771172d4a66f3d1eefd74d94755e929fe4012295d6651ca15277a88

SHA512
4a3bb2a01e48c2be67dcae15c1e9e7255fafccb8a3270b77484f72c939b92a18cb80b4b5ed579511d6eba42482ae5e8528e8270a7a06d19463044b20f709f775

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\CommunityToolkit.Mvvm.dll

Filesize
109KB

MD5
8bfa2e9dc7f4ac42d1fa58fc3ff37267

SHA1
b3189f2f45a70e719339a147f9cab0d1ee77858d

SHA256
c5059bf1dd92deb3c590d0ea8065dc62b89259f4266c0ea54f5c8d062056c76f

SHA512
a2be51b345c3c7d69695e284d0097c36a6e3b53104a159f8cc1e2af28cb6f5a7f9710299febaff3d3be6f554cf3f3d184fb11408908bf7237be161b0fe38af5c

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe

Filesize
1.5MB

MD5
cc8594dbaf16443f0d92fbdac4dc2797

SHA1
047e926a7d3e0e7a1fa6219af32b531ed3574487

SHA256
afeb1c6108ef4f2b241ffbdf0bd138ada0fb2af2381b068f2af397c761c76890

SHA512
e4a8390a60fd42f21ce89e79ec5bea6629359d2c4629810aec7069234f423058f8271b1d61d7342a623edca7a65abdda701149494709c88c8431a61c352d108e

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\LetsPRO.exe.config

Filesize
22KB

MD5
ebaeca4375f9cc819ff3835ba62717de

SHA1
819d4ad83729d709a3ed6172e2c608af70de3d03

SHA256
a12e73eb35a51a227afd1318edb824a77cbe60d2fbf67e1463404c0673e42d9c

SHA512
311d6aa1a8608b327bfa97cb77e4e21a44946438f60c6c2fc9e0bf9ef97434138d0136ca1d55c7d836d72a03cebec63beefd974219ab8ea580eddf3e23e76d3f

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\LetsVPNDomainModel.dll

Filesize
21KB

MD5
4aa9b59fc32caa6d74293cc4ff4234a9

SHA1
3ed90204d89217a19b1078eb8718202932f4282a

SHA256
2aa48a6078e2ef1c4954b507c3da13bea8ee3e4c38a4131621adf98fc8da265e

SHA512
dad298b8430ffcb3d7c44283f3b85892773a288eff1e071860839ed39725e8696f2dae6f9562377bddcdbcfde83f164fb753d36501e2b9c215d0fb2d93cb2ee2

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\Newtonsoft.Json.dll

Filesize
693KB

MD5
a051afcfeff1f630188c5785f7ea3273

SHA1
9312b0a42b4ffbdad365c4938a081c9abc870074

SHA256
97e46c96938851c462a59eaa43bca65ed3a0b0a385e2b87ae959acf3bfa6ba75

SHA512
0a4ba46ea22021f467e97a4f68dd1473187c7af213dda9f0a9fcb683891bb804b27b45d9760aa02a3ce8eb0287efa67b8b4690ce1908aab0004d548183015cb9

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\Utils.dll

Filesize
126KB

MD5
0b0e7270f14d5dec664787ef680ab980

SHA1
4c5c9f4385423d083d2693585056363853727ca0

SHA256
35288ce35fb77395a2f55244e30f7f8aa2131fa3ebac9c85ea58979e7276ec3e

SHA512
d45c34602a49c75e9f0beb4f473ebb851e17c1a342308984ecf5666be93d615f75655a0ea723aa4bd3fd24208e8ab384223f888a0f2baa9d36c96150098fd801

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\log4net.config

Filesize
3KB

MD5
28f9077c304d8c626554818a5b5f3b3a

SHA1
a01f735fe348383795d61aadd6aab0cc3a9db190

SHA256
746b5675ea85c21ef4fcc05e072383a7f83c5fe06aaa391fc3046f34b9817c90

SHA512
485c175bc13c64601b15243daecbf72621883c2ff294852c9bbb2681937f7ef0bea65361e0f83131ec989432326442ef387c1ccf2a7ca537c6788b8fd5c0021e

Download Submit
C:\Program Files (x86)\letsvpn\app-3.10.2\log4net.dll

Filesize
273KB

MD5
6c4e61362d16c7c0b3731b0e2a84f911

SHA1
3c89a13ab980e3d9ea515470c9d53bb30ac746cb

SHA256
5245b084cfd79eb3627caf4ddac63096ef89046093dcb0e00e2b96cf74c24fb6

SHA512
ac1a941200787971d154b99211fa5c7d7a3ba83132be505de2a7ea2682e8be87e668fb0264de94dc6cedce85750b214159c797ce5b1fcfde1e229875215ae458

Download Submit
C:\Program Files (x86)\letsvpn\driver\OemVista.inf

Filesize
7KB

MD5
26009f092ba352c1a64322268b47e0e3

SHA1
e1b2220cd8dcaef6f7411a527705bd90a5922099

SHA256
150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9

SHA512
c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363

Download Submit
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe

Filesize
99KB

MD5
1e3cf83b17891aee98c3e30012f0b034

SHA1
824f299e8efd95beca7dd531a1067bfd5f03b646

SHA256
9f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f

SHA512
fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b

Download Submit
C:\Program Files\InnovateGraciousSupplier\OqmnhpUgthmZ.exe

Filesize
2.9MB

MD5
c0332d95acdfc46fb60f3f1d9dd6b92d

SHA1
2863f05a42637d22a354e7c39cd17f8497c447ad

SHA256
0975d859e5a7b56faaf48ba8e50c800156b8cff927f3bd01f564aa6f18eac2e7

SHA512
7fdab98bdb7012cc87af60d3bbe1bfcd42ce536f75aca56981b1a2d7121bca7d9c8f5091fea7902a9e5c688c7d30613c3f99c07dc166faf58e6c230dac53d09d

Download Submit
C:\Program Files\InnovateGraciousSupplier\ckhjghacCGCf.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\InnovateGraciousSupplier\gAyPsguYXDsMcEThACGI

Filesize
2.1MB

MD5
6bb89d170132b6a2df5920a5243ed390

SHA1
94a1a99e6d0bfd8d4458daafe56b3f9e36caa18d

SHA256
1cf0546651767e50b1ccd478dffb5afd00ca9af6316ec3bc1349f0a2573bc070

SHA512
67bb4e5fafa4a95ada5f0df6c669f3bd85c5efd0446ae199f277d2f0075ec8e5c0b47fde4a84df2158eb49c198e1676143b91c888ddcc9f75055486c64f83070

Download Submit
C:\Program Files\InnovateGraciousSupplier\letsvpn.exe

Filesize
14.5MB

MD5
94f6bd702b7a2e17c45d16eaf7da0d64

SHA1
45f8c05851bcf16416e087253ce962b320e9db8a

SHA256
07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776

SHA512
7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

Download Submit
C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.wrapper.log

Filesize
793B

MD5
c8f006ea7a986994d688f92a790ba934

SHA1
a14156edbde9b6188d72a6d7d9a6ce86a9c25ed5

SHA256
f54bb9f14ae523e4b68921431e6015a66353f39916d2e395bdc7d4a9340bf279

SHA512
01dae28e9835719eb5959e04a3fd9ef61316035b5388b44beab4d9a75ea361d7256d0d6f2a75999d971fdf755f78ab43cd02d650abe6cd41d8e5e258916df65f

Download Submit
C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.wrapper.log

Filesize
294B

MD5
ed38e8c992afc6270c0b236e1b32603f

SHA1
f9aa805295eadf9a040a56997122597aa8e6ae02

SHA256
b5795558b8876cee942d588cca5f8a2f0b95717aa771eedeb43bb19027cf97fa

SHA512
502b724b9b1140f842568df475d149257a44051c85e5c546fba7275d33cf5fa247aaf84c9f63d7e242faf6d4efecb94182b9d0608d2c4d29abebc7f7d2a3b14a

Download Submit
C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.wrapper.log

Filesize
464B

MD5
35171dc3329b2851868b5e4401822b43

SHA1
a699333d94c4c2025239e713a7dd2cfb43fe4fba

SHA256
8c003e4d10eca122dec14d728e6592a72ea647dad429c6d11543d64b9f79eeda

SHA512
f7fb0cbd70b2c459d6e9438227a17d185590422a5a2bf22e318e8254c6bf58d7062d589c17f63ed3a6171ada61f11acd3503e1b22c523f5b56ee3c493979ee2b

Download Submit
C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.wrapper.log

Filesize
528B

MD5
fe2629b6960f0b8c7217631b6e83c2e6

SHA1
fd3a2c96bad665c1511c2dbe150e22f9ca57dac0

SHA256
3655c18774e85334d014efe61c6301ee84c3260c3faa51ffea521583a5b3afee

SHA512
9e89311863a02f1cad1679886a9e38a6ded3ba568e2234a6d3140425cd8a8d39a17dfdd9421d1eb6309af7922a287c646bc03db4a828c297db7575719b9fbf86

Download Submit
C:\Program Files\InnovateGraciousSupplier\xPKoYjAvcnvH.xml

Filesize
456B

MD5
4a0662c093559ef4a0a36a7ea203b449

SHA1
790de7e00830c00edb86d1e58bd8e2f4fea14b28

SHA256
07883d6864252d25a20e729b9d4dfa3d7f48b5efaf20acfe0efe23824827e68e

SHA512
697604a80208c61493c97d81893323e8517c740b3dd2780e57b00ca37d663faedfd9f14f08d966139d2769af4f7813811fe329bcb358ec8094f2c43bda504540

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
26caa3b1d8baf20466a9802ed54b1c4d

SHA1
6de4eee861e139a6f7a8eecec5dc8561642df5a6

SHA256
cf352d46e4870b67065c9e6adb00635524b3cedf755e0b5fcebff6a06f0a712f

SHA512
9efd62305a2fe17f3eea109c9dd0bc93169e381906d52a62c1ab918c5b02178f9002ee838c263997a0492c2d46ecbef57aeb2f8671d5d43679e0279882d33f71

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eck05pdd.r0m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9E54.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9E54.tmp\modern-wizard.bmp

Filesize
51KB

MD5
7f8e1969b0874c8fb9ab44fc36575380

SHA1
3057c9ce90a23d29f7d0854472f9f44e87b0f09a

SHA256
076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd

SHA512
7aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9E54.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz9E54.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Windows\Installer\e579422.msi

Filesize
31.4MB

MD5
44e80380964f2ccbc6bc7b14ad4ffd3f

SHA1
c1b9a5cf8b8b63860fab7b3e8094fb0f58892596

SHA256
5f523ca858a54f437a676f1b03682fb73fb2c02c388e38214c3a306fb11bf395

SHA512
93a9935aa0b14b99b8d74ecc9870a782907afd540a21759f56cc837fab72b33ce5386b7c6623987596fad15594848e47da36efed60d1553a566e2bc54c90647d

Download Submit
C:\Windows\System32\DriverStore\Temp\{a982dc44-ef3e-994e-a707-1f844193aa53}\tap0901.sys

Filesize
38KB

MD5
c10ccdec5d7af458e726a51bb3cdc732

SHA1
0553aab8c2106abb4120353360d747b0a2b4c94f

SHA256
589c5667b1602837205da8ea8e92fe13f8c36048b293df931c99b39641052253

SHA512
7437c12ae5b31e389de3053a55996e7a0d30689c6e0d10bde28f1fbf55cee42e65aa441b7b82448334e725c0899384dee2645ce5c311f3a3cfc68e42ad046981

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xPKoYjAvcnvH.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
f60b699eca46ce35bce600685d2b31d3

SHA1
aa447e19176bbf2c67da84cb0cd9d215c36bc8ff

SHA256
b5f98e6d660ee7ac3a04aa5637b20791292ab99831bad9a29f7f0948c91668cd

SHA512
2468e11d07caefde9106c1d92057284f1d43a997acacbfd1953cbaf4d22316990d5dbc483ca4804da2233376a7652297ff47a27399278e3f17d782289f5a9b6c

Download Submit
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{492c46e5-08da-471c-9abf-6eb3a31fc18c}_OnDiskSnapshotProp

Filesize
6KB

MD5
0c197b5844fe437c320c9f8477e1e0c1

SHA1
16e0b3200d65a86243722f20df8c3cc405b1cac2

SHA256
b590a79ba6603bde226047a3df6a60898684dd42e8b9a2a8b96589583128807a

SHA512
30f9a633dc8289560f49fcf91a2beeb0d45b149949a113f390d1d61d049c4a5613a49b574328b8ac14728edbf2cbdf37feffcde8b17a85a6fe79bd58be585315

Download Submit
\??\c:\program files (x86)\letsvpn\driver\tap0901.cat

Filesize
10KB

MD5
f73ac62e8df97faf3fc8d83e7f71bf3f

SHA1
619a6e8f7a9803a4c71f73060649903606beaf4e

SHA256
cc74cdb88c198eb00aef4caa20bf1fda9256917713a916e6b94435cd4dcb7f7b

SHA512
f81f5757e0e449ad66a632299bcbe268ed02df61333a304dccafb76b2ad26baf1a09e7f837762ee4780afb47d90a09bf07cb5b8b519c6fb231b54fa4fbe17ffe

Download Submit
memory/772-748-0x0000000034FE0000-0x0000000034FF4000-memory.dmp

Filesize
80KB

Download
memory/772-754-0x00000000374E0000-0x0000000037666000-memory.dmp

Filesize
1.5MB

Download
memory/772-815-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-814-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-813-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-812-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-811-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-810-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-808-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-807-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-806-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-801-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-788-0x0000000038720000-0x0000000038752000-memory.dmp

Filesize
200KB

Download
memory/772-787-0x0000000037C80000-0x0000000037C91000-memory.dmp

Filesize
68KB

Download
memory/772-786-0x0000000038350000-0x00000000383C6000-memory.dmp

Filesize
472KB

Download
memory/772-785-0x0000000037B90000-0x0000000037C33000-memory.dmp

Filesize
652KB

Download
memory/772-775-0x000000006BA70000-0x000000006C4D8000-memory.dmp

Filesize
10.4MB

Download
memory/772-774-0x0000000037710000-0x000000003775C000-memory.dmp

Filesize
304KB

Download
memory/772-773-0x0000000037450000-0x000000003749A000-memory.dmp

Filesize
296KB

Download
memory/772-761-0x0000000035B70000-0x0000000035B80000-memory.dmp

Filesize
64KB

Download
memory/772-760-0x0000000036370000-0x0000000036386000-memory.dmp

Filesize
88KB

Download
memory/772-757-0x0000000035780000-0x0000000035790000-memory.dmp

Filesize
64KB

Download
memory/772-691-0x0000000000430000-0x00000000005B4000-memory.dmp

Filesize
1.5MB

Download
memory/772-751-0x0000000035720000-0x000000003573E000-memory.dmp

Filesize
120KB

Download
memory/772-695-0x0000000004DD0000-0x0000000004DF4000-memory.dmp

Filesize
144KB

Download
memory/772-750-0x00000000357D0000-0x00000000357E2000-memory.dmp

Filesize
72KB

Download
memory/772-747-0x0000000034740000-0x0000000034752000-memory.dmp

Filesize
72KB

Download
memory/772-703-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/772-749-0x0000000034730000-0x0000000034738000-memory.dmp

Filesize
32KB

Download
memory/772-699-0x0000000005300000-0x0000000005346000-memory.dmp

Filesize
280KB

Download
memory/772-746-0x0000000034710000-0x0000000034718000-memory.dmp

Filesize
32KB

Download
memory/772-743-0x0000000035B80000-0x0000000036124000-memory.dmp

Filesize
5.6MB

Download
memory/772-708-0x00000000055E0000-0x0000000005692000-memory.dmp

Filesize
712KB

Download
memory/772-709-0x00000000056A0000-0x00000000059F4000-memory.dmp

Filesize
3.3MB

Download
memory/772-711-0x0000000005F40000-0x0000000005F62000-memory.dmp

Filesize
136KB

Download
memory/772-710-0x00000000061B0000-0x00000000066DC000-memory.dmp

Filesize
5.2MB

Download
memory/772-735-0x0000000034860000-0x000000003486E000-memory.dmp

Filesize
56KB

Download
memory/772-714-0x00000000060D0000-0x00000000060EA000-memory.dmp

Filesize
104KB

Download
memory/772-715-0x0000000006110000-0x000000000611A000-memory.dmp

Filesize
40KB

Download
memory/772-713-0x00000000060B0000-0x00000000060CE000-memory.dmp

Filesize
120KB

Download
memory/772-718-0x0000000006120000-0x000000000612A000-memory.dmp

Filesize
40KB

Download
memory/772-717-0x0000000006100000-0x0000000006108000-memory.dmp

Filesize
32KB

Download
memory/772-716-0x0000000006150000-0x0000000006176000-memory.dmp

Filesize
152KB

Download
memory/772-719-0x0000000006140000-0x000000000614A000-memory.dmp

Filesize
40KB

Download
memory/772-720-0x000000002F7C0000-0x000000002F7CA000-memory.dmp

Filesize
40KB

Download
memory/772-721-0x000000002FB70000-0x000000002FB96000-memory.dmp

Filesize
152KB

Download
memory/772-722-0x000000002F7D0000-0x000000002F7E0000-memory.dmp

Filesize
64KB

Download
memory/772-725-0x0000000030960000-0x00000000309F2000-memory.dmp

Filesize
584KB

Download
memory/772-728-0x0000000034530000-0x0000000034538000-memory.dmp

Filesize
32KB

Download
memory/772-732-0x0000000034880000-0x00000000348B8000-memory.dmp

Filesize
224KB

Download
memory/888-598-0x000000002B800000-0x000000002B9BD000-memory.dmp

Filesize
1.7MB

Download
memory/888-107-0x000000002B380000-0x000000002B3C5000-memory.dmp

Filesize
276KB

Download
memory/888-575-0x000000002B800000-0x000000002B9BD000-memory.dmp

Filesize
1.7MB

Download
memory/888-578-0x000000002B800000-0x000000002B9BD000-memory.dmp

Filesize
1.7MB

Download
memory/888-579-0x000000002B800000-0x000000002B9BD000-memory.dmp

Filesize
1.7MB

Download
memory/3612-67-0x0000000000250000-0x0000000000326000-memory.dmp

Filesize
856KB

Download
memory/4344-55-0x0000000005590000-0x00000000055F6000-memory.dmp

Filesize
408KB

Download
memory/4344-50-0x0000000004810000-0x0000000004846000-memory.dmp

Filesize
216KB

Download
memory/4344-70-0x0000000005DF0000-0x0000000005E0E000-memory.dmp

Filesize
120KB

Download
memory/4344-54-0x0000000004D20000-0x0000000004D42000-memory.dmp

Filesize
136KB

Download
memory/4344-56-0x0000000005780000-0x00000000057E6000-memory.dmp

Filesize
408KB

Download
memory/4344-66-0x00000000057F0000-0x0000000005B44000-memory.dmp

Filesize
3.3MB

Download
memory/4344-51-0x0000000004EB0000-0x00000000054D8000-memory.dmp

Filesize
6.2MB

Download
memory/4344-71-0x0000000005E80000-0x0000000005ECC000-memory.dmp

Filesize
304KB

Download
memory/4352-580-0x0000000007BA0000-0x0000000007BB1000-memory.dmp

Filesize
68KB

Download
memory/4352-557-0x0000000006C70000-0x0000000006CBC000-memory.dmp

Filesize
304KB

Download
memory/4352-584-0x0000000007C20000-0x0000000007C28000-memory.dmp

Filesize
32KB

Download
memory/4352-583-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

Filesize
104KB

Download
memory/4352-582-0x0000000007BE0000-0x0000000007BF4000-memory.dmp

Filesize
80KB

Download
memory/4352-581-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

Filesize
56KB

Download
memory/4352-560-0x000000006F6A0000-0x000000006F6EC000-memory.dmp

Filesize
304KB

Download
memory/4352-570-0x0000000006C00000-0x0000000006C1E000-memory.dmp

Filesize
120KB

Download
memory/4352-559-0x0000000006BC0000-0x0000000006BF2000-memory.dmp

Filesize
200KB

Download
memory/4352-576-0x0000000007C40000-0x0000000007CD6000-memory.dmp

Filesize
600KB

Download
memory/4352-555-0x0000000006130000-0x0000000006484000-memory.dmp

Filesize
3.3MB

Download
memory/4352-574-0x0000000007A10000-0x0000000007A1A000-memory.dmp

Filesize
40KB

Download
memory/4352-573-0x00000000079C0000-0x00000000079DA000-memory.dmp

Filesize
104KB

Download
memory/4352-572-0x0000000008000000-0x000000000867A000-memory.dmp

Filesize
6.5MB

Download
memory/4352-571-0x00000000078D0000-0x0000000007973000-memory.dmp

Filesize
652KB

Download